Bug 1517886

Summary: double ca acl provoke console error.
Product: Red Hat Enterprise Linux 7
Reporter: German Parente <gparente>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: low
Docs Contact:
Priority: unspecified
Version: 7.4
CC: afarley, cheimes, frenaud, ndehadra, pasik, pvoborni, rcritten, ssidhaye, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.6.5-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-06 13:09:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description German Parente 2017-11-27 16:19:04 UTC
Description of problem:

(logging this bug with low priority just for documentation of a customer issue)

There's a console "Operations Error" when accessing this in the console:

Authentication -> Certificates -> CA ACLs

When clicking on CA ACLs a dialog box pops up and states:
Operations Error

Version-Release number of selected component (if applicable): 
   ipa-server-4.4.0-14.el7_3.7.x86_64


The httpd logs show:

==========
[Wed Nov 22 17:07:59.459223 2017] [:error] [pid 2565] ipa: INFO: user: batch: caacl_show(u'hosts_services_caIPAserviceCert', no_members=True): SingleMatchExpected
==========

Then we search the ldap database and we find these objects:

dn: ipaUniqueID=f9f4a83a-ad67-11e5-a500-12958cd037e3,cn=caacls,cn=ca,dc=example,dc=com
ipaMemberCertProfile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=example,dc=com
serviceCategory: all
cn: hosts_services_caIPAserviceCert
objectClass: ipaassociation
objectClass: ipacaacl
hostCategory: all
ipaEnabledFlag: TRUE
ipaUniqueID: f9f4a83a-ad67-11e5-a500-12958cd037e3


dn: ipaUniqueID=f89ac5cc-ad68-11e5-aa96-001a4aa86515,cn=caacls,cn=ca,dc=example,dc=com
ipaMemberCertProfile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=example, dc=com
serviceCategory: all
cn: hosts_services_caIPAserviceCert
objectClass: ipaassociation
objectClass: ipacaacl
hostCategory: all
ipaEnabledFlag: TRUE
ipaUniqueID: f89ac5cc-ad68-11e5-aa96-001a4aa86515

So, once one is deleted, the console works fine. But we don't know how it was generated.

An "ipa caacl-add" checks the cn attribute so as not to allow duplicates. But as the RDN of the distinguished name is ipaUniqueID instead of cn (why?), a duplicate could be added into the database without any issue.

The cn attribute uniqueness is only enforced in ipa under:

uniqueness-attribute-name: cn
uniqueness-subtrees: cn=ng,cn=alt,dc=example,dc=com

uniqueness-attribute-name: cn
uniqueness-subtrees: cn=sudorules,cn=sudo,dc=example,dc=com

I consider this a bug since the console does not know how to cope when finding more than one caacl with the same profile.
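Because a uniqueness constraint only rejects new conflicts, a deployment that already has entries like the two above has to find and remove them by hand before (or after) the fix lands. The script below is an added example for this report, not FreeIPA code: it parses LDIF (for instance the output of an ldapsearch over cn=caacls,cn=ca,$SUFFIX) and lists every CA ACL name carried by more than one ipacaacl entry. The sample LDIF is constructed from the two duplicate entries quoted above plus one distinct CA ACL and one unrelated sudo rule with the same cn outside the container, to show that the scope check matters; the search base and suffix are assumptions.

```python
"""Find CA ACL entries that share a cn (ACL name) under cn=caacls,cn=ca,$SUFFIX.

Added example for this bug report; it is not FreeIPA code. It reads LDIF text
such as the output of (suffix is an assumption):

  ldapsearch -LLL -x -D 'cn=Directory Manager' -W \
      -b cn=caacls,cn=ca,dc=example,dc=com '(objectClass=ipacaacl)' cn ipaUniqueID

An attribute-uniqueness plugin only rejects *new* conflicts, so duplicates that
already exist (as in this report) must be located and deleted manually.
"""
import base64
from collections import defaultdict

# Constructed sample: the two duplicate entries from the report, one distinct
# CA ACL, and an unrelated sudo rule carrying the same cn outside the CA ACL
# subtree (it must not be reported).
SAMPLE_LDIF = """\
dn: ipaUniqueID=f9f4a83a-ad67-11e5-a500-12958cd037e3,cn=caacls,cn=ca,dc=example,dc=com
cn: hosts_services_caIPAserviceCert
objectClass: ipaassociation
objectClass: ipacaacl
ipaUniqueID: f9f4a83a-ad67-11e5-a500-12958cd037e3

dn: ipaUniqueID=f89ac5cc-ad68-11e5-aa96-001a4aa86515,cn=caacls,cn=ca,dc=example,dc=com
cn: hosts_services_caIPAserviceCert
objectClass: ipaassociation
objectClass: ipacaacl
ipaUniqueID: f89ac5cc-ad68-11e5-aa96-001a4aa86515

dn: ipaUniqueID=5b2b560a-d424-11e7-9a48-001a4a2313b8,cn=caacls,cn=ca,dc=example,dc=com
cn: newcaacl
objectClass: ipaassociation
objectClass: ipacaacl
ipaUniqueID: 5b2b560a-d424-11e7-9a48-001a4a2313b8

dn: cn=hosts_services_caIPAserviceCert,cn=sudorules,cn=sudo,dc=example,dc=com
cn: hosts_services_caIPAserviceCert
objectClass: ipasudorule
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, skips comments; returns one dict per entry mapping lower-cased
    attribute names to lists of values (the DN is stored under key 'dn')."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:       # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                        # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                   # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDN separators so that
    'dc=example, dc=com' and 'dc=example,dc=com' compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def find_duplicate_caacls(ldif_text, subtree="cn=caacls,cn=ca,dc=example,dc=com"):
    """Return {cn: [dn, ...]} for every CA ACL name that occurs in more than
    one ipacaacl entry below `subtree`. cn is compared case-insensitively,
    consistent with the caseIgnoreMatch equality rule of the LDAP cn attribute."""
    subtree = normalize_dn(subtree)
    by_cn = defaultdict(list)
    for entry in parse_ldif(ldif_text):
        raw_dn = entry.get("dn", [""])[0]
        if not normalize_dn(raw_dn).endswith("," + subtree):
            continue                                # outside the CA ACL container
        classes = {oc.lower() for oc in entry.get("objectclass", [])}
        if "ipacaacl" not in classes:
            continue
        for cn in entry.get("cn", []):
            by_cn[cn.lower()].append(raw_dn)
    return {cn: dns for cn, dns in by_cn.items() if len(dns) > 1}


if __name__ == "__main__":
    for cn, dns in find_duplicate_caacls(SAMPLE_LDIF).items():
        print(f"CA ACL name {cn!r} is used by {len(dns)} entries:")
        for dn in dns:
            print("  " + dn)
```

Once the offending DNs are known, delete the spare one with ldapdelete as Directory Manager (keep the entry that the existing certificate profile/host/service memberships point at, as in the report's own clean-up), then confirm with `ipa caacl-show <name>` that a single match is returned again.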

Comment 2 Florence Blanc-Renaud 2017-11-28 10:21:59 UTC
The issue is reproducible and is a valid bug.

1. create a caacl with
ipa caacl-add acl1

2. create a different caacl with
ipa caacl-add newcaacl

3. find the ipauniqueid of the 2nd caacl with 
ipa caacl-show newcaacl --all
  dn: ipaUniqueID=5b2b560a-d424-11e7-9a48-001a4a2313b8,cn=caacls,cn=ca,dc=example,dc=com
  ACL name: newcaacl
  Enabled: TRUE
  ipauniqueid: 5b2b560a-d424-11e7-9a48-001a4a2313b8
  objectclass: ipaassociation, ipacaacl

4. edit the 2nd caacl with ldapmodify and replace its cn:
ldapmodify -D cn=directory\ manager -w $PASSWORD
dn: ipaUniqueID=5b2b560a-d424-11e7-9a48-001a4a2313b8,cn=caacls,cn=ca,dc=example,dc=com
changetype: modify
replace: cn
cn: acl1

5. list the existing caacls
ipa caacl-show acl1
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.

The 4th step should have been forbidden, but as German said, the uniqueness attribute plugin does not operate on cn in the cn=caacls,cn=ca,$SUFFIX subtree.
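What closing that gap looks like in 389-ds terms, as an added illustration for this report (it is not the content of the upstream commits, which this page does not reproduce): an Attribute Uniqueness plugin instance scoped to the CA ACL container, in the same shape as the cn=ng and cn=sudorules instances quoted in the description. The entry name "caacl name uniqueness" and the suffix dc=example,dc=com are assumptions.

```ldif
# Added example, not the FreeIPA update file. Replace the suffix with your own.
dn: cn=caacl name uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: caacl name uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: betxnpreoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce unique attribute values
uniqueness-attribute-name: cn
uniqueness-subtrees: cn=caacls,cn=ca,dc=example,dc=com
```

Loaded with ldapadd as Directory Manager and followed by a restart of the dirsrv instance, this makes step 4 fail with LDAP result 19 (Constraint violation) and the "Another entry with the same attribute value already exists" diagnostic, which is exactly what the verification output further down shows. On a FreeIPA server the plugin configuration is normally shipped as an update file applied by ipa-server-upgrade rather than added by hand. Two caveats: the plugin is a pre-operation check on new writes and does nothing about duplicates already present in the tree, and the constraint is enforced per subtree, so a second ipacaacl container elsewhere (or a different suffix on a replica) is not covered unless listed in uniqueness-subtrees.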

Comment 3 Florence Blanc-Renaud 2017-12-06 13:20:14 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7304

Comment 4 Florence Blanc-Renaud 2018-02-20 08:41:08 UTC
Fixed upstream

master:
    0e9ce73 Add uniqueness constraint on CA ACL name

Comment 6 Christian Heimes 2019-03-28 20:50:11 UTC
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/2b442126cb7a47631cd6eb745790d2df944b2395

Comment 8 Sumedh Sidhaye 2019-06-14 08:17:02 UTC
Build used for verification:
[root@qe-blade-06 ~]# rpm -qa ipa-server sssd 389-ds-base pki-ca
ipa-server-4.6.5-9.el7.x86_64
389-ds-base-1.3.9.1-9.el7.x86_64
sssd-1.16.4-21.el7.x86_64
pki-ca-10.5.16-2.el7.noarch
[root@qe-blade-06 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.7 Beta (Maipo)
[root@qe-blade-06 ~]# ls /var/lib/pki/
pki-tomcat


Steps: 

[root@qe-blade-06 ~]# ipa caacl-add acl1
-------------------
Added CA ACL "acl1"
-------------------
  ACL name: acl1
  Enabled: TRUE
[root@qe-blade-06 ~]# ipa caacl-add newcaacl
-----------------------
Added CA ACL "newcaacl"
-----------------------
  ACL name: newcaacl
  Enabled: TRUE
[root@qe-blade-06 ~]# ipa caacl-show newcaacl --all
  dn: ipaUniqueID=745bcf02-8e7b-11e9-b3cb-00215e20333e,cn=caacls,cn=ca,dc=testrelm,dc=test
  ACL name: newcaacl
  Enabled: TRUE
  ipauniqueid: 745bcf02-8e7b-11e9-b3cb-00215e20333e
  objectclass: ipaassociation, ipacaacl


[root@qe-blade-06 ~]# ldapmodify -D cn="Directory Manager" -w Secret123
dn: ipaUniqueID=745bcf02-8e7b-11e9-b3cb-00215e20333e,cn=caacls,cn=ca,dc=testrelm,dc=test
changetype: modify
replace: cn
cn: acl1

modifying entry "ipaUniqueID=745bcf02-8e7b-11e9-b3cb-00215e20333e,cn=caacls,cn=ca,dc=testrelm,dc=test"
ldap_modify: Constraint violation (19)
	additional info: Another entry with the same attribute value already exists (attribute: "cn ")     <--------------------- ldapmodify operation fails since it is forbidden

[root@qe-blade-06 ~]# ipa caacl-show acl1
  ACL name: acl1
  Enabled: TRUE
[root@qe-blade-06 ~]# 

Based on the above operations, marking the bugzilla as verified.

Comment 10 errata-xmlrpc 2019-08-06 13:09:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241