Red Hat Bugzilla – Bug 578219
Configuring ldaps:// + cacert does not run cacert_rehash on downloaded certificate
Last modified: 2013-09-02 02:47:04 EDT
Created attachment 403514
Description of problem:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Follow instructions at https://fedoraproject.org/wiki/QA:Testcase_SSSD_LDAP_Identity_and_LDAP_Authentication
Specifically, in firstboot
1. Under ''User account database'', select LDAP
2. For ''base DN'', enter 'dc=fedoraproject,dc=org'
3. For ''LDAP Server'', enter 'ldaps://publitest9.fedoraproject.org'
4. Click "Download certificate" and use http://jlaska.fedorapeople.org/sssd/cacert.asc
5. Leave TLS *UNCHECKED*
6. Under ''Authentication Method'', select LDAP
7. Select Apply and complete firstboot setup
/etc/openldap/cacerts does not contain the cert symlink as expected. I have to manually run 'cacert_rehash /etc/openldap/cacerts' in order to set up the symlink so that I can properly identify and authenticate LDAP users.
/etc/openldap/cacerts should contain a symlink to authconfig_downloaded.pem
* See attached screenshot
* sgallagh notes that cacert_rehash should be run regardless of whether using TLS or not. In further testing, if you enable TLS, it is properly set up. However, when TLS is disabled, cacert_rehash is not run.
I tested this case after an f13 fresh install using http branched repo. I didn't reproduce this issue. It works for me.
(In reply to comment #1)
> I tested this case after an f13 fresh install using http branched repo. I didn't
> reproduce this issue. It works for me.
Ah, I was wrong. It passed because I enabled TLS before this case as James provided in Additional info.
authconfig-6.1.3-1.fc13 has been submitted as an update for Fedora 13.
authconfig-6.1.3-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update authconfig'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/authconfig-6.1.3-1.fc13
authconfig-6.1.3-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
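A check for the condition this bug describes, added here as an example and not taken from authconfig or from the report: it lists each certificate in a hashed CA directory that has no `<subject-hash>.N` symlink resolving to it, which is the state left behind when cacert_rehash is skipped. The function name and the restriction to `*.pem` files are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the bug report). Reports every *.pem certificate in
# an OpenSSL-style CA directory that has no <subject-hash>.N symlink resolving
# to it, i.e. the links that cacert_rehash is expected to create.
# Assumption: CA certificates in the directory carry a .pem suffix.
# Returns 0 if all certificates are linked, 1 if any is not, 2 on a bad dir.
# Usage after sourcing: check_cacert_links /etc/openldap/cacerts
check_cacert_links() {
    dir=${1:-/etc/openldap/cacerts}
    bad=0
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue      # glob matched nothing
        [ -L "$cert" ] && continue      # skip symlinks that end in .pem
        # The subject hash is the file name OpenSSL looks up in the directory.
        if ! subj=$(openssl x509 -noout -hash -in "$cert" 2>/dev/null); then
            echo "UNPARSEABLE $cert"
            bad=1
            continue
        fi
        linked=no
        # Hash collisions get .1, .2, ...; accept any suffix that points here.
        for link in "$dir/$subj".[0-9]*; do
            [ -L "$link" ] || continue
            if [ "$link" -ef "$cert" ]; then
                linked=yes
                break
            fi
        done
        if [ "$linked" = no ]; then
            echo "MISSING $cert (expected symlink $dir/$subj.0)"
            bad=1
        fi
    done
    return "$bad"
}
```

A non-zero return after configuring ldaps:// with a downloaded certificate means the directory still needs `cacert_rehash /etc/openldap/cacerts`.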