Bug 570057 - Bug in /etc/rc.d/init.d/slapd causes warning '/etc/pki/tls/certs/myverylongnodename.mysuperdooperl is not readable by "ldap"'
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Jan Zeleny
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-03-03 06:01 UTC by Paul Moore
Modified: 2010-07-14 22:55 UTC (History)

Fixed In Version: openldap-2.4.19-4.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-09 01:30:13 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
Modified /etc/rc.d/init.d/slapd to handle arbitrary length certificate filenames. (7.77 KB, application/octet-stream)
2010-03-03 06:01 UTC, Paul Moore

Description Paul Moore 2010-03-03 06:01:56 UTC
Created attachment 397477
Modified /etc/rc.d/init.d/slapd to handle arbitrary length certificate filenames.

Description of problem:

/etc/rc.d/init.d/slapd init script generates a warning on TLSCA certificate filenames when they have long filenames.

Version-Release number of selected component (if applicable):

openldap-servers-2.4.19-1.fc12.x86_64 in Fedora 12 


How reproducible:

Always if the filenames are long enough.

Steps to Reproduce:
1. Create a certificate for slapd where the full path of the file exceeds 80 characters, e.g. /etc/pki/tls/certs/myverylongnodename.mysuperdooperlongdomainname.com.au.pem
2. Configure /etc/openldap/slapd.conf with the certs and do a bunch of stuff to ensure that the filename eventually makes its way into /etc/openldap/slapd.d/cn\=config.ldif
3. service slapd start
  
Actual results:

/etc/pki/tls/certs/myverylongnodename.mysuperdooperlong is [WARNING]ble by "ldap"
/etc/pki/tls/certs/myverylongnodename.mysuperdooperl is not[WARNING] by "ldap"
Checking configuration files for slapd:                    [WARNING]
bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=blueprintconsulting,dc=com".
config file testing succeeded
Starting slapd:                                            [  OK  ]


Expected results:

Checking configuration files for slapd:                    [WARNING]
bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=blueprintconsulting,dc=com".
config file testing succeeded
Starting slapd:                                            [  OK  ]

Additional info:

Offending code in "/etc/rc.d/init.d/slapd":
tlsconfigs=`LANG=C egrep '^olc(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]*:[[:space:]]' $configdir/cn\=config.ldif | awk '{print $2}'`

The above *ONLY* works reliably for certificate paths containing fewer than 52 characters. This is because when the 26 character string "olcTLSCertificateKeyFile: " (or one of the others) is prepended to the certificate file name, the result is 78 characters or longer, which will be wrapped onto multiple lines when it appears in "/etc/openldap/slapd.d/cn\=config.ldif".

To modify "/etc/rc.d/init.d/slapd" to handle arbitrary length certificate filenames, the original code must be replaced with something more reliable such as:

#           tlsconfigs=`LANG=C egrep '^olc(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]*:[[:space:]]' $configdir/cn\=config.ldif | awk '{print $2}'`
#       The code on the above line fails if the TLS filename is too long and is thus
#       wrapped across more than one 78 character line of the ldif file. The replacement
#       code below fixes this problem. - Paul Moore, Astute Systems, 03-Mar-2010.
            tlsconfigs=`LANG=C awk '/^olcTLS/ { while (/^olcTLS/) { if (/^olc(TLSCertificateKeyFile|TLSCertificateFile|TLSCACertificateFile)[ \t]*:[ \t]*/)  { do { printf gensub(/^ /,"",1); getline } while (/^ /) printf "\n" ; } else break; } }' /etc/openldap/slapd.d/cn\=config.ldif | awk '{print $2}'`
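The root cause above is LDIF line folding: any line longer than 78 columns is continued on the next line with a single leading space, so a grep for one line sees a truncated path. The following is an added illustration, not the Fedora init script nor the reporter's patch: it unfolds continuation lines first and only then extracts the olcTLS*File values, on a constructed cn=config.ldif sample whose paths mirror the ones in this report.

```shell
#!/bin/sh
# Added example: unfold LDIF continuation lines before extracting olcTLS* paths.
# SAMPLE_LDIF is a constructed stand-in for /etc/openldap/slapd.d/cn=config.ldif;
# the two long paths are wrapped at 78 columns exactly as slapd writes them.
SAMPLE_LDIF='dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: /etc/pki/tls/certs/ca.pem
olcTLSCertificateFile: /etc/pki/tls/certs/myverylongnodename.mysuperdooperlong
 domainname.com.au.pem
olcTLSCertificateKeyFile: /etc/pki/tls/private/myverylongnodename.mysuperdoope
 rlongdomainname.com.au.key
olcLogLevel: none'

# unfold_ldif: join every line that begins with one space onto the previous
# attribute line (RFC 2849 folding), dropping that leading space.
unfold_ldif() {
    LANG=C awk '
        /^ / { buf = buf substr($0, 2); next }   # continuation: append to buffer
        { if (NR > 1) print buf; buf = $0 }      # new attribute: flush previous
        END { if (NR > 0) print buf }
    '
}

# tls_files: print the values of the three olcTLS*File attributes, one per
# line, from unfolded LDIF on stdin. The value is everything after the first
# colon and following blanks, so paths of any length survive intact.
tls_files() {
    unfold_ldif | LANG=C awk '
        /^olc(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, ""); print
        }'
}

# sample_tls_file N: the N-th extracted path from the constructed sample.
sample_tls_file() {
    printf '%s\n' "$SAMPLE_LDIF" | tls_files | sed -n "$1p"
}

# For a real system, replace SAMPLE_LDIF with the contents of
# $configdir/cn=config.ldif and test each printed path with
# `test -r` as the ldap user before emitting the init script's warning.
```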

Comment 1 Fedora Update System 2010-03-16 15:11:41 UTC
openldap-2.4.21-5.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/openldap-2.4.21-5.fc13

Comment 2 Fedora Update System 2010-03-17 13:05:44 UTC
openldap-2.4.19-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openldap-2.4.19-4.fc12

Comment 3 Fedora Update System 2010-03-18 03:24:51 UTC
openldap-2.4.21-5.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update openldap'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/openldap-2.4.21-5.fc13

Comment 4 Fedora Update System 2010-03-20 03:43:44 UTC
openldap-2.4.19-4.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update openldap'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/openldap-2.4.19-4.fc12

Comment 5 Fedora Update System 2010-04-09 01:30:00 UTC
openldap-2.4.19-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2010-06-30 17:36:13 UTC
openldap-2.4.21-8.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/openldap-2.4.21-8.fc13

Comment 7 Fedora Update System 2010-07-14 22:55:06 UTC
openldap-2.4.21-8.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

