Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1659492

Summary: searching for ipa users by certificate fails [rhel-7.6.z]
Product: Red Hat Enterprise Linux 7 Reporter: RAD team bot copy to z-stream <autobot-eus-copy>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: high Docs Contact:
Priority: high    
Version: 7.6CC: frenaud, jreznik, lmanasko, myusuf, pvoborni, rcritten, tscherf
Target Milestone: rcKeywords: Regression, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.6.4-10.el7_6.2 Doc Type: Bug Fix
Doc Text:
Previously, the source code internally looking cor certificates in the LDAP server built a wrong search filter. As a consequence, the "ipa user-find --certificate=<cert>" failed to find users who had the provided certificate. With this update, the source code that builds the LDAP search filter has been fixed. As a result, the ipa user-find --certificate=<cert> command now properly finds users with the provided certificate.
 Story Points: ---
Clone Of: 1651834 Environment:
Last Closed: 2019-01-29 17:24:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1651834    
Bug Blocks:    

Description RAD team bot copy to z-stream 2018-12-14 14:23:55 UTC 
This bug has been copied from bug #1651834 and has been proposed to be backported to 7.6 z-stream (EUS).
Comment 4 Mohammad Rizwan 2019-01-17 05:44:45 UTC 
version:
ipa-server-dns-4.6.4-10.el7_6.2.noarch
ipa-server-common-4.6.4-10.el7_6.2.noarch
ipa-server-4.6.4-10.el7_6.2.x86_64


Steps:
1. install ipa master and add user
2. create a certificate for user and add certificate to user
3. find user by --certificate option.


Actual result:

[root@master ~]# openssl req -x509 -newkey rsa:2048 -days 365 -nodes -keyout private.key -out cert.pem -subj '/CN=user2'
Generating a 2048 bit RSA private key
.......................+++
..........................................+++
writing new private key to 'private.key'
-----

[root@master ~]#  openssl x509 -outform der -in cert.pem -out cert.der
[root@master ~]# 

[root@master ~]# ipa user-add-cert user2 --certificate="$(base64 cert.der)"
----------------------------------
Added certificates to user "user2"
----------------------------------
  User login: user2
  Certificate: MIIC8zCCAdugAwIBAgIJALjFlwUEuuBLMA0GCSqGSIb3DQEBCwUAMBAxDjAMBgNVBAMMBXVzZXIyMB4XDTE5MDExNjE0MTc1OFoXDTIwMDExNjE0MTc1OFowEDEOMAwGA1UEAwwFdXNlcjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbl8Xl+z8n3kE9TJEbEYpzYPrIIAQaJvTBHjCNWhvItBlm5uQ3+yz6ZZR5tqd1hV0lOF9D5nvEXwtr1T3F6Zl+i6wVQgSPvQX6PeD37hM2RW/LxD7PN75++7Ou4oLcCegjb627/DsF196jxYXwYPtgHpIvR3AL0GgrNeiAEfe+9JlITm9tqIFZ/7DJ24nvAW6WAWCOd5kAI6a8Z9pz7kFkpQd3PP6X08M9aPrkH0NgAtUFXW9LR4lNC+ymbjSZOYi01fEPm38qDirdSieDDel13kZ20etduwN1v4/jKJZPuc99eMrIH895sSk3fbxQLmzMBMUTs5s7VIecq2jhNntdAgMBAAGjUDBOMB0GA1UdDgQWBBRpoUEI1RZgiqhti0285t8vlSED4jAfBgNVHSMEGDAWgBRpoUEI1RZgiqhti0285t8vlSED4jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB5pY8wOs4QavgbHO1VcE/29w4wG+yhvug9Sh2wAO+7qXlyJ/uTCSR0O/6YQHRngBHnyBL9msezE3qMQy35wQ3ikyM+NFD+oKndNTPgkYFlAEY13Tz1lMhRvnMYSx8oj/kFoAbDIJdcsNd/Q3LTmjGbkOA4mhmkYurZNsRLCkFJ0MwcKGbBIz4BIcbh0cVWZ2DXweXr+7YwpUoLPVHPguS9/UAUlCvnDF8UpVf9TiBzQT//YjfsmNATkUJrzAzxPRR8RhYVKKT1R6GniWNLyxz9IMaNzwZyYf11mQsOX/JEeTNpceAkmn2p2k52aOp33afzSCE63Eu5oQ0ptddYd3EG
[root@master ~]# 

[root@master ~]# ipa user-add-cert user2 --certificate="$(base64 cert.der)"
ipa: ERROR: 'usercertificate;binary' already contains one or more values


[root@master ~]# ipa user-find  --certificate="$(base64 cert.der)"
--------------
1 user matched
--------------
  User login: user2
  First name: user
  Last name: test
  Home directory: /home/user2
  Login shell: /bin/sh
  Principal name: user2
  Principal alias: user2
  Email address: user2
  UID: 1993600003
  GID: 1993600003
  Certificate: MIIC8zCCAdugAwIBAgIJALjFlwUEuuBLMA0GCSqGSIb3DQEBCwUAMBAxDjAMBgNVBAMMBXVzZXIyMB4XDTE5MDExNjE0MTc1OFoXDTIwMDExNjE0MTc1OFowEDEOMAwGA1UEAwwFdXNlcjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbl8Xl+z8n3kE9TJEbEYpzYPrIIAQaJvTBHjCNWhvItBlm5uQ3+yz6ZZR5tqd1hV0lOF9D5nvEXwtr1T3F6Zl+i6wVQgSPvQX6PeD37hM2RW/LxD7PN75++7Ou4oLcCegjb627/DsF196jxYXwYPtgHpIvR3AL0GgrNeiAEfe+9JlITm9tqIFZ/7DJ24nvAW6WAWCOd5kAI6a8Z9pz7kFkpQd3PP6X08M9aPrkH0NgAtUFXW9LR4lNC+ymbjSZOYi01fEPm38qDirdSieDDel13kZ20etduwN1v4/jKJZPuc99eMrIH895sSk3fbxQLmzMBMUTs5s7VIecq2jhNntdAgMBAAGjUDBOMB0GA1UdDgQWBBRpoUEI1RZgiqhti0285t8vlSED4jAfBgNVHSMEGDAWgBRpoUEI1RZgiqhti0285t8vlSED4jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB5pY8wOs4QavgbHO1VcE/29w4wG+yhvug9Sh2wAO+7qXlyJ/uTCSR0O/6YQHRngBHnyBL9msezE3qMQy35wQ3ikyM+NFD+oKndNTPgkYFlAEY13Tz1lMhRvnMYSx8oj/kFoAbDIJdcsNd/Q3LTmjGbkOA4mhmkYurZNsRLCkFJ0MwcKGbBIz4BIcbh0cVWZ2DXweXr+7YwpUoLPVHPguS9/UAUlCvnDF8UpVf9TiBzQT//YjfsmNATkUJrzAzxPRR8RhYVKKT1R6GniWNLyxz9IMaNzwZyYf11mQsOX/JEeTNpceAkmn2p2k52aOp33afzSCE63Eu5oQ0ptddYd3EG
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# 
[root@master ~]# 
[root@master ~]# ipa user-find user2  --certificate="$(base64 cert.der)"
--------------
1 user matched
--------------
  User login: user2
  First name: user
  Last name: test
  Home directory: /home/user2
  Login shell: /bin/sh
  Principal name: user2
  Principal alias: user2
  Email address: user2
  UID: 1993600003
  GID: 1993600003
  Certificate: MIIC8zCCAdugAwIBAgIJALjFlwUEuuBLMA0GCSqGSIb3DQEBCwUAMBAxDjAMBgNVBAMMBXVzZXIyMB4XDTE5MDExNjE0MTc1OFoXDTIwMDExNjE0MTc1OFowEDEOMAwGA1UEAwwFdXNlcjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbl8Xl+z8n3kE9TJEbEYpzYPrIIAQaJvTBHjCNWhvItBlm5uQ3+yz6ZZR5tqd1hV0lOF9D5nvEXwtr1T3F6Zl+i6wVQgSPvQX6PeD37hM2RW/LxD7PN75++7Ou4oLcCegjb627/DsF196jxYXwYPtgHpIvR3AL0GgrNeiAEfe+9JlITm9tqIFZ/7DJ24nvAW6WAWCOd5kAI6a8Z9pz7kFkpQd3PP6X08M9aPrkH0NgAtUFXW9LR4lNC+ymbjSZOYi01fEPm38qDirdSieDDel13kZ20etduwN1v4/jKJZPuc99eMrIH895sSk3fbxQLmzMBMUTs5s7VIecq2jhNntdAgMBAAGjUDBOMB0GA1UdDgQWBBRpoUEI1RZgiqhti0285t8vlSED4jAfBgNVHSMEGDAWgBRpoUEI1RZgiqhti0285t8vlSED4jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB5pY8wOs4QavgbHO1VcE/29w4wG+yhvug9Sh2wAO+7qXlyJ/uTCSR0O/6YQHRngBHnyBL9msezE3qMQy35wQ3ikyM+NFD+oKndNTPgkYFlAEY13Tz1lMhRvnMYSx8oj/kFoAbDIJdcsNd/Q3LTmjGbkOA4mhmkYurZNsRLCkFJ0MwcKGbBIz4BIcbh0cVWZ2DXweXr+7YwpUoLPVHPguS9/UAUlCvnDF8UpVf9TiBzQT//YjfsmNATkUJrzAzxPRR8RhYVKKT1R6GniWNLyxz9IMaNzwZyYf11mQsOX/JEeTNpceAkmn2p2k52aOp33afzSCE63Eu5oQ0ptddYd3EG
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# 
[root@master ~]# 
[root@master ~]# ipa user-del user2
--------------------
Deleted user "user2"
--------------------
[root@master ~]# 
[root@master ~]# 
[root@master ~]# ipa user-find  --certificate="$(base64 cert.der)"
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
[root@master ~]#

Based on above observations, marking the bug as verified.
Comment 5 Mohammad Rizwan 2019-01-17 05:50:48 UTC 
Automations exists upstream:
https://pagure.io/freeipa/c/653934071fdb1f71d83f230359531b631a0fb959
Comment 8 errata-xmlrpc 2019-01-29 17:24:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0190