[Bug 619549] New: LDAP based Kerberos Server configuration fails with TLS error
http://bugzilla.novell.com/show_bug.cgi?id=619549 http://bugzilla.novell.com/show_bug.cgi?id=619549#c0 Summary: LDAP based Kerberos Server configuration fails with TLS error Classification: openSUSE Product: openSUSE 11.3 Version: RC 2 Platform: Other OS/Version: Other Status: NEW Severity: Normal Priority: P5 - None Component: YaST2 AssignedTo: mc@novell.com ReportedBy: rhafer@novell.com QAContact: jsrain@novell.com Found By: Development Blocker: --- After fixing bug#615805 I ran into the next bug. Because we now have Certificate checks enabled by default in /etc/openldap/ldap.conf (bug#575146) the kerberos-server module fails with a Verification error (in SetupLdapClient() it seems). -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=619549#c1 Ralf Haferkamp <rhafer@novell.com> changed: Status: NEW -> NEEDINFO; InfoProvider: jsuchome@novell.com --- Comment #1 from Ralf Haferkamp <rhafer@novell.com> 2010-07-02 16:07:09 CEST --- AFAIK kerberos-server creates the certificates by default. So all that's missing is telling ldap-client the correct location of the CA certificate (I guess). @jsuchome: How can that be achieved?
http://bugzilla.novell.com/show_bug.cgi?id=619549#c2 Jiří Suchomel <jsuchome@novell.com> changed: Status: NEEDINFO -> NEW; CC: jsuchome@novell.com added; InfoProvider: jsuchome@novell.com cleared --- Comment #2 from Jiří Suchomel <jsuchome@novell.com> 2010-07-02 14:16:17 UTC --- See Ldap::tls_cacertdir and Ldap::tls_cacertfile; they are accessible directly or using Export/Import.
http://bugzilla.novell.com/show_bug.cgi?id=619549#c3 --- Comment #3 from Ralf Haferkamp <rhafer@novell.com> 2010-07-06 11:50:03 CEST --- Hm, the correct fix would probably be to write the correct settings to /etc/openldap/ldap.conf from the ldap-server module (the ldap-server module writes /etc/openldap/ldap.conf when using the UI wizard). However, I ran into a bit of a problem with that.
1. If I write /etc/openldap/ldap.conf using the etc.ldap_conf agent, even with flushing the caches (Write(.src.ldap_conf, "force")), the kerberos-server module seems to ignore the values. I don't know exactly what it does, but it just seems to be using the ldap-client/ldap modules.
2. The ldap-server module writes "host localhost" to /etc/openldap/ldap.conf, but during the run of kerberos-server this is somehow changed to "host 127.0.0.1", which will break the certificate verification of libldap. Only when "localhost" is used will libldap try to figure out the real hostname for certificate verification. I have no idea where this change from localhost to "127.0.0.1" happens; it might be ldap-client or kerberos-server.
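The two ldap.conf problems discussed in this bug (no CA location for the client, and a server name written as an IP literal, which cannot match the DNS name in a server certificate) are easy to check for mechanically. The following is an added example, not code from YaST or from this bug report: a small linter for OpenLDAP ldap.conf text that flags a disabled TLS_REQCERT, a missing trust anchor, and any host/URI given as an IP literal. The two configs it runs over are constructed for the example, and the CA path /etc/ssl/servercerts/YaST-CA.pem is an assumed value, not one taken from the bug.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed ldap.conf samples modelled on the situation in this bug:
# verification demanded, but no CA configured and the server given as an IP.
BROKEN_LDAP_CONF = """\
# /etc/openldap/ldap.conf -- constructed example, not the file YaST wrote
host 127.0.0.1
base dc=example,dc=com
TLS_REQCERT demand
"""

# Same client, with a resolvable name and a trust anchor (path is assumed).
FIXED_LDAP_CONF = """\
host localhost
base dc=example,dc=com
TLS_REQCERT demand
TLS_CACERT /etc/ssl/servercerts/YaST-CA.pem
"""


def parse_ldap_conf(text):
    """Parse ldap.conf into {KEYWORD: value}. Keywords are case-insensitive,
    separated from their value by whitespace; '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key = parts[0].upper()
        conf[key] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def server_names(conf):
    """Names the client will connect to, taken from URI and host directives."""
    names = []
    for uri in conf.get("URI", "").split():
        hostname = urlsplit(uri).hostname
        if hostname:
            names.append(hostname)
    names.extend(conf.get("HOST", "").split())
    return names


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def check_ldap_conf(text):
    """Return a list of findings (empty when the TLS client config is sane)."""
    conf = parse_ldap_conf(text)
    findings = []

    # libldap's built-in default is 'demand'; 'never' and 'allow' skip
    # verification entirely, which is the weak setting bug#575146 removed.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")

    # With verification on, the client still needs a trust anchor.
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: verification has no trust anchor")

    # Certificate name matching compares the name the client connected to.
    # An IP literal only matches an iPAddress SAN, never a DNS name, so
    # 'host 127.0.0.1' fails where 'host localhost' (resolved to the real
    # hostname) can succeed.
    for name in server_names(conf):
        if is_ip_literal(name):
            findings.append(f"server '{name}' is an IP literal and will not match a DNS name in the certificate")

    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_LDAP_CONF), ("fixed", FIXED_LDAP_CONF)):
        print(label, check_ldap_conf(text) or "ok")
```

This only inspects the file on disk; as comment #6 below notes, libldap reads ldap.conf on the first ldap_initialize call in a process, so a process that already opened a connection before the file was written will keep using the old values regardless of what the checker reports.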
http://bugzilla.novell.com/show_bug.cgi?id=619549#c4 --- Comment #4 from Ralf Haferkamp <rhafer@novell.com> 2010-07-06 15:23:39 CEST --- FYI, you can find the above-mentioned fix (updating /etc/openldap/ldap.conf from yast2-ldap-server) and the fix for bug#615805 in YaST:Head in OBS.
http://bugzilla.novell.com/show_bug.cgi?id=619549 Ralf Haferkamp <rhafer@novell.com> changed: Depends on: 615805 added
http://bugzilla.novell.com/show_bug.cgi?id=619549 Bug 619549 depends on bug 615805, which changed state. Bug 615805 Summary: YaST fails to create a kerberos server configuration http://bugzilla.novell.com/show_bug.cgi?id=615805 Status: REOPENED -> RESOLVED; Resolution: FIXED
http://bugzilla.novell.com/show_bug.cgi?id=619549#c6 Ralf Haferkamp <rhafer@novell.com> changed: AssignedTo: mc@novell.com -> rhafer@novell.com --- Comment #6 from Ralf Haferkamp <rhafer@novell.com> 2010-07-21 18:37:36 CEST --- I think I found the problem. Even after closing every connection, the OpenLDAP library seems to only read /etc/openldap/ldap.conf on the first ldap_initialize/ldap_init call. yast2-ldap-server uses the ldap-agent before it writes /etc/openldap/ldap.conf. And after that, when yast2-kerberos-server calls Ldap->WriteNow(), the file is not re-read. I think I can re-arrange yast2-ldap-server so that it calls into the ldap-agent after it has written /etc/openldap/ldap.conf.
http://bugzilla.novell.com/show_bug.cgi?id=619549#c7 --- Comment #7 from Ralf Haferkamp <rhafer@novell.com> 2010-07-22 13:49:54 CEST --- Fixed yast2-ldap-server submitted to 11.3 (Submitrequest #43734). There is however still a problem in the kerberos-server code. It doesn't set the correct hostname in SetupLdapClient(). I'll attach a patch for that.
http://bugzilla.novell.com/show_bug.cgi?id=619549#c8 --- Comment #8 from Ralf Haferkamp <rhafer@novell.com> 2010-07-22 13:50:54 CEST --- Created an attachment (id=377728) --> (http://bugzilla.novell.com/attachment.cgi?id=377728) proposed patch for yast2-kerberos-server
http://bugzilla.novell.com/show_bug.cgi?id=619549 Ralf Haferkamp <rhafer@novell.com> changed: AssignedTo: rhafer@novell.com -> mc@novell.com
http://bugzilla.novell.com/show_bug.cgi?id=619549#c9 Marcus Meissner <meissner@novell.com> changed: CC: meissner@novell.com added --- Comment #9 from Marcus Meissner <meissner@novell.com> 2010-07-23 08:52:19 UTC --- yast2-kerberos-server submission still missing
http://bugzilla.novell.com/show_bug.cgi?id=619549#c10 Michael Calmer <mc@novell.com> changed: Status: NEW -> RESOLVED; Resolution: FIXED; Target Milestone: --- -> Final --- Comment #10 from Michael Calmer <mc@novell.com> 2010-07-23 09:19:14 UTC --- submitted.
https://bugzilla.novell.com/show_bug.cgi?id=619549#c11 Swamp Workflow Management <swamp@suse.com> changed: Status Whiteboard: maint:released:11.3:34687 added --- Comment #11 from Swamp Workflow Management <swamp@suse.com> 2010-10-18 20:01:57 UTC --- Update released for: yast2-kerberos-server, yast2-ldap-server, yast2-ldap-server-debuginfo, yast2-ldap-server-debugsource Products: openSUSE 11.3 (debug, i586, x86_64)
https://bugzilla.novell.com/show_bug.cgi?id=619549 Ralf Haferkamp <rhafer@novell.com> changed: Blocks: 684475 added
https://bugzilla.novell.com/show_bug.cgi?id=619549#c12 --- Comment #12 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-04-11 11:55:17 CEST --- This bug (619549) was mentioned in https://build.opensuse.org/request/show/66789
https://bugzilla.novell.com/show_bug.cgi?id=619549#c13 Swamp Workflow Management <swamp@suse.com> changed: Status Whiteboard: maint:released:11.3:34687 -> maint:released:11.3:34687 maint:released:11.4:40212 --- Comment #13 from Swamp Workflow Management <swamp@suse.com> 2011-04-26 14:39:12 UTC --- Update released for: yast2-kerberos-server Products: openSUSE 11.4 (i586)
https://bugzilla.novell.com/show_bug.cgi?id=619549#c14 --- Comment #14 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-04-28 13:49:27 CEST --- This is an autogenerated message for OBS integration: This bug (619549) was mentioned in https://build.opensuse.org/request/show/67269
https://bugzilla.novell.com/show_bug.cgi?id=619549#c15 Swamp Workflow Management <swamp@suse.de> changed: Status Whiteboard: maint:released:11.3:34687 maint:released:11.4:40212 -> maint:released:11.3:34687 maint:released:11.4:40212 maint:released:sle11-sp1:44396 --- Comment #15 from Swamp Workflow Management <swamp@suse.de> 2011-12-29 19:17:58 UTC --- Update released for: yast2-kerberos-server Products: SLE-SDK 11-SP1 (i386, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
http://bugzilla.novell.com/show_bug.cgi?id=619549#c16 --- Comment #16 from Bernhard Wiedemann <bwiedemann@suse.com> --- This is an autogenerated message for OBS integration: This bug (619549) was mentioned in https://build.opensuse.org/request/show/42654 Factory / yast2-ldap-server https://build.opensuse.org/request/show/43734 11.3:Test / yast2-ldap-server https://build.opensuse.org/request/show/43816 11.3:Test / yast2-kerberos-server