Hide Forgot
+++ This bug was initially created as a clone of Bug #1032315 +++ This bug is created as a clone of upstream ticket: https://fedorahosted.org/389/ticket/47596 When doing client cert based authentication for replication or chaining, and attrcrypt attempts to find the server's cert and key, it can get confused and attempt to use the wrong key. Apparently in openldap's NSS implementation, the cert can end up on a token that has not been logged out, and the server will try to read the pin for the token/slot on stdin.
Hi Rich, can you add steps to verify this bugzilla?
(In reply to Sankar Ramalingam from comment #1) > Hi Rich, can you add steps to verify this bugzilla? I'm not sure. I see this every time I run the mmrepl/accept/accept.sh test. It seems to have something to do with using server to server client cert auth with replication, and using attribute encryption.
(In reply to Rich Megginson from comment #2) > (In reply to Sankar Ramalingam from comment #1) > > Hi Rich, can you add steps to verify this bugzilla? > > I'm not sure. I see this every time I run the mmrepl/accept/accept.sh test. > It seems to have something to do with using server to server client cert > auth with replication, and using attribute encryption. There are two test failures currently reported. I am not sure whether this is related to attribute encryption. Do you have test case failure details that you encountered? dn: nsuniqueid=698c9222-84d411e3-92278292-18165987,cn=bug914305,o=airius.com Search for tombstone entry Try to delete tombstone entry: nsuniqueid=698c9222-84d411e3-92278292-18165987,cn=bug914305,o=airius.com. ldap_delete: Operations error bug914305: expect=0 actual=1 FAIL stopped slapd-s1 TestCase [bug1009122] result-> [FAIL]
(In reply to Sankar Ramalingam from comment #4) > (In reply to Rich Megginson from comment #2) > > (In reply to Sankar Ramalingam from comment #1) > > > Hi Rich, can you add steps to verify this bugzilla? > > > > I'm not sure. I see this every time I run the mmrepl/accept/accept.sh test. > > It seems to have something to do with using server to server client cert > > auth with replication, and using attribute encryption. > > There are two test failures currently reported. I am not sure whether this > is related to attribute encryption. Do you have test case failure details > that you encountered? > > dn: nsuniqueid=698c9222-84d411e3-92278292-18165987,cn=bug914305,o=airius.com > Search for tombstone entry > Try to delete tombstone entry: > nsuniqueid=698c9222-84d411e3-92278292-18165987,cn=bug914305,o=airius.com. > ldap_delete: Operations error > bug914305: expect=0 actual=1 > FAIL > > stopped slapd-s1 > TestCase [bug1009122] result-> [FAIL] This is a different issue. If bug1009122 is the first test failure, then the test run proceeded well past the failure caused by the cert attrcrypt issue.
One of the failures reported in mmrepl/accept is not related to attribute encryption. Which is the actual test failure for bug1009122, which is a clone of bug1009679. I am currently troubleshooting this failure. Another failure reported with mmrepl/accept is related to deleting tombstone entry. which is bug914305. This is also not related to attribute encryption. Hence, marking the bug as verified. Build tested - 389-ds-base-1.3.1.6-18.
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.