Red Hat Bugzilla – Bug 444714
sos modifies ldap.conf
Last modified: 2012-06-14 16:30:00 EDT
Description of problem:
sos removes a bindpw from ldap.conf and replaces it with "***" which is an ugly
thing in a production environment. Especially when too many false tries result
in a locked account.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. configure ldap.conf with bindpw and binddn
2. execute sosreport
3. have locked ldap-account
locked account + sos-report-file
Are you saying this modifies /etc/ldap.conf on your production machine and not
just the file that's copied into sosreport?
If so that is a bug, however, if it's only the files within the sosreport that
are modified that is intended behavior. If we didn't sanitize passwords during
data collection it would be considered a security risk.
Thanks for the report
A modified file in the sos-report would not lock the account in ldap, so: yes,
the file in /etc/ldap.conf is being modified.
Alright then -- testing on RHEL4, 5, and F8 fails to physically modify
Please provide detailed instructions on how you are reproducing this.
[user@host ~]$ ls -ltc /etc/ldap.conf
lrwxrwxrwx 1 root root 23 Aug 16 2006 /etc/ldap.conf -> /etc/openldap/ldap.conf
[user@host ~]$ ls -ltc /etc/openldap/ldap.conf
-rw-r--r-- 1 root root 1459 Apr 30 09:35 /etc/openldap/ldap.conf
[user@host ~]$ sudo su -
sosreport (version 1.7)
This utility will collect some detailed information about the
hardware and setup of your Red Hat Enterprise Linux system.
The information is collected and an archive is packaged under
/tmp, which you can send to a support rappresentative.
Red Hat will use this information for diagnostic purposes ONLY
and it will be considered confidential information.
This process may take a while to complete.
No changes will be made to your system.
Press ENTER to continue, or CTRL-C to quit.
One or more plugins have detected a problem in your configuration.
Please review the following messages:
* required package is not installed for current kernel: dlm-kernel-smp
* required package is not installed for current kernel: cman-kernel-smp
* required package is present but not loaded: cman
* required package is present but not loaded: dlm
* service cman is not running
* service cman is not started in default runlevel
* service ccsd is not running
* service ccsd is not started in default runlevel
* service rgmanager is not running
* service rgmanager is not started in default runlevel
* service fenced is not running
* service fenced is not started in default runlevel
* cluster node is not quorate
* one or more nodes have no fencing agent configured: the cluster
infrastructure might not work as intended
Are you sure you would like to continue (y/n) ? y
Please enter your first initial and last name [host]:
Please enter the case number that you are generating this report for:
Creating compressed archive...
Your sosreport has been generated and saved in:
The md5sum is: 8eff1da67c3780b48ed1b10b948e9ff2
Please send this file to your support representative.
root# ls -ltc /etc/openldap/ldap.conf
-rw-r--r-- 1 root root 1449 Apr 30 13:14 /etc/openldap/ldap.conf
And yes: the bindpw was again set to "***"
Ok, I see how you are getting this, however, my question is why are you symlinking?
They are 2 separate configs for 2 separate operations.
/etc/ldap.conf is primarily used for linux-pam and for name services while
/etc/openldap/ldap.conf is for the actual ldap client configuration.
I am symlinking because this is the standard-setup which was designed by the
people responsible for ldap-operations in the company I work for.
Thanks for fixing sos in a way that it will not modify files in /etc/ any more.
I am unable to justify fixing sosreport to check for misconfigurations in your ldap setup (or any setup for that matter). Those are 2 separate files which have 2 separate responsibilities. I am inclined to suggest that the ldap setup be configured properly first before stating that there is a bug in sosreport.
Created attachment 379683 [details]
RHEL5 vs RHEL4
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
This bug is being closed now that RHEL4 has entered a limited maintenance phase. If you're a customer with ELS entitlements and need to have this fixed, please contact our support team by visiting access.redhat.com
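Added example, not part of the original thread and not sos's own code: a password scrubber for collected files that refuses to write through a symlink, so masking bindpw in the report cannot touch the live configuration. It assumes the change seen above comes from rewriting a symlink kept in the report tree (the thread does not show the sos code); the function names, the "report" layout and the sample config are hypothetical.

```python
import os
import re
import tempfile

# Matches the value of a bindpw line, as in the ldap.conf from the report.
BINDPW_RE = re.compile(r"^([ \t]*bindpw[ \t]+).*$", re.MULTILINE)

def scrub_collected_file(report_root, rel_path):
    """Mask bindpw in a collected file; return False if writing would leave the report."""
    root = os.path.realpath(report_root)
    path = os.path.join(root, rel_path)
    # A symlink inside the report still points at the live file, so
    # rewriting "through" it would change the original configuration.
    if os.path.islink(path):
        return False
    real = os.path.realpath(path)
    # Also refuse when a parent directory is a symlink leading outside.
    if os.path.commonpath([root, real]) != root:
        return False
    with open(real) as fh:
        masked = BINDPW_RE.sub(r"\g<1>***", fh.read())
    # Write a new file and rename it into place instead of editing in place.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(real))
    with os.fdopen(fd, "w") as fh:
        fh.write(masked)
    os.replace(tmp, real)
    return True

def demo():
    """Constructed layout: one live config, a report holding a symlink and a copy."""
    base = tempfile.mkdtemp()
    live = os.path.join(base, "live_ldap.conf")
    secret = "binddn cn=proxy,dc=example,dc=com\nbindpw s3cret\n"  # constructed sample
    with open(live, "w") as fh:
        fh.write(secret)
    etc = os.path.join(base, "report", "etc")
    os.makedirs(etc)
    os.symlink(live, os.path.join(etc, "ldap.conf"))  # symlink collected as-is
    with open(os.path.join(etc, "copy.conf"), "w") as fh:
        fh.write(secret)                              # real copy of the contents
    skipped = not scrub_collected_file(os.path.join(base, "report"), "etc/ldap.conf")
    scrubbed = scrub_collected_file(os.path.join(base, "report"), "etc/copy.conf")
    with open(live) as fh:
        live_after = fh.read()
    with open(os.path.join(etc, "copy.conf")) as fh:
        copy_after = fh.read()
    return skipped, scrubbed, live_after == secret, copy_after

if __name__ == "__main__":
    print(demo())
```

A collector using this approach would also need to copy the link target's contents into the report if the scrubbed data is still wanted there.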