Bug 684395

Summary: yast2-kerberos-server fails with LDAP SSL error
Product: [openSUSE] openSUSE 11.4
Component: YaST2
Version: Final
Hardware: Other
OS: Other
Status: RESOLVED FIXED
Severity: Normal
Priority: P5 - None
Target Milestone: ---
Reporter: Ralf Haferkamp <ralf>
Assignee: Jiří Suchomel <jsuchome>
QA Contact: Jiri Srain <jsrain>
CC: bwiedemann, mc
Whiteboard:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 683826
Bug Blocks:
Attachments: Proposed fix for the yast2 ldap agent

Description Ralf Haferkamp 2011-04-01 08:57:04 UTC
yast2-kerberos-server, when configured to set up its own LDAP server, fails with an SSL error when setting up the LDAP client configuration.

The reason seems to be that the LDAP SCR agent does not use the CA Cert configured in /etc/openldap/ldap.conf by yast2-ldap-server.  I'll attach a patch for the agent.
Comment 1 Ralf Haferkamp 2011-04-01 09:00:34 UTC
Created attachment 422686 [details]
Proposed fix for the yast2 ldap agent

This patch will cause the LDAP agent to always use the global TLS options. Previously it set the options per connection, which caused the agent to ignore settings from /etc/openldap/ldap.conf.
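To make the failure mode in this comment concrete, the following is an added example (not code from yast2-ldap-client, yast2-ldap-server or libldapcpp, and not the attached patch). It parses the ldap.conf(5) format, applies the LDAP<KEYWORD> environment override that ldap.conf(5) documents, and then audits the resulting TLS options the way a client should before it binds. `effective_options` models the two agent behaviours described above: inheriting the global defaults read from /etc/openldap/ldap.conf, versus building a per-connection option set from scratch that never sees TLS_CACERT. The sample ldap.conf text, the CA path and the `present` stand-in for os.path.exists are constructed for the example.

```python
"""Resolve and audit OpenLDAP client TLS defaults (added example for this bug)."""
import os

# Constructed sample in /etc/openldap/ldap.conf format; not taken from the bug report.
SAMPLE_LDAP_CONF = """\
# Generated by yast2-ldap-server (constructed sample)
BASE         dc=example,dc=com
URI          ldaps://ldap.example.com
TLS_CACERT   /etc/ssl/certs/YaST-CA.pem
tls_reqcert  demand
"""

# Keywords that an LDAP<KEYWORD> environment variable may override (ldap.conf(5)).
OVERRIDABLE = ("URI", "BASE", "TLS_CACERT", "TLS_CACERTDIR",
               "TLS_REQCERT", "TLS_CERT", "TLS_KEY")


def parse_ldap_conf(text):
    """Return {KEYWORD: value} for an ldap.conf(5) body.

    Keywords are case-insensitive and separated from their value by blanks;
    lines starting with '#' and empty lines are ignored.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def apply_environment(opts, environ=None):
    """Environment wins over the file: LDAPTLS_CACERT beats TLS_CACERT, and so on."""
    environ = os.environ if environ is None else environ
    merged = dict(opts)
    for key in OVERRIDABLE:
        value = environ.get("LDAP" + key)
        if value is not None:
            merged[key] = value
    return merged


def audit_tls(opts, path_exists=os.path.exists):
    """List problems that would make server-cert verification fail or be skipped.

    An empty list means the client trusts a CA that is actually present on
    disk and insists on verifying the server certificate.
    """
    problems = []
    reqcert = opts.get("TLS_REQCERT", "demand").lower()   # libldap default is demand
    if reqcert in ("never", "allow"):
        problems.append("TLS_REQCERT %s disables server certificate verification" % reqcert)
    cacert = opts.get("TLS_CACERT")
    cadir = opts.get("TLS_CACERTDIR")
    if not cacert and not cadir:
        problems.append("no TLS_CACERT or TLS_CACERTDIR: the server's CA is not trusted")
    if cacert and not path_exists(cacert):
        problems.append("TLS_CACERT %s does not exist" % cacert)
    if cadir and not path_exists(cadir):
        problems.append("TLS_CACERTDIR %s does not exist" % cadir)
    return problems


def effective_options(conf_text, per_connection=None, inherit_global=True, environ=None):
    """Build the option set a client ends up using.

    inherit_global=True starts from the defaults read from ldap.conf (the fixed
    agent); inherit_global=False starts from nothing and keeps only what the
    client set on the connection itself (the behaviour this bug describes).
    Per-connection values replace the global value for the same keyword.
    """
    opts = apply_environment(parse_ldap_conf(conf_text), environ) if inherit_global else {}
    opts.update(per_connection or {})
    return opts


if __name__ == "__main__":
    present = lambda p: p == "/etc/ssl/certs/YaST-CA.pem"   # stand-in for os.path.exists
    print("global defaults :", audit_tls(effective_options(SAMPLE_LDAP_CONF), present))
    print("per-connection  :", audit_tls(effective_options(
        SAMPLE_LDAP_CONF, {"TLS_REQCERT": "demand"}, inherit_global=False), present))
```

Run it against a real file with `audit_tls(apply_environment(parse_ldap_conf(open("/etc/openldap/ldap.conf").read())))`; the per-connection case reports a missing CA even though TLS_REQCERT is still "demand", which is exactly why the handshake in this bug fails rather than silently succeeding.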
Comment 2 Ralf Haferkamp 2011-04-01 09:05:09 UTC
Note 1: libldapcpp currently has a bug with regard to global TLS options, which is handled in bug#683826. Using the attached patch with an unfixed libldapcpp will cause breakage in yast2-ldap-client. I'll submit the fix for bug#683826 as soon as possible.

Note 2: Even with the above patch yast2-kerberos-server does not yet work completely. There is another TLS issue, I am not yet sure whose fault that is :). I'll post a separate report for that.
Comment 3 Jiří Suchomel 2011-04-01 09:29:32 UTC
What about SLE11SP2? 
ldap-agent is already there, should I apply the fix as well? If so, don't forget to fix the library there.
Comment 4 Jiří Suchomel 2011-04-01 09:34:50 UTC
(In reply to comment #3)

> ldap-agent is already there,

I mean in subversion, not the package... but we'll need ssl support for sssd
Comment 5 Ralf Haferkamp 2011-04-01 09:36:56 UTC
Currently the libldapcpp Version we have in SLE-11 doesn't provide the TlsOptions class. So LDAP Agent in SLE-11 doesn't have the affected code yet.

But in order to implement the various FATE requests around sssd and SLE11-SP2 we will need it there as well, yes. (Likely by updating libldapcpp to the current factory release, at least if it won't break the ABI)
Comment 6 Ralf Haferkamp 2011-04-01 12:32:19 UTC
The remaining issue seems to be in yast2-kerberos-server and was already fixed once for 11.3, but never submitted to factory. (It's bug#684475 now).
Comment 7 Jiří Suchomel 2011-04-04 08:21:43 UTC
OK, I'm committing the patch (thanks!), and I assume that's all. If it was not enough, please reopen.
Comment 8 Bernhard Wiedemann 2011-04-04 09:19:47 UTC
This bug (684395) was mentioned in
https://build.opensuse.org/request/show/65862