Bug 1758404
| Summary: | KRA authentication fails when IPA CA has custom Subject DN | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Fraser Tweedale <ftweedal> | |
| Component: | ipa | Assignee: | Thomas Woerner <twoerner> | |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 8.0 | CC: | frenaud, ksiddiqu, myusuf, pasik, pcech, rcritten, tscherf | |
| Target Milestone: | rc | |||
| Target Release: | 8.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1758406 (view as bug list) | Environment: | ||
| Last Closed: | 2020-04-28 15:43:29 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1758406 | |||
|
Description
Fraser Tweedale
2019-10-04 03:59:46 UTC
How to verify:
1. Create IPA server with custom CA subject DN, and KRA, e.g.
ipa-server-install --ca-subject "CN=IPA CA 201910041439,DC=redhat,DC=com" --setup-kra
2. Confirm uid=ipakra user entry 'description' attribute contains correct value:
% ldapsearch -LLL -D cn=directory\ manager -w "$DM_PASSWORD" -b o=ipaca '(|(uid=ipara)(uid=ipakra))' description |less
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=IPA CA 201910041418,DC=redhat,DC=com;CN=IPA RA,O=IPA.LOCAL
dn: uid=ipakra,ou=people,o=kra,o=ipaca
description: 2;7;CN=IPA CA 201910041418,DC=redhat,DC=com;CN=IPA RA,O=IPA.LOCAL
uid=ipakra 'description' attribute should contain the --ca-subject and should match the uid=ipara 'description' attribute.
3. Confirm KRA operations succeed, e.g. "ipa vault-add foo --password Secret.123"
Workaround: fix the "description" attribute of the entry uid=ipakra,ou=people,o=kra,o=ipaca The value can be taken from the "description" attribute of the entry uid=ipara,ou=people,o=ipaca: $ kinit admin $ ldapsearch -LLL -o ldif-wrap=no -Y GSSAPI -b uid=ipara,ou=people,o=ipaca description SASL/GSSAPI authentication started SASL username: admin SASL SSF: 256 SASL data security layer installed. dn: uid=ipara,ou=people,o=ipaca description: 2;7;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM ^^ note the value from this command $ ldapmodify -D cn=directory\ manager -W Enter LDAP Password: dn: uid=ipakra,ou=people,o=kra,o=ipaca changetype: modify replace: description description: <paste the value from the prev output> modifying entry "uid=ipakra,ou=people,o=kra,o=ipaca" Fixed upstream master: https://pagure.io/freeipa/c/326d417d98b092e175623cd28e46586df00e60a2 https://pagure.io/freeipa/c/7ea50ff76d2ee5367b75d999c2baa2a7a480f34a https://pagure.io/freeipa/c/e767386e7120be3515d6a34529b51ae658248038 The last commit adds a test in ipatests/test_integration/test_ca_custom_sdn.py (this is a new file, downstream metadata needs to be created to trigger the test). Upstream ticket: https://pagure.io/freeipa/issue/8084 ipa-4-8: https://pagure.io/freeipa/c/09c6db7 https://pagure.io/freeipa/c/23f4e00 https://pagure.io/freeipa/c/5d68d04 Based on the above logs, marking the bug as verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:1640 |