Bug 1436723
Summary: | cert-find does not find all certificates without sizelimit=0 | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni> |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | Michal Reznik <mreznik> |
Severity: | unspecified | Docs Contact: | |
Priority: | medium | ||
Version: | 7.4 | CC: | mreznik, nsoman, pvoborni, rcritten, tscherf |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-4.5.0-3.el7 | Doc Type: | If docs needed, set a value |
Last Closed: | 2017-08-01 09:47:49 UTC | Type: | --- |
Description
Petr Vobornik
2017-03-28 13:51:26 UTC
Upstream ticket: https://pagure.io/freeipa/issue/6716

master:
6de507c2cad255975665eca6dd6ef7c8f2458d51 cert: do not limit internal searches in cert-find

ipa-4-5:
6382f9eee335907362a5ccb44b892f59de7d3751 cert: do not limit internal searches in cert-find

Verified on: ipa-server-4.5.0-9.el7.x86_64

1. Install ipa server

ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U

2. add "tester" user

[root@master ~]# ipa user-add tester
First name: test1
Last name: test2
-------------------
Added user "tester"
-------------------
  User login: tester
  First name: test1
  Last name: test2
  Full name: test1 test2
  Display name: test1 test2
  Initials: tt
  Home directory: /home/tester
  GECOS: test1 test2
  Login shell: /bin/sh
  Principal name: tester
  Principal alias: tester
  Email address: tester
  UID: 38400001
  GID: 38400001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]#

3. create "tester" user certificate

[root@master ~]# ipa certprofile-show --out smime.cfg caIPAserviceCert
------------------------------------------------
Profile configuration stored in file 'smime.cfg'
------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE
[root@master ~]#
[root@master ~]# vim smime.cfg
<snip>
name=TestUsers
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
profileId=caIPATestUsers
<snip>

[root@master ~]# ipa certprofile-import caIPATestUsers --file smime.cfg --desc "caIPATestUsers " --store TRUE
----------------------------
Imported profile "caIPATestUsers"
----------------------------
  Profile ID: caIPATestUsers
  Profile description: caIPATestUsers
  Store issued certificates: TRUE

[root@master ~]# ipa group-add tester-users
------------------------
Added group "tester-users"
------------------------
  Group name: tester-users
  GID: 38400003
[root@master ~]#
[root@master ~]# ipa caacl-add testerusers_acl
----------------------------
Added CA ACL "testerusers_acl"
----------------------------
  ACL name: testerusers_acl
  Enabled: TRUE
[root@master ~]#
[root@master ~]# ipa caacl-add-profile testerusers_acl --certprofile caIPATestUsers
  ACL name: testerusers_acl
  Enabled: TRUE
  Profiles: caIPATestUsers
  User Groups: tester-users
-------------------------
Number of members added 1
-------------------------
[root@master ~]#
[root@master ~]# openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus
..............................................+++
..................+++
e is 65537 (0x10001)
[root@master ~]#
[root@master ~]# cat ./tester.conf
[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "tester"

[ exts ]
subjectAltName=email:tester
[root@master ~]#
[root@master ~]# openssl req -new -key key.pem -out tester.csr -config tester.conf
[root@master ~]#
[root@master ~]# ipa cert-request tester.csr --principal tester --profile-id caIPATestUsers
  Issuing CA: ipa
  Certificate: <snip>
  Subject: CN=tester,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Fri May 26 14:17:41 2017 UTC
  Not After: Mon May 27 14:17:41 2019 UTC
  Serial number: 11
  Serial number (hex): 0xB
[root@master ~]#
[root@master ~]# ipa user-show tester
  User login: tester
  First name: test1
  Last name: test2
  Home directory: /home/tester
  Login shell: /bin/sh
  Principal name: tester
  Principal alias: tester
  Email address: tester
  UID: 38400004
  GID: 38400004
  Certificate: <snip>
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]#
[root@master ~]# ipa cert-find --users tester
---------------------
1 certificate matched
---------------------
  Issuing CA: ipa
  Subject: CN=tester,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Fri May 26 10:17:41 2017 UTC
  Not After: Mon May 27 10:17:41 2019 UTC
  Serial number: 11
  Serial number (hex): 0xB
  Status: VALID
  Revoked: False
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304