Bug 1032316 - attrcrypt fails to find unlocked key
attrcrypt fails to find unlocked key
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
7.0
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Rich Megginson
Sankar Ramalingam
:
Depends On: 1032315
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-19 19:37 EST by Rich Megginson
Modified: 2014-06-17 23:01 EDT (History)
4 users (show)

See Also:
Fixed In Version: 389-ds-base-1.3.1.6-12.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1032315
Environment:
Last Closed: 2014-06-13 08:06:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Rich Megginson 2013-11-19 19:37:48 EST
+++ This bug was initially created as a clone of Bug #1032315 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47596

When doing client cert based authentication for replication or chaining, and attrcrypt attempts to find the server's cert and key, it can get confused and attempt to use the wrong key.  Apparently in openldap's NSS implementation, the cert can end up on a token that has not been logged out, and the server will try to read the pin for the token/slot on stdin.
Comment 1 Sankar Ramalingam 2013-11-25 12:25:44 EST
Hi Rich, can you add steps to verify this bugzilla?
Comment 2 Rich Megginson 2013-11-25 12:30:03 EST
(In reply to Sankar Ramalingam from comment #1)
> Hi Rich, can you add steps to verify this bugzilla?

I'm not sure.  I see this every time I run the mmrepl/accept/accept.sh test.  It seems to have something to do with using server to server client cert auth with replication, and using attribute encryption.
Comment 4 Sankar Ramalingam 2014-01-31 22:50:24 EST
(In reply to Rich Megginson from comment #2)
> (In reply to Sankar Ramalingam from comment #1)
> > Hi Rich, can you add steps to verify this bugzilla?
> 
> I'm not sure.  I see this every time I run the mmrepl/accept/accept.sh test.
> It seems to have something to do with using server to server client cert
> auth with replication, and using attribute encryption.

There are two test failures currently reported. I am not sure whether this is related to attribute encryption. Do you have test case failure details that you encountered?

dn: nsuniqueid=698c9222-84d411e3-92278292-18165987,cn=bug914305,o=airius.com
Search for tombstone entry
Try to delete tombstone entry: nsuniqueid=698c9222-84d411e3-92278292-18165987,cn=bug914305,o=airius.com.
ldap_delete: Operations error
bug914305: expect=0 actual=1
FAIL

stopped slapd-s1
TestCase [bug1009122] result-> [FAIL]
Comment 5 Rich Megginson 2014-02-03 10:33:46 EST
(In reply to Sankar Ramalingam from comment #4)
> (In reply to Rich Megginson from comment #2)
> > (In reply to Sankar Ramalingam from comment #1)
> > > Hi Rich, can you add steps to verify this bugzilla?
> > 
> > I'm not sure.  I see this every time I run the mmrepl/accept/accept.sh test.
> > It seems to have something to do with using server to server client cert
> > auth with replication, and using attribute encryption.
> 
> There are two test failures currently reported. I am not sure whether this
> is related to attribute encryption. Do you have test case failure details
> that you encountered?
> 
> dn: nsuniqueid=698c9222-84d411e3-92278292-18165987,cn=bug914305,o=airius.com
> Search for tombstone entry
> Try to delete tombstone entry:
> nsuniqueid=698c9222-84d411e3-92278292-18165987,cn=bug914305,o=airius.com.
> ldap_delete: Operations error
> bug914305: expect=0 actual=1
> FAIL
> 
> stopped slapd-s1
> TestCase [bug1009122] result-> [FAIL]

This is a different issue.  If bug1009122 is the first test failure, then the test run proceeded well past the failure caused by the cert attrcrypt issue.
Comment 6 Sankar Ramalingam 2014-02-14 06:28:13 EST
One of the failures reported in mmrepl/accept is not related to attribute encryption. Which is the actual test failure for bug1009122, which is a clone of bug1009679. I am currently troubleshooting this failure.

Another failure reported with mmrepl/accept is related to deleting tombstone entry. which is bug914305. This is also not related to attribute encryption.

Hence, marking the bug as verified.
Build tested - 389-ds-base-1.3.1.6-18.
Comment 7 Ludek Smid 2014-06-13 08:06:19 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.