Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1245626
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
When TLS_CACERT is specified in /etc/openldap/ldap.conf when "ipa-client-install" is run, it creates line

#TLS_CACERT /etc/ipa/ca.crt # modified by IPA

which sysadmins are likely to modify into

TLS_CACERT /etc/ipa/ca.crt # modified by IPA

which will be ignored by openldap-client tools (correctly, as per manpage)

Version-Release number of selected component (if applicable):
ipa-client-4.* is affected, all of rhel7.0 and 7.1
ipa-client-3.* seems not affected, I checked on RHEL6.7GA

How reproducible:
always

Steps to Reproduce:
1. setup rhel7.0 or rhel7.1
2. yum -y install ipa-server bind bind-dyndb-ldap
3. echo 'TLS_CACERT /etc/openldap/mycert.pem' >>/etc/openldap/ldap.conf
4. # do a plain ipa setup
   ipa-server-install --realm=FLUXCOIL.NET --domain=fluxcoil.net \
     --ds-password=redhat12 --master-password=redhat12 \
     --admin-password=redhat12 --hostname=$(hostname -f) --no-ntp \
     --idstart=10000 --setup-dns --zonemgr=me@example.org --ssh-trust-dns \
     --ip-address=$(ip addr s dev eth0|grep 'inet '|sed -e 's,.*inet ,,' \
       -e 's,/.*,,') --no-forwarders -U
5. grep ca.crt /etc/openldap/ldap.conf

Actual results:
#TLS_CACERT /etc/ipa/ca.crt # modified by IPA

Expected results:
#TLS_CACERT /etc/ipa/ca.crt

Additional info:
- From 'man 5 ldap.conf' it seems like openldap-client is only covering '#' characters at the start of lines. I think rather our ipa-client-install should be modified to fix this.
- From /usr/sbin/ipa-client-install we are calling /usr/lib/python2.7/site-packages/ipaclient/ipachangeconf.py to add the "# modified by IPA"
mhonek's proposal: move the comment to the line above
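To make the failure mode in the report and the effect of mhonek's proposal concrete, here is an added example (not code from FreeIPA, OpenLDAP or ipachangeconf.py). It models the ldap.conf(5) rule the reporter quotes: a line is a comment only when its first non-blank character is '#', and everything after the option name is the value. The sample ldap.conf, the helper names and the "admin uncomments the line" step are all constructed for the illustration; the marker text and the /etc/ipa/ca.crt path are the ones from the ticket. The security point: with the inline marker, an admin who uncomments the line ends up with a CA path that does not exist, so TLS_CACERT silently stops pinning the trust anchor; with the marker on its own line the uncommented value is exactly the CA file.

```python
"""Model of the ldap.conf(5) comment rule behind this ticket (added example)."""

# Constructed sample of an /etc/openldap/ldap.conf with one admin setting,
# matching step 3 of the reproduction.
ORIGINAL_CONF = """\
# constructed sample, not a real host's ldap.conf
BASE dc=fluxcoil,dc=net
TLS_CACERT /etc/openldap/mycert.pem
"""

IPA_CACERT = "/etc/ipa/ca.crt"  # path from the report
IPA_MARK = "# modified by IPA"  # marker text from the report


def parse_ldap_conf(text):
    """Minimal ldap.conf reader.

    Assumption modelled on the man page as quoted in the report: blank
    lines are skipped, a line whose first non-blank character is '#' is a
    comment, otherwise the first word is the option name and the whole
    rest of the line is its value.  There is no inline-comment syntax.
    Later occurrences of an option overwrite earlier ones.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def ipa_inline_marker(conf):
    """Layout the report observed: marker appended to the commented line."""
    return conf + "#TLS_CACERT %s %s\n" % (IPA_CACERT, IPA_MARK)


def ipa_marker_above(conf):
    """Layout mhonek proposes: marker on its own line above the setting."""
    return conf + "%s\n#TLS_CACERT %s\n" % (IPA_MARK, IPA_CACERT)


def admin_uncomments_ipa_cacert(conf):
    """Simulate a sysadmin removing the leading '#' from the IPA line,
    which is the edit the report says admins are likely to make."""
    out = []
    for line in conf.splitlines():
        if line.startswith("#TLS_CACERT " + IPA_CACERT):
            line = line[1:]
        out.append(line)
    return "\n".join(out) + "\n"


def effective_cacert(conf_after_edit):
    """The TLS_CACERT value an ldap.conf reader would actually use."""
    return parse_ldap_conf(conf_after_edit).get("TLS_CACERT")


if __name__ == "__main__":
    for name, layout in (("inline marker", ipa_inline_marker),
                         ("marker above", ipa_marker_above)):
        edited = admin_uncomments_ipa_cacert(layout(ORIGINAL_CONF))
        print("%-13s -> TLS_CACERT = %r" % (name, effective_cacert(edited)))
```

Running it prints the inline-marker layout resolving to '/etc/ipa/ca.crt # modified by IPA', a file that cannot exist, and the marker-above layout resolving to '/etc/ipa/ca.crt'. A quick audit on a client is the same grep the report uses: any TLS_CACERT line that contains a '#' after the path is a broken setting, not a commented one.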
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1264437 (Fedora)
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Metadata Update from @abiagion: - Issue assigned to abiagion (was: someone)
Pull request: https://github.com/freeipa/freeipa/pull/2093
Metadata Update from @abiagion: - Issue close_status updated to: None
master:
Fix landed in master, but I had some trouble with backport. Please manually backport this patch into 4.6, too.
@cheimes there it is: https://github.com/freeipa/freeipa/pull/2103
ipa-4-6:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)