Bug 1659492
| Summary: | searching for ipa users by certificate fails [rhel-7.6.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | RAD team bot copy to z-stream <autobot-eus-copy> | 
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | 
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | 
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.6 | CC: | frenaud, jreznik, lmanasko, myusuf, pvoborni, rcritten, tscherf | 
| Target Milestone: | rc | Keywords: | Regression, ZStream | 
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.6.4-10.el7_6.2 | Doc Type: | Bug Fix | 
| Doc Text: | Previously, the source code internally looking for certificates in the LDAP server built a wrong search filter. As a consequence, the "ipa user-find --certificate=<cert>" command failed to find users who had the provided certificate. With this update, the source code that builds the LDAP search filter has been fixed. As a result, the ipa user-find --certificate=<cert> command now properly finds users with the provided certificate. | Story Points: | --- | 
| Clone Of: | 1651834 | Environment: | |
| Last Closed: | 2019-01-29 17:24:34 UTC | Type: | --- | 
| Regression: | --- | Mount Type: | --- | 
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1651834 | ||
| Bug Blocks: | |||

Description

RAD team bot copy to z-stream 2018-12-14 14:23:55 UTC

version:
ipa-server-dns-4.6.4-10.el7_6.2.noarch
ipa-server-common-4.6.4-10.el7_6.2.noarch
ipa-server-4.6.4-10.el7_6.2.x86_64

Steps:
1. install ipa master and add user
2. create a certificate for user and add certificate to user
3. find user by --certificate option.

Actual result:

```
[root@master ~]# openssl req -x509 -newkey rsa:2048 -days 365 -nodes -keyout private.key -out cert.pem -subj '/CN=user2'
Generating a 2048 bit RSA private key
.......................+++
..........................................+++
writing new private key to 'private.key'
-----
[root@master ~]# openssl x509 -outform der -in cert.pem -out cert.der
[root@master ~]#
[root@master ~]# ipa user-add-cert user2 --certificate="$(base64 cert.der)"
----------------------------------
Added certificates to user "user2"
----------------------------------
  User login: user2
  Certificate: [...]
[root@master ~]#
[root@master ~]# ipa user-add-cert user2 --certificate="$(base64 cert.der)"
ipa: ERROR: 'usercertificate;binary' already contains one or more values
[root@master ~]# ipa user-find --certificate="$(base64 cert.der)"
--------------
1 user matched
--------------
  User login: user2
  First name: user
  Last name: test
  Home directory: /home/user2
  Login shell: /bin/sh
  Principal name: user2
  Principal alias: user2
  Email address: user2
  UID: 1993600003
  GID: 1993600003
  Certificate: [...]
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]#
[root@master ~]#
[root@master ~]# ipa user-find user2 --certificate="$(base64 cert.der)"
--------------
1 user matched
--------------
  User login: user2
  First name: user
  Last name: test
  Home directory: /home/user2
  Login shell: /bin/sh
  Principal name: user2
  Principal alias: user2
  Email address: user2
  UID: 1993600003
  GID: 1993600003
  Certificate: [...]
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]#
[root@master ~]#
[root@master ~]# ipa user-del user2
--------------------
Deleted user "user2"
--------------------
[root@master ~]#
[root@master ~]#
[root@master ~]# ipa user-find --certificate="$(base64 cert.der)"
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
[root@master ~]#
```

Based on above observations, marking the bug as verified.

Automation exists upstream:
https://pagure.io/freeipa/c/653934071fdb1f71d83f230359531b631a0fb959

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0190
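
The Doc Text above attributes the failure to a wrongly built LDAP search filter for certificates. The following Python is an added example, not FreeIPA's code and not the patch for this bug: it shows how a binary certificate value has to be placed in an equality filter (every octet escaped as `\XX`, RFC 4515) and why a filter carrying the base64 text cannot match the stored DER octets. All function names are hypothetical, the sample bytes are constructed, and `naive_filter` is only one illustrative wrong form, not a claim about the actual defect.

```python
import base64
import re

ATTR = "usercertificate;binary"  # attribute name from the error message on this page


def der_from_cli(cert_b64: str) -> bytes:
    """Decode a --certificate value; `base64 cert.der` wraps lines, so drop whitespace."""
    der = base64.b64decode("".join(cert_b64.split()), validate=True)
    if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("input is not a DER-encoded certificate")
    return der


def cert_filter(der: bytes) -> str:
    """Equality filter with every octet escaped as \\XX (RFC 4515)."""
    return "(%s=%s)" % (ATTR, "".join("\\%02x" % b for b in der))


def naive_filter(cert_b64: str) -> str:
    """Illustrative wrong filter: base64 text compared against raw stored octets."""
    return "(%s=%s)" % (ATTR, cert_b64)


def assertion_octets(ldap_filter: str) -> bytes:
    """Recover the octets a server would compare, undoing RFC 4515 escapes."""
    value = ldap_filter[1:-1].split("=", 1)[1].encode("utf-8")
    return re.sub(rb"\\([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]), value)


def matches(ldap_filter: str, stored: bytes) -> bool:
    """Simulated octet-string equality match against a stored attribute value."""
    return assertion_octets(ldap_filter) == stored


# Constructed sample: DER-like bytes including '(', '*', ')', '\\' and NUL; not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A, 0x28, 0x2A, 0x29, 0x5C, 0x00, 0xFF])
SAMPLE_B64 = base64.encodebytes(SAMPLE_DER).decode("ascii")  # newline-terminated, like `base64`

if __name__ == "__main__":
    good = cert_filter(der_from_cli(SAMPLE_B64))
    print(good, matches(good, SAMPLE_DER))
    bad = naive_filter(SAMPLE_B64.strip())
    print(bad, matches(bad, SAMPLE_DER))
```

Escaping every octet, rather than only the filter metacharacters, keeps bytes such as `(`, `*`, `)` and NUL inside the DER from changing the meaning of the filter.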