Bug 619549

Summary: LDAP based Kerberos Server configuration fails with TLS error
Product: [openSUSE] openSUSE 11.3
Reporter: Ralf Haferkamp <ralf>
Component: YaST2
Assignee: Michael Calmer <mc>
Status: RESOLVED FIXED
QA Contact: Jiri Srain <jsrain>
Severity: Normal
Priority: P5 - None
CC: jsuchome, meissner
Version: RC 2
Target Milestone: Final
Hardware: Other
OS: Other
Whiteboard: maint:released:11.3:34687 maint:released:11.4:40212 maint:released:sle11-sp1:44396
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 615805
Bug Blocks: 684475
Attachments: proposed patch for yast2-kerberos-server

Description Ralf Haferkamp 2010-07-02 14:04:08 UTC
After fixing bug#615805 I ran into the next bug. Because we now have certificate checks enabled by default in /etc/openldap/ldap.conf (bug#575146), the kerberos-server module fails with a verification error (in SetupLdapClient() it seems).
Comment 1 Ralf Haferkamp 2010-07-02 14:07:09 UTC
AFAIK kerberos-server creates the certificates by default. So all that's missing is telling ldap-client the correct location of the CA certificate (I guess).


@jsuchome: How can that be achieved?
Comment 2 Jiří Suchomel 2010-07-02 14:16:17 UTC
See

Ldap::tls_cacertdir
Ldap::tls_cacertfile

They are accessible directly or using Export/Import.
Comment 3 Ralf Haferkamp 2010-07-06 09:50:03 UTC
Hm, the correct fix would probably be to write the correct settings to /etc/openldap/ldap.conf from the ldap-server module (the ldap-server module writes /etc/openldap/ldap.conf when using the UI wizard). However, I ran into a bit of a problem with that.

1. If I write /etc/openldap/ldap.conf using the etc.ldap_conf agent, even with flushing the caches (Write(.src.ldap_conf, "force")), the kerberos-server module seems to ignore the values. I don't know exactly what it does, but it just seems to be using the ldap-client/ldap modules.

2. The ldap-server module writes "host localhost" to /etc/openldap/ldap.conf, but during the run of kerberos-server this is somehow changed to "host 127.0.0.1", which will break the certificate verification of libldap. Only when "localhost" is used will libldap try to figure out the real hostname for certificate verification. I have no idea where this change from "localhost" to "127.0.0.1" happens; it might be ldap-client or kerberos-server.
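As an added check that is not code from this bug or from YaST, the small Python linter below flags the two ldap.conf pitfalls discussed in this thread: a verifying TLS_REQCERT level with no CA location configured, and a server given as an IP literal, which libldap will not resolve to a real hostname for the certificate check. The sample config text is constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample resembling the broken state described in this bug:
# no CA configured, and "host" rewritten to an IP literal.
BROKEN_LDAP_CONF = """\
# /etc/openldap/ldap.conf (constructed sample)
host 127.0.0.1
base dc=example,dc=com
TLS_REQCERT demand
"""

def parse_ldap_conf(text):
    """Map upper-cased keyword -> value (last occurrence wins); '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def server_names(conf):
    """Names libldap would compare with the server certificate (from URI and HOST)."""
    names = [urlsplit(u).hostname for u in conf.get("URI", "").split()]
    for host in conf.get("HOST", "").split():          # HOST entries are name[:port]
        m = re.match(r"^(\[[^\]]+\]|[^:]+)(?::\d+)?$", host)
        names.append(m.group(1).strip("[]") if m else host)
    return [n for n in names if n]

def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def check_ldap_conf(text):
    """Return a list of findings; an empty list means neither pitfall is present."""
    conf = parse_ldap_conf(text)
    findings = []
    # libldap defaults TLS_REQCERT to "demand"; "try" also aborts on a bad certificate
    if conf.get("TLS_REQCERT", "demand").lower() not in ("never", "allow"):
        if not (conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")):
            findings.append("no TLS_CACERT/TLS_CACERTDIR: a locally generated CA "
                            "(like the one YaST creates) cannot be verified")
        for name in server_names(conf):
            if is_ip_literal(name):
                findings.append(f"server given as IP literal {name}: libldap will not "
                                "resolve it, so use 'localhost' or the FQDN")
    return findings

if __name__ == "__main__":
    for finding in check_ldap_conf(BROKEN_LDAP_CONF):
        print("WARN:", finding)
```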
Comment 4 Ralf Haferkamp 2010-07-06 13:23:39 UTC
FYI, you can find the above-mentioned fix (updating /etc/openldap/ldap.conf from yast2-ldap-server) and the fix for bug#615805 in YaST:Head in OBS.
Comment 6 Ralf Haferkamp 2010-07-21 16:37:36 UTC
I think I found the problem. Even after closing every connection, the OpenLDAP library seems to only read /etc/openldap/ldap.conf on the first ldap_initialize/ldap_init call.
yast2-ldap-server uses the ldap-agent before it wrote /etc/openldap/ldap.conf, and after that, when yast2-kerberos-server calls Ldap->WriteNow(), the file is not re-read.

I think I can re-arrange yast2-ldap-server so that it calls into the ldap-agent after it has written /etc/openldap/ldap.conf.
Comment 7 Ralf Haferkamp 2010-07-22 11:49:54 UTC
Fixed yast2-ldap-server submitted to 11.3 (Submitrequest #43734).

There is, however, still a problem in the kerberos-server code. It doesn't set the correct hostname in SetupLdapClient(). I'll attach a patch for that.
Comment 8 Ralf Haferkamp 2010-07-22 11:50:54 UTC
Created attachment 377728 [details]
proposed patch for yast2-kerberos-server
Comment 9 Marcus Meissner 2010-07-23 08:52:19 UTC
yast2-kerberos-server submission still missing
Comment 10 Michael Calmer 2010-07-23 09:19:14 UTC
Submitted.
Comment 11 Swamp Workflow Management 2010-10-18 20:01:57 UTC
Update released for: yast2-kerberos-server, yast2-ldap-server, yast2-ldap-server-debuginfo, yast2-ldap-server-debugsource
Products:
openSUSE 11.3 (debug, i586, x86_64)
Comment 12 Bernhard Wiedemann 2011-04-11 09:55:17 UTC
This bug (619549) was mentioned in
https://build.opensuse.org/request/show/66789
Comment 13 Swamp Workflow Management 2011-04-26 14:39:12 UTC
Update released for: yast2-kerberos-server
Products:
openSUSE 11.4 (i586)
Comment 14 Bernhard Wiedemann 2011-04-28 11:49:27 UTC
This is an autogenerated message for OBS integration:
This bug (619549) was mentioned in
https://build.opensuse.org/request/show/67269
Comment 15 Swamp Workflow Management 2011-12-29 19:17:58 UTC
Update released for: yast2-kerberos-server
Products:
SLE-SDK 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 16 Bernhard Wiedemann 2016-04-15 11:58:22 UTC
This is an autogenerated message for OBS integration:
This bug (619549) was mentioned in
https://build.opensuse.org/request/show/42654 Factory / yast2-ldap-server
https://build.opensuse.org/request/show/43734 11.3:Test / yast2-ldap-server
https://build.opensuse.org/request/show/43816 11.3:Test / yast2-kerberos-server