Bug 1781799
| Field | Value |
|---|---|
| Summary | ipa-client-install towards RHEL7.6 IPA server is failing |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | mpanaous |
| Component | ipa |
| Assignee | Thomas Woerner <twoerner> |
| Status | CLOSED ERRATA |
| QA Contact | ipa-qe <ipa-qe> |
| Severity | urgent |
| Priority | urgent |
| Version | 8.1 |
| CC | abokovoy, afarley, alsharma, cheimes, dpal, fcami, frenaud, gael.queri, ipa-maint, kludhwan, ksiddiqu, msauton, pasik, rcritten, rmarigny, tmihinto, tscherf, twoerner, vmishra |
| Target Milestone | rc |
| Target Release | 8.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2020-04-28 15:44:12 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1788572 |

Comment 4
Florence Blanc-Renaud
2019-12-17 10:49:34 UTC
Hi, there was a change in openldap that may explain the issue. Can you check the content of the LDAP server certificate? On the master, run:

    $ certutil -L -d /etc/dirsrv/slapd-<domain> -n Server-Cert

and check if there are "Certificate Subject Alt Name" extensions. The SAN extension must contain the hostname.

And on the client, check the version of openldap:

    $ rpm -qa openldap

Before openldap-2.4.46-10.el8, the validation was falling back to the content of the CN field if there was no SAN extension matching the host name. Since openldap-2.4.46-10.el8, the validation fails if there is no SAN extension matching the host name. (see BZ https://bugzilla.redhat.com/show_bug.cgi?id=1740070 and https://bugzilla.redhat.com/show_bug.cgi?id=1788572)

Created attachment 1651344 [details]
Untested patch for OpenLDAP

This untested patch for OpenLDAP replaces the custom hostname verification code with OpenSSL 1.0.2 API calls to X509_check_host() and X509_check_ip().

We have further analyzed the issue and now feel confident that the issue is caused by a regression in openldap-2.4.46-10.el8. OpenLDAP client libraries no longer fall back to Subject CN for hostname verification in case the server certificate contains only non-hostname subject alt name (SAN) entries. The hostname check should only skip the fallback in case one or more SAN entries are of type DNSName general name. In some cases IPA and AD include other SAN entries like Kerberos principal.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:1640
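As an added illustration (not code from this bug, from OpenLDAP or from the attached patch), the following Python models the two hostname-verification rules the comments describe, over the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns: the regressed rule drops the CN fallback whenever any SAN entry is present, while the intended rule drops it only when DNSName entries are present. The certificates, host names and policy names are constructed for the example.

```python
# Added example: a model of OpenLDAP's two hostname-verification rules (not OpenLDAP code).
# `cert` uses the dict shape of ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs,
# 'subjectAltName' a tuple of (type, value) pairs such as ('DNS', 'host') or ('othername', ...).

def _dns_match(pattern, host):
    """Case-insensitive DNS-ID match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(h) > 2 and p[1:] == h[1:]
    return p == h

def _common_name(cert):
    """Return the subject commonName, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def check_host(cert, host, policy):
    """policy 'any_san': the CN fallback is skipped as soon as any SAN entry exists
    (the openldap-2.4.46-10.el8 regression). policy 'dns_san': the CN fallback is
    skipped only when the certificate carries DNSName SAN entries (the intended rule)."""
    sans = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if any(_dns_match(name, host) for name in dns_names):
        return True
    blocks_fallback = sans if policy == "any_san" else dns_names
    if blocks_fallback:
        return False
    cn = _common_name(cert)
    return cn is not None and _dns_match(cn, host)

# Constructed sample: CN names the host, SAN holds only a Kerberos principal (otherName),
# the layout this bug describes for IPA and AD server certificates.
PRINCIPAL_ONLY_CERT = {
    "subject": ((("organizationName", "EXAMPLE.TEST"),), (("commonName", "ipa.example.test"),)),
    "subjectAltName": (("othername", "<unsupported>"),),
}
# Constructed sample: SAN names a different host; the CN must not rescue it under either rule.
MISMATCHED_DNS_CERT = {
    "subject": ((("commonName", "ipa.example.test"),),),
    "subjectAltName": (("DNS", "other.example.test"), ("othername", "<unsupported>")),
}

def compare_policies(cert, host):
    return {p: check_host(cert, host, p) for p in ("any_san", "dns_san")}
```

Feeding a real peer certificate from `ssl.SSLSocket.getpeercert()` into `compare_policies` shows whether a server certificate depends on the CN fallback that the regressed openldap build removed.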