Description of problem:
sos removes a bindpw from ldap.conf and replaces it with "***", which is an ugly thing in a production environment. Especially when too many false tries result in a locked account.

Version-Release number of selected component (if applicable):
1.7.6.1

How reproducible:
easy

Steps to Reproduce:
1. configure ldap.conf with bindpw and binddn
2. execute sosreport
3. have locked ldap-account

Actual results:
locked account + sos-report-file

Expected results:
only sos-report-file

Additional info:
Hi, are you saying this modifies /etc/ldap.conf on your production machine and not just the file that's copied into sosreport? If so, that is a bug; however, if it's only the files within the sosreport that are modified, that is intended behavior. If we didn't sanitize passwords during data collection it would be considered a security risk. Thanks for the report.
Hi, a modified file in the sos-report would not lock the account in ldap, so: yes, the file in /etc/ldap.conf is being modified.
Alright then -- testing on RHEL4, 5, and F8 fails to physically modify /etc/ldap.conf. Please provide detailed instructions on how you are reproducing this. Thanks
[user@host ~]$ ls -ltc /etc/ldap.conf
lrwxrwxrwx 1 root root 23 Aug 16 2006 /etc/ldap.conf -> /etc/openldap/ldap.conf
[user@host ~]$ ls -ltc /etc/openldap/ldap.conf
-rw-r--r-- 1 root root 1459 Apr 30 09:35 /etc/openldap/ldap.conf
[user@host ~]$
[user@host ~]$ sudo su -
[host:/root] root# sosreport

sosreport (version 1.7)

This utility will collect some detailed information about the hardware and setup of your Red Hat Enterprise Linux system. The information is collected and an archive is packaged under /tmp, which you can send to a support rappresentative. Red Hat will use this information for diagnostic purposes ONLY and it will be considered confidential information.

This process may take a while to complete. No changes will be made to your system.

Press ENTER to continue, or CTRL-C to quit.

One or more plugins have detected a problem in your configuration. Please review the following messages:

cluster:
 * required package is not installed for current kernel: dlm-kernel-smp
 * required package is not installed for current kernel: cman-kernel-smp
 * required package is present but not loaded: cman
 * required package is present but not loaded: dlm
 * service cman is not running
 * service cman is not started in default runlevel
 * service ccsd is not running
 * service ccsd is not started in default runlevel
 * service rgmanager is not running
 * service rgmanager is not started in default runlevel
 * service fenced is not running
 * service fenced is not started in default runlevel
 * cluster node is not quorate
 * one or more nodes have no fencing agent configured: the cluster infrastructure might not work as intended

Are you sure you would like to continue (y/n) ? y

Please enter your first initial and last name [host]:
Please enter the case number that you are generating this report for:

Progress [###################100%##################][00:38/00:38]
Creating compressed archive...

Your sosreport has been generated and saved in:
  /tmp/sosreport-host-785904-8e9ff2.tar.bz2
The md5sum is: 8eff1da67c3780b48ed1b10b948e9ff2

Please send this file to your support representative.

[host:/root] root# ls -ltc /etc/openldap/ldap.conf
-rw-r--r-- 1 root root 1449 Apr 30 13:14 /etc/openldap/ldap.conf
And yes: the bindpw was again set to "***"
Ok, I see how you are getting this; however, my question is why are you symlinking? They are 2 separate configs for 2 separate operations. /etc/ldap.conf is primarily used for linux-pam and for name services, while /etc/openldap/ldap.conf is for the actual ldap client configuration.
I am symlinking because this is the standard-setup which was designed by the people responsible for ldap-operations in the company I work for. Thanks for fixing sos in a way that it will not modify files in /etc/ any more.
Hello, I am unable to justify fixing sosreport to check for misconfigurations in your ldap setup (or any setup for that matter). Those are 2 separate files which have 2 separate responsibilities. I am inclined to suggest that the ldap setup be configured properly first before stating that there is a bug in sosreport. Thank you, Adam
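The behaviour argued over in this thread, as an added Python example that is not sos's own code: a collector must copy the file out first and redact the copy, never open the path it was handed for writing, because when that path is a symlink the write lands on the live target. The sample ldap.conf, the directory layout and the bindpw line syntax are constructed assumptions for the demonstration. naive_redact_in_place shows the failure mode from the report; collect_and_redact shows the copy-then-redact approach that leaves the live file untouched.

```python
import os
import re
import shutil
import tempfile

# Constructed sample ldap.conf (not a real configuration); the bindpw line
# carries the value a collector must neither leak nor write back to the live file.
SAMPLE_CONF = (
    "# constructed sample, not a real config\n"
    "host ldap.example.com\n"
    "binddn cn=proxy,dc=example,dc=com\n"
    "bindpw s3cretvalue\n"
    "base dc=example,dc=com\n"
)

# Assumed ldap.conf syntax: "bindpw <secret>" on its own line, key case-insensitive.
BINDPW_RE = re.compile(r"^([ \t]*bindpw[ \t]+)\S+", re.IGNORECASE | re.MULTILINE)


def redact_bindpw(text: str) -> str:
    """Replace only the bindpw value with '***', leaving the key intact."""
    return BINDPW_RE.sub(r"\1***", text)


def naive_redact_in_place(path: str) -> None:
    """The failure mode from the report: open the given path for writing.
    If path is a symlink, this rewrites the link's target, i.e. the live file."""
    with open(path) as f:
        text = f.read()
    with open(path, "w") as f:
        f.write(redact_bindpw(text))


def collect_and_redact(src: str, dest_root: str) -> str:
    """Copy src into a collection tree under dest_root, then redact the copy.
    Symlinks are resolved so the real content is captured, and the live file
    is never opened for writing. Returns the path of the redacted copy."""
    real_src = os.path.realpath(src)
    dest = os.path.join(dest_root, real_src.lstrip(os.sep))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    # Refuse to write if something in the collection tree already points at
    # the source; writing there would hit the live file.
    if os.path.lexists(dest) and (os.path.islink(dest) or os.path.samefile(dest, real_src)):
        raise RuntimeError(f"refusing to write through {dest} to the live file")
    shutil.copyfile(real_src, dest)
    with open(dest) as f:
        redacted = redact_bindpw(f.read())
    with open(dest, "w") as f:
        f.write(redacted)
    return dest


def _make_tree(tmp: str):
    """Constructed layout mirroring the report: /etc/ldap.conf as a symlink
    to /etc/openldap/ldap.conf, rooted under a temp dir."""
    real_conf = os.path.join(tmp, "live", "openldap", "ldap.conf")
    os.makedirs(os.path.dirname(real_conf))
    with open(real_conf, "w") as f:
        f.write(SAMPLE_CONF)
    link = os.path.join(tmp, "live", "ldap.conf")
    os.symlink(real_conf, link)
    return real_conf, link


def demo_naive() -> str:
    """Redact in place through the symlink; return the live file's content afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        real_conf, link = _make_tree(tmp)
        naive_redact_in_place(link)
        with open(real_conf) as f:
            return f.read()


def demo_safe():
    """Copy-then-redact through the symlink; return (live content, copied content)."""
    with tempfile.TemporaryDirectory() as tmp:
        real_conf, link = _make_tree(tmp)
        dest = collect_and_redact(link, os.path.join(tmp, "report"))
        with open(real_conf) as f:
            live = f.read()
        with open(dest) as f:
            copied = f.read()
        return live, copied


if __name__ == "__main__":
    print("naive: live file after redaction:", repr(demo_naive()))
    live, copied = demo_safe()
    print("safe: live file unchanged:", live == SAMPLE_CONF)
    print("safe: redacted copy:", repr(copied))
```

Running it shows the naive variant overwriting the real /etc/openldap/ldap.conf equivalent with "bindpw ***" (the locked-account scenario), while the safe variant leaves the live file byte-for-byte intact and produces a redacted copy in the report tree.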
Created attachment 379683: RHEL5 vs RHEL4
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This bug is being closed now that RHEL4 has entered a limited maintenance phase. If you're a customer with ELS entitlements and need to have this fixed, please contact our support team by visiting access.redhat.com. Thanks