RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1032316 - attrcrypt fails to find unlocked key
Summary: attrcrypt fails to find unlocked key
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact: Sankar Ramalingam
URL:
Whiteboard:
Depends On: 1032315
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-11-20 00:37 UTC by Rich Megginson
Modified: 2020-09-13 20:50 UTC (History)
4 users (show)

Fixed In Version: 389-ds-base-1.3.1.6-12.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1032315
Environment:
Last Closed: 2014-06-13 12:06:19 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 933 0 None None None 2020-09-13 20:50:32 UTC

Description Rich Megginson 2013-11-20 00:37:48 UTC 
+++ This bug was initially created as a clone of Bug #1032315 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47596

When doing client cert based authentication for replication or chaining, and attrcrypt attempts to find the server's cert and key, it can get confused and attempt to use the wrong key.  Apparently in openldap's NSS implementation, the cert can end up on a token that has not been logged out, and the server will try to read the pin for the token/slot on stdin.
Comment 1 Sankar Ramalingam 2013-11-25 17:25:44 UTC 
Hi Rich, can you add steps to verify this bugzilla?
Comment 2 Rich Megginson 2013-11-25 17:30:03 UTC 
(In reply to Sankar Ramalingam from comment #1)
> Hi Rich, can you add steps to verify this bugzilla?

I'm not sure.  I see this every time I run the mmrepl/accept/accept.sh test.  It seems to have something to do with using server to server client cert auth with replication, and using attribute encryption.
Comment 4 Sankar Ramalingam 2014-02-01 03:50:24 UTC 
(In reply to Rich Megginson from comment #2)
> (In reply to Sankar Ramalingam from comment #1)
> > Hi Rich, can you add steps to verify this bugzilla?
> 
> I'm not sure.  I see this every time I run the mmrepl/accept/accept.sh test.
> It seems to have something to do with using server to server client cert
> auth with replication, and using attribute encryption.

There are two test failures currently reported. I am not sure whether this is related to attribute encryption. Do you have test case failure details that you encountered?

dn: nsuniqueid=698c9222-84d411e3-92278292-18165987,cn=bug914305,o=airius.com
Search for tombstone entry
Try to delete tombstone entry: nsuniqueid=698c9222-84d411e3-92278292-18165987,cn=bug914305,o=airius.com.
ldap_delete: Operations error
bug914305: expect=0 actual=1
FAIL

stopped slapd-s1
TestCase [bug1009122] result-> [FAIL]
Comment 5 Rich Megginson 2014-02-03 15:33:46 UTC 
(In reply to Sankar Ramalingam from comment #4)
> (In reply to Rich Megginson from comment #2)
> > (In reply to Sankar Ramalingam from comment #1)
> > > Hi Rich, can you add steps to verify this bugzilla?
> > 
> > I'm not sure.  I see this every time I run the mmrepl/accept/accept.sh test.
> > It seems to have something to do with using server to server client cert
> > auth with replication, and using attribute encryption.
> 
> There are two test failures currently reported. I am not sure whether this
> is related to attribute encryption. Do you have test case failure details
> that you encountered?
> 
> dn: nsuniqueid=698c9222-84d411e3-92278292-18165987,cn=bug914305,o=airius.com
> Search for tombstone entry
> Try to delete tombstone entry:
> nsuniqueid=698c9222-84d411e3-92278292-18165987,cn=bug914305,o=airius.com.
> ldap_delete: Operations error
> bug914305: expect=0 actual=1
> FAIL
> 
> stopped slapd-s1
> TestCase [bug1009122] result-> [FAIL]

This is a different issue.  If bug1009122 is the first test failure, then the test run proceeded well past the failure caused by the cert attrcrypt issue.
Comment 6 Sankar Ramalingam 2014-02-14 11:28:13 UTC 
One of the failures reported in mmrepl/accept is not related to attribute encryption. Which is the actual test failure for bug1009122, which is a clone of bug1009679. I am currently troubleshooting this failure.

Another failure reported with mmrepl/accept is related to deleting tombstone entry. which is bug914305. This is also not related to attribute encryption.

Hence, marking the bug as verified.
Build tested - 389-ds-base-1.3.1.6-18.
Comment 7 Ludek Smid 2014-06-13 12:06:19 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Note You need to log in before you can comment on or make changes to this bug.