https://bugzilla.novell.com/show_bug.cgi?id=690585
https://bugzilla.novell.com/show_bug.cgi?id=690585#c0

Summary: dhcpd: Copy certificates to chroot when using ldaps/start_tls
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: joschibrauchle@gmx.de
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16

When running a DHCPD in chroot, which is configured to connect to an LDAP server that is secured with TLS or LDAPS, the DHCPD does not start because it is missing the required certificates for the SSL/TLS operation.

My /etc/dhcpd.conf contains:
------------
..
ldap-ssl ldaps;
ldap-tls-ca-file "/etc/ssl/myCA.pem";
#ldap-ssl start_tls;
ldap-tls-reqcert hard;
#ldap-tls-ca-dir "/etc/ssl";
#ldap-tls-cert
#ldap-tls-key
#ldap-tls-crlcheck
#ldap-tls-ciphers
#ldap-tls-randfile
..
------------

So I am using LDAPS, and the DHCPD needs access to "/etc/ssl/myCA.pem" in order to check the LDAP certificate.

Thus, all files specified in the directives:
- ldap-tls-ca-file
- ldap-tls-ca-dir
- ldap-tls-cert
- ldap-tls-key
- ldap-tls-randfile
should be copied to the chroot in case they are not empty.

The files can be forced to be copied to the chroot with the "DHCPD_CONF_INCLUDE_FILES" variable in "/etc/sysconfig/dhcpd", thus in my case:
--------
DHCPD_CONF_INCLUDE_FILES="/etc/ssl/myCA.pem"
--------

I just think the init script COULD take care of this automatically, sparing the user a LOT of headaches... :-)

Reproducible: Always

Steps to Reproduce:
1. Configure DHCP to use CHROOT
2. Configure DHCP to use LDAPS with path to CA cert in dhcpd.conf
3. Start DHCPD

Actual Results:
Start fails with connection error, as LDAP cert cannot be checked due to missing CA cert.

Expected Results:
Init script should copy the needed certs and DHCP should start normally.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
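An added example of what the automatic copy the reporter asks for could look like (example shell, not the openSUSE init script and not the reporter's code): it extracts the paths named by the ldap-tls-* directives in dhcpd.conf, skipping commented-out lines, and copies them into the chroot under the same absolute path. It assumes POSIX sh with a sed that supports -E and paths without whitespace; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example: stage the TLS material a chrooted dhcpd needs for ldaps/start_tls.
# Not part of the openSUSE init script; dhcpd.conf and chroot paths are passed in.

# Print the values of ldap-tls-ca-file/ca-dir/cert/key/randfile from a dhcpd.conf,
# ignoring "#" comments (a commented-out directive must not be staged).
# Argument 1: path to dhcpd.conf
dhcpd_ldap_tls_files() {
    sed -E -n \
        -e 's/#.*$//' \
        -e 's/^[[:space:]]*ldap-tls-(ca-file|ca-dir|cert|key|randfile)[[:space:]]+"([^"]+)"[[:space:]]*;.*$/\2/p' \
        "$1"
}

# Copy each named file or directory into the chroot at the same absolute path.
# cp -p keeps ownership and mode, so a restrictive mode on ldap-tls-key survives;
# the chroot copy is a second place the key lives and must be protected the same way.
# Argument 1: dhcpd.conf, argument 2: chroot directory. Returns 1 if any source is
# missing or relative, so the init script can refuse to start with a half-staged chroot.
dhcpd_copy_ldap_tls_files() {
    conf=$1; root=$2; rc=0
    for src in $(dhcpd_ldap_tls_files "$conf"); do
        case $src in
            /*) ;;
            *)  echo "dhcpd: $src in $conf is not an absolute path" >&2; rc=1; continue ;;
        esac
        if [ -e "$src" ]; then
            dest=$root$(dirname "$src")
            mkdir -p "$dest" && cp -pR "$src" "$dest/" || rc=1
        else
            echo "dhcpd: $src named in $conf does not exist" >&2; rc=1
        fi
    done
    return $rc
}
```

Running it from the init script before the chroot call, and aborting when it returns non-zero, turns the reporter's "connection error" into a clear message naming the missing CA file.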