Bug 462549 - make ldap/ldaps in uri override ssl yes/no setting
Summary: make ldap/ldaps in uri override ssl yes/no setting
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss_ldap
Version: 5.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Duplicates: 241887 450604
Depends On:
Blocks:
Reported: 2008-09-17 00:34 UTC by Alan
Modified: 2018-10-19 21:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-01 17:45:45 UTC
Target Upstream Version:
Embargoed:



Description Alan 2008-09-17 00:34:45 UTC
Description of problem:

authconfig cannot create a proper authorization system when trying to auth to an ldap server that requires SSL.  

Version-Release number of selected component (if applicable):
authconfig-5.3.21-3.el5
nss_ldap-253-13.el5_2.1

How reproducible:

always

Steps to Reproduce:
1.  Fresh 5.2 install, separate ldap server using ssl
2.  craft authconfig command:
authconfig --kickstart --nostart --enableshadow --enablemd5 --disablecache --enablelocauthorize --enableldap --enableldapauth --ldapserver ldaps://mytestserver1.ucla.edu,ldaps://mytestserver2.design.ucla.edu --ldapbasedn dc=test,dc=ucla,dc=edu
  
Actual results:

/etc/ldap.conf gets created/modified with a line saying:
"ssl no"
which causes the auth to fail (and the system to hang on most any command)

adding the --enableldaptls option sets
"ssl start_tls"
which also fails since this is an ldaps:// URL (though this would work fine for regular ldap:// URLs that support TLS).

Expected results:

either an option to --enableldapssl or automatic checking for ldaps:// URLs such that the end result is an /etc/ldap.conf file that contains the line:
"ssl yes"

Comment 1 Tomas Mraz 2008-09-26 13:20:46 UTC
Actually nss_ldap should be fixed to ignore the ssl yes/no setting when uri is used instead of host. It should just look whether ssl start_tls is used and then try to issue the start tls commands. But otherwise it should switch ssl on and off based on whether ldap or ldaps is used in the uri.

The ssl setting is just a single setting but there might be multiple ldap and ldaps uris mixed.

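The per-URI rule described in Comment 1, as an added example (this is illustration code, not nss_ldap's own source): a small Python decision function over the /etc/ldap.conf keywords the report mentions (uri, host, port, ssl). With `uri` present, `ssl yes`/`ssl no` is ignored and each URI's scheme decides; `ssl start_tls` still requests STARTTLS, but only on plain ldap:// URIs, since the report says `ssl start_tls` against an ldaps:// URL fails. The legacy `host`/`port` form keeps honouring `ssl`. The function names and the sample config text are constructed for this example; the reported config is reconstructed from the authconfig command and the "ssl no" line in the description.

```python
"""Per-URI transport decision for an nss_ldap-style /etc/ldap.conf.

Added illustration, not nss_ldap's code.  Implements the rule from
Comment 1: when `uri` is present, `ssl yes`/`ssl no` is ignored and each
URI's scheme decides; `ssl start_tls` still requests STARTTLS, but only
on plain ldap:// URIs (STARTTLS on an ldaps:// session is what the
report says fails).  The legacy `host`/`port` form keeps using `ssl`.
Function names and the sample config text are constructed for this
example.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_conf(text):
    """Parse the keyword/value subset of ldap.conf used here (host, port, uri, ssl, base)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def transport_for(conf):
    """Return [(host, port, mode), ...] with mode in {"tls", "starttls", "plain"}.

    "tls" means TLS from the first byte (ldaps, port 636 by default),
    "starttls" means a plain connection upgraded with the STARTTLS
    extended operation, "plain" means no encryption at all.
    """
    ssl = conf.get("ssl", "no").lower()
    if "uri" in conf:
        decided = []
        # authconfig takes a comma-separated list; ldap.conf itself is space-separated.
        for uri in conf["uri"].replace(",", " ").split():
            parts = urlsplit(uri)
            scheme = parts.scheme.lower()
            if scheme not in DEFAULT_PORTS:
                raise ValueError(f"unsupported scheme in {uri!r}")
            host = parts.hostname
            port = parts.port or DEFAULT_PORTS[scheme]
            if scheme == "ldaps":
                mode = "tls"            # the scheme wins; `ssl no` is ignored here
            elif ssl == "start_tls":
                mode = "starttls"       # the only ssl value that still matters
            else:
                mode = "plain"
            decided.append((host, port, mode))
        return decided

    # Legacy host/port form: here the ssl keyword is the only signal available.
    mode = {"yes": "tls", "start_tls": "starttls"}.get(ssl, "plain")
    if conf.get("port"):
        port = int(conf["port"])
    else:
        port = DEFAULT_PORTS["ldaps" if mode == "tls" else "ldap"]
    return [(host, port, mode) for host in conf.get("host", "localhost").split()]


# Constructed from the report: what authconfig wrote next to the ldaps:// URIs.
REPORTED_CONF = """\
base dc=test,dc=ucla,dc=edu
uri ldaps://mytestserver1.ucla.edu ldaps://mytestserver2.design.ucla.edu
ssl no
"""

# Constructed: a mixed list, the case Comment 1 says a single ssl line cannot express.
MIXED_CONF = """\
uri ldap://ldap1.example.test ldaps://ldap2.example.test:3269
ssl start_tls
"""

if __name__ == "__main__":
    for name, text in (("reported", REPORTED_CONF), ("mixed", MIXED_CONF)):
        print(name, transport_for(parse_ldap_conf(text)))
```

Deriving the transport from the scheme only settles whether the session is encrypted; whether the server certificate is verified is governed by separate nss_ldap settings that this report does not discuss, so a config that passes this check can still be talking to an unverified server.
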
Comment 2 Tomas Mraz 2008-09-26 13:29:33 UTC
The nss_ldap version in current Rawhide works exactly like this so this is just a matter of backport.

Comment 3 Alan 2008-09-26 18:47:26 UTC
That sounds good.
I should note that when upgrading from 5.1 to 5.2 the upgrade process hung halfway through.  Turns out that was because the behaviour in dealing with ldap.conf changed.  I used to have ssl=no now I have ssl=yes with ldaps:// URIs.  When that behavior changed it caused my update to fail since some of the later updates involved using useradd, which was just hanging without timeout trying to get at the ldap stuff...
anyway, thanks for taking care of this.
-alan

Comment 4 Tomas Mraz 2008-10-01 09:34:42 UTC
*** Bug 450604 has been marked as a duplicate of this bug. ***

Comment 5 Tomas Mraz 2008-10-01 09:42:08 UTC
*** Bug 241887 has been marked as a duplicate of this bug. ***
