Bug 948928

Summary: LDAP upload CA cert sometimes double-encodes the value
Product: Red Hat Enterprise Linux 6
Reporter: Najmuddin Chirammal <nc>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: high
Docs Contact:
Priority: high
Version: 6.5
CC: dpal, francesco.trentini, lmiksik, mkosek, nsoman, rcritten, yjog
Target Milestone: rc
Keywords: Regression, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ipa-3.0.0-30.el6
Doc Type: Bug Fix
Doc Text:
Cause: In some situations the Identity Management upgrade process double-encoded the CA certificate stored in the Directory Server.
Consequence: Some Identity Management clients (e.g. on the RHEL-5 platform) failed to decode the CA certificate, and client installation failed.
Fix: The upgrade process no longer double-encodes the CA certificate.
Result: During client installation the CA certificate is correctly retrieved from the IdM server and installation continues.
Story Points: ---
Clone Of: 918262
Environment:
Last Closed: 2013-11-21 20:52:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 918262
Bug Blocks: 960054, 964128

Description Najmuddin Chirammal 2013-04-05 14:29:20 UTC
+++ This bug was initially created as a clone of Bug #918262 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3477

I found a situation where the CA certificate is stored in base64 encoding in a binary attribute, so for example, ldapsearch returns it double-encoded.

To duplicate this:

 * Install IPA (I tested with master)
 * ldapdelete ... cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
 * ipa-ldap-updater --plugins
 * ldapsearch -o ldif-wrap=no -x -b cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com

--- Additional comment from Martin Kosek on 2013-03-07 14:11:43 IST ---

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/f6f8307be282e96df4fa4f35e83f1ff17403cf86
ipa-3-1: https://fedorahosted.org/freeipa/changeset/80b544eb5a6dbb99620c0e196126c0d934134e7b

Comment 3 Martin Kosek 2013-04-22 08:40:08 UTC
*** Bug 947889 has been marked as a duplicate of this bug. ***

Comment 10 Namita Soman 2013-09-11 21:20:56 UTC
Verified using ipa-server-3.0.0-35

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: LDAP upload CA cert sometimes double-encodes the value bz964128 6.5 - bz 948928
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: ldapsearch for Cert (Expected 0, got 0)

# search result
:: [   PASS   ] :: Cert before deletion (Expected 0, got 0)
:: [   PASS   ] :: ldap delete cert (Expected 0, got 0)
# extended LDIF
#
# LDAPv3
# base <cn=CACert,cn=ipa,cn=etc,dc=testrelm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
matchedDN: cn=ipa,cn=etc,dc=testrelm,dc=com

# numResponses: 1
:: [   PASS   ] :: Making sure cert is deleted (Expected 32, got 32)

:: [   PASS   ] :: Running ldap-updater with --plugins (Expected 0, got 0)
:: [   PASS   ] :: ldapsearch for Cert after ldap-updater (Expected 0, got 0)

# search result
:: [   PASS   ] :: Cert after deletion (Expected 0, got 0)
:: [   PASS   ] :: Files /tmp/tmp.9tRte31EBW/sfile1 and /tmp/tmp.9tRte31EBW/sfile2 should not differ
:: [   PASS   ] :: CA cert is not double-encoded
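The condition the description reports and the "CA cert is not double-encoded" step above verifies can be checked directly on an ldapsearch dump: decode the `cACertificate;binary` value once and see whether the result is DER or is itself base64 text. This is an added example, not FreeIPA's code; it assumes the LDIF line folding shown in the log above, uses a constructed stand-in (`FAKE_DER`) instead of a real certificate, and `looks_like_der` is a minimal heuristic rather than a DER parser.

```python
# Added example, not FreeIPA's own code: decide whether the cACertificate;binary
# value returned by ldapsearch holds DER (correct) or base64 text (double-encoded).
import base64

def fold(line, width=76):
    """Fold one line the way ldapsearch does: continuation lines start with a space."""
    return "\n ".join([line[:width]] + [line[i:i + width - 1] for i in range(width, len(line), width - 1)])

def unfold_ldif(ldif):
    """Join folded continuation lines; return {attribute: text after the first ':'}."""
    attrs, cur = {}, None
    for line in ldif.splitlines():
        if line.startswith(" ") and cur is not None:
            attrs[cur] += line[1:]
        elif line and not line.startswith("#"):
            cur, _, value = line.partition(":")
            attrs[cur] = value
    return attrs

def looks_like_der(data):
    """Minimal DER heuristic (assumption): top-level SEQUENCE whose length spans the buffer."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:
        return 2 + data[1] == len(data)
    n = data[1] & 0x7F
    return 1 <= n <= 4 and 2 + n + int.from_bytes(data[2:2 + n], "big") == len(data)

def classify_cert_value(raw):
    """Return 'der', 'double-encoded' or 'invalid' for the text after 'cACertificate;binary:'."""
    if not raw.startswith(":"):
        return "invalid"                       # a binary attribute must be base64 ('::')
    try:
        once = base64.b64decode(raw[1:].strip(), validate=True)
    except ValueError:                         # binascii.Error is a ValueError
        return "invalid"
    if looks_like_der(once):
        return "der"
    # The buggy updater stored base64 *text* in the binary attribute, so decoding that text again yields DER.
    try:
        twice = base64.b64decode(b"".join(once.split()), validate=True)
    except ValueError:
        return "invalid"
    return "double-encoded" if looks_like_der(twice) else "invalid"

# Constructed stand-in for a DER certificate: SEQUENCE header (length 256) plus filler bytes.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
ENTRY = "dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com\n"
GOOD_LDIF = ENTRY + fold("cACertificate;binary:: " + base64.b64encode(FAKE_DER).decode())
BAD_LDIF = ENTRY + fold("cACertificate;binary:: " + base64.b64encode(base64.b64encode(FAKE_DER)).decode())
```

Run against the output of the page's `ldapsearch -x -b cn=CAcert,cn=ipa,cn=etc,...` command, `classify_cert_value` returns "double-encoded" for an entry written by the affected updater and "der" for a correct one.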

Comment 12 errata-xmlrpc 2013-11-21 20:52:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html