Bug 1112698 - Broken dereference control with the FreeIPA 4.0 ACIs
Summary: Broken dereference control with the FreeIPA 4.0 ACIs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 1112702 1112824
 
Reported: 2014-06-24 13:55 UTC by Martin Kosek
Modified: 2014-10-14 07:32 UTC

Fixed In Version: ipa-3.0.0-42.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1112702
Environment:
Last Closed: 2014-10-14 07:32:59 UTC
Target Upstream Version:




Links
System ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2014:1383 | normal | SHIPPED_LIVE | ipa bug fix and enhancement update | 2014-10-14 01:21:36 UTC

Description Martin Kosek 2014-06-24 13:55:37 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4389

I've been triaging a login error issue mkosek had today and I believe the problem is actually on the server side. I'm not sure if it's in IPA (due to the new ACIs maybe) or 389DS.

With the latest F20 IPA + 389DS combination I've been unable to use the OpenLDAP dereference control:
{{{
ldapsearch -Y GSSAPI -h vm-236.idm.lab.eng.brq.redhat.com -b fqdn=vm-086.idm.lab.bos.redhat.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com -E 'deref=managedBy:objectClass'
}}}

Normally, what the result should be is a tuple of dereferenced DN and the requested attribute (objectClass in this case). I'm only seeing the DN, though.

What I expect to see in the result is:
{{{
# vm-067.idm.lab.bos.redhat.com, computers, accounts, idm.lab.bos.redhat.com
dn: fqdn=vm-067.idm.lab.bos.redhat.com,cn=computers,cn=accounts,dc=idm,dc=lab,
 dc=bos,dc=redhat,dc=com
control: 1.3.6.1.4.1.4203.666.5.16 false MIQAAAEeMIQAAAEYBAltYW5hZ2VkQnkEYWZxZ
 G49dm0tMDY3LmlkbS5sYWIuYm9zLnJlZGhhdC5jb20sY249Y29tcHV0ZXJzLGNuPWFjY291bnRzLG
 RjPWlkbSxkYz1sYWIsZGM9Ym9zLGRjPXJlZGhhdCxkYz1jb22ghAAAAKQwhAAAAJ4EC29iamVjdEN
 sYXNzMYQAAACLBAN0b3AECWlwYW9iamVjdAQGbnNob3N0BAdpcGFob3N0BAppcGFzZXJ2aWNlBAdw
 a2l1c2VyBA9rcmJwcmluY2lwYWxhdXgEDGtyYnByaW5jaXBhbAQSa3JidGlja2V0cG9saWN5YXV4B
 AppcGFzc2hob3N0BBRpcGFTc2hHcm91cE9mUHViS2V5cw==
# managedBy: <objectClass=top>;<objectClass=ipaobject>;<objectClass=nshost>;<
 objectClass=ipahost>;<objectClass=ipaservice>;<objectClass=pkiuser>;<objectC
 lass=krbprincipalaux>;<objectClass=krbprincipal>;<objectClass=krbticketpolic
 yaux>;<objectClass=ipasshhost>;<objectClass=ipaSshGroupOfPubKeys>;fqdn=vm-06
 7.idm.lab.bos.redhat.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=re
 dhat,dc=com
}}}

That works with ipa-server-3.3.3-28.el7.x86_64 and 389-ds-base-1.3.1.6-25.el7.x86_64.

What I'm seeing with freeipa-server-3.3.90GITfaf8f1e-0.fc20.x86_64 and 389-ds-base-1.3.2.16-1.fc20.x86_64 is
{{{
# vm-086.idm.lab.bos.redhat.com, computers, accounts, idm.lab.eng.brq.redhat.
 com
dn: fqdn=vm-086.idm.lab.bos.redhat.com,cn=computers,cn=accounts,dc=idm,dc=lab,
 dc=eng,dc=brq,dc=redhat,dc=com
control: 1.3.6.1.4.1.4203.666.5.16 false MIQAAAB7MIQAAAB1BAltYW5hZ2VkQnkEaGZxZ
 G49dm0tMDg2LmlkbS5sYWIuYm9zLnJlZGhhdC5jb20sY249Y29tcHV0ZXJzLGNuPWFjY291bnRzLG
 RjPWlkbSxkYz1sYWIsZGM9ZW5nLGRjPWJycSxkYz1yZWRoYXQsZGM9Y29t
# managedBy: fqdn=vm-086.idm.lab.bos.redhat.com,cn=computers,cn=accounts,dc=i
 dm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
}}}
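
The difference between the two outputs above is easier to see in the control value itself than in the `# managedBy:` comment line that ldapsearch prints. The decoder below is an added example, not part of this bug report, FreeIPA or 389-ds: it parses the dereference control response (OID 1.3.6.1.4.1.4203.666.5.16) using the BER layout from draft-masarati-ldap-deref, where each DerefRes is SEQUENCE { derefAttr, derefVal, attrVals [0] OPTIONAL }. The three base64 values are copied verbatim from the ldapsearch output in this bug (the working 3.3.3 result, the broken F20 result, and the verified el6 result from Comment 4); everything else (function names, the `deref_returned_values` check) is the example's own.

```python
import base64

# Dereference control values copied from the ldapsearch output in this bug.
# LDIF continuation lines (leading space) have been joined.
WORKING_CONTROL_B64 = (  # ipa-server-3.3.3-28.el7 + 389-ds-base-1.3.1.6-25.el7
    "MIQAAAEeMIQAAAEYBAltYW5hZ2VkQnkEYWZxZ"
    "G49dm0tMDY3LmlkbS5sYWIuYm9zLnJlZGhhdC5jb20sY249Y29tcHV0ZXJzLGNuPWFjY291bnRzLG"
    "RjPWlkbSxkYz1sYWIsZGM9Ym9zLGRjPXJlZGhhdCxkYz1jb22ghAAAAKQwhAAAAJ4EC29iamVjdEN"
    "sYXNzMYQAAACLBAN0b3AECWlwYW9iamVjdAQGbnNob3N0BAdpcGFob3N0BAppcGFzZXJ2aWNlBAdw"
    "a2l1c2VyBA9rcmJwcmluY2lwYWxhdXgEDGtyYnByaW5jaXBhbAQSa3JidGlja2V0cG9saWN5YXV4B"
    "AppcGFzc2hob3N0BBRpcGFTc2hHcm91cE9mUHViS2V5cw=="
)
BROKEN_CONTROL_B64 = (  # freeipa-server-3.3.90GIT + 389-ds-base-1.3.2.16-1.fc20
    "MIQAAAB7MIQAAAB1BAltYW5hZ2VkQnkEaGZxZ"
    "G49dm0tMDg2LmlkbS5sYWIuYm9zLnJlZGhhdC5jb20sY249Y29tcHV0ZXJzLGNuPWFjY291bnRzLG"
    "RjPWlkbSxkYz1sYWIsZGM9ZW5nLGRjPWJycSxkYz1yZWRoYXQsZGM9Y29t"
)
VERIFIED_CONTROL_B64 = (  # ipa-server-3.0.0-42.el6, Comment 4
    "MIQAAAEOMIQAAAEIBAltYW5hZ2VkQnkEUWZxZ"
    "G49bWFzdGVyLmlwYTEuZXhhbXBsZS50ZXN0LGNuPWNvbXB1dGVycyxjbj1hY2NvdW50cyxkYz1pcG"
    "ExLGRjPWV4YW1wbGUsZGM9dGVzdKCEAAAApDCEAAAAngQLb2JqZWN0Q2xhc3MxhAAAAIsEA3RvcAQ"
    "JaXBhb2JqZWN0BAZuc2hvc3QEB2lwYWhvc3QECmlwYXNlcnZpY2UEB3BraXVzZXIED2tyYnByaW5j"
    "aXBhbGF1eAQMa3JicHJpbmNpcGFsBBJrcmJ0aWNrZXRwb2xpY3lhdXgECmlwYXNzaGhvc3QEFGlwY"
    "VNzaEdyb3VwT2ZQdWJLZXlz"
)


def _read_tlv(buf, pos):
    """Read one BER TLV at buf[pos:]; return (tag, value_bytes, next_pos).

    Only definite-form lengths are accepted: 389-ds emits long-form lengths
    (0x84 followed by 4 bytes), OpenLDAP emits short form; both are handled.
    """
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite-length BER is not used in the deref control")
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def _iter_tlvs(buf):
    """Yield every (tag, value) pair directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def parse_deref_control(b64value):
    """Decode a dereference control response value.

    Returns a list of (derefAttr, derefVal, {attrType: [values]}) triples,
    one per DerefRes.  An empty dict means the server returned the
    dereferenced DN but none of the requested attribute values.
    """
    raw = base64.b64decode(b64value)
    tag, body, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("control value is not a single SEQUENCE")
    results = []
    for tag, deref_res in _iter_tlvs(body):
        if tag != 0x30:
            raise ValueError("DerefRes must be a SEQUENCE")
        fields = list(_iter_tlvs(deref_res))
        deref_attr = fields[0][1].decode("utf-8")   # derefAttr: OCTET STRING
        deref_val = fields[1][1].decode("utf-8")    # derefVal: LDAPDN
        attrs = {}
        # attrVals is OPTIONAL, context tag [0] constructed (0xA0): a
        # SEQUENCE OF PartialAttribute { type, vals SET OF value }.
        if len(fields) > 2 and fields[2][0] == 0xA0:
            for _, partial in _iter_tlvs(fields[2][1]):
                ptype, pvals = list(_iter_tlvs(partial))[:2]
                attr_type = ptype[1].decode("utf-8")
                attrs[attr_type] = [v.decode("utf-8") for _, v in _iter_tlvs(pvals[1])]
        results.append((deref_attr, deref_val, attrs))
    return results


def deref_returned_values(b64value, attr):
    """True if at least one DerefRes carries values for the requested attr."""
    return any(attrs.get(attr) for _, _, attrs in parse_deref_control(b64value))


if __name__ == "__main__":
    for name, blob in (("working", WORKING_CONTROL_B64),
                       ("broken", BROKEN_CONTROL_B64),
                       ("verified", VERIFIED_CONTROL_B64)):
        for deref_attr, deref_val, attrs in parse_deref_control(blob):
            print(f"{name}: {deref_attr} -> {deref_val}")
            for attr_type, values in attrs.items():
                print(f"  {attr_type}: {values}")
        print(f"  objectClass values present: {deref_returned_values(blob, 'objectClass')}")
```

Run stand-alone it prints the decoded DN and attribute values for each blob; the broken F20 value decodes to a DerefRes with no `[0]` attrVals element at all, which is exactly what the `# managedBy:` line without `<objectClass=...>` prefixes reflects. A check like `deref_returned_values` is a cheap way to confirm, after an ACI change, that the bound identity can still read the attributes it asks the control to dereference.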

Comment 1 Martin Kosek 2014-06-24 13:58:23 UTC
Within this bug, we will just set the proper Requires on 389-ds-base fixed in Bug 1112702. That said, SanityOnly test is sufficient.

Comment 2 Petr Viktorin 2014-07-04 17:01:40 UTC
Spec file fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/5434851efd394c27ab6445a4b7544767452e20a5

Comment 4 Scott Poore 2014-07-21 18:13:58 UTC
Verified.

Version ::

ipa-server-3.0.0-42.el6.x86_64

Results ::

[root@rhel6-1 ~]# rpm -q --requires ipa-server|grep 389
389-ds-base >= 1.2.11.15-38

[root@rhel6-1 ~]# ipa-server-install --setup-dns --forwarder=$DNSFORWARD --hostname=$MASTER \
>     -r $REALM -n $DOMAIN -p Secret123 -P Secret123 -a Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host master.ipa1.example.test
Using reverse zone 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      master.ipa1.example.test
IP address:    192.168.122.61
Domain name:   ipa1.example.test
Realm name:    IPA1.EXAMPLE.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    192.168.122.1
Reverse zone:  122.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
  [16/21]: requesting RA certificate from CA
  [17/21]: issuing RA agent certificate
  [18/21]: adding RA agent as a trusted user
  [19/21]: configure certificate renewals
  [20/21]: configure Server-Cert certificate renewal
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: disabling betxn plugins
  [10/38]: configuring uniqueness plugin
  [11/38]: configuring uuid plugin
  [12/38]: configuring modrdn plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: restarting directory server
  [22/38]: adding default layout
  [23/38]: adding delegation layout
  [24/38]: adding replication acis
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: Upload CA cert to the directory
  [33/38]: initializing group membership
  [34/38]: adding master entry
  [35/38]: configuring Posix uid/gid generation
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/13]: setting mod_nss port to 443
  [2/13]: setting mod_nss password file
  [3/13]: enabling mod_nss renegotiate
  [4/13]: adding URL rewriting rules
  [5/13]: configuring httpd
  [6/13]: setting up ssl
  [7/13]: setting up browser autoconfig
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@rhel6-1 ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

[root@rhel6-1 ~]# kinit admin
Password for admin@IPA1.EXAMPLE.TEST: 

[root@rhel6-1 ~]# ldapsearch -Y GSSAPI -h $(hostname) -b "fqdn=$(hostname),cn=computers,cn=accounts,dc=ipa1,dc=example,dc=test" -E 'deref=managedBy:objectClass'
SASL/GSSAPI authentication started
SASL username: admin@IPA1.EXAMPLE.TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <fqdn=master.ipa1.example.test,cn=computers,cn=accounts,dc=ipa1,dc=example,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with dereference control
#

# master.ipa1.example.test, computers, accounts, ipa1.example.test
dn: fqdn=master.ipa1.example.test,cn=computers,cn=accounts,dc=ipa1,dc=example,
 dc=test
control: 1.3.6.1.4.1.4203.666.5.16 false MIQAAAEOMIQAAAEIBAltYW5hZ2VkQnkEUWZxZ
 G49bWFzdGVyLmlwYTEuZXhhbXBsZS50ZXN0LGNuPWNvbXB1dGVycyxjbj1hY2NvdW50cyxkYz1pcG
 ExLGRjPWV4YW1wbGUsZGM9dGVzdKCEAAAApDCEAAAAngQLb2JqZWN0Q2xhc3MxhAAAAIsEA3RvcAQ
 JaXBhb2JqZWN0BAZuc2hvc3QEB2lwYWhvc3QECmlwYXNlcnZpY2UEB3BraXVzZXIED2tyYnByaW5j
 aXBhbGF1eAQMa3JicHJpbmNpcGFsBBJrcmJ0aWNrZXRwb2xpY3lhdXgECmlwYXNzaGhvc3QEFGlwY
 VNzaEdyb3VwT2ZQdWJLZXlz
# managedBy: <objectClass=top>;<objectClass=ipaobject>;<objectClass=nshost>;<
 objectClass=ipahost>;<objectClass=ipaservice>;<objectClass=pkiuser>;<objectC
 lass=krbprincipalaux>;<objectClass=krbprincipal>;<objectClass=krbticketpolic
 yaux>;<objectClass=ipasshhost>;<objectClass=ipaSshGroupOfPubKeys>;fqdn=maste
 r.ipa1.example.test,cn=computers,cn=accounts,dc=ipa1,dc=example,dc=test

cn: master.ipa1.example.test
objectClass: top
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: ipaservice
objectClass: pkiuser
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: krbticketpolicyaux
objectClass: ipasshhost
objectClass: ipaSshGroupOfPubKeys
krbLastPwdChange: 20140721173410Z
fqdn: master.ipa1.example.test
managedBy: fqdn=master.ipa1.example.test,cn=computers,cn=accounts,dc=ipa1,dc=e
 xample,dc=test
krbExtraData:: AAIST81Tcm9vdC9hZG1pbkBJUEExLkVYQU1QTEUuVEVTVAA=
krbPrincipalName: host/master.ipa1.example.test@IPA1.EXAMPLE.TEST
serverHostName: master
ipaUniqueID: 39ad08b8-10fd-11e4-a866-0000c0a87a3d
krbLastSuccessfulAuth: 20140721180720Z
ipaSshPubKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5tB3d/zF8RXKetLMaFUIuKWBeHEY
 7U0ZZpQIjszl9V9DF+m+1EnRArk1hgMdZrfYjjZmj1zab0MxBaVdMvXUIInzNkPHIxSyzsrnwz9i8
 S2Tz0zLsvR31byqFqgqKCe454P/Qcq89XwzGJHFQdu7RT6iO34HqSnQK6TCzgQgSmn1oQL60hjYwQ
 CQos7vA61CnB03C+3L/nQRcJ7QRutIy2rtS6SKBGPUlNZdgc6pUanWmF+sRIItNhQDDOGwX3FR9In
 U/7abJVTCTQv8dR8IDiSke+YjdggkLHXnTYYlovneSa44l6+lekmJpYr9XaQ/kcPswv0dlvVIKWiV
 nCGUWw==
ipaSshPubKey: ssh-dss AAAAB3NzaC1kc3MAAACBAP4jMl3UrmanG5WVQJP068daa9rDRSdtOAzE
 cltYEuEaxP4D5gm1k+ANsaMmxR7tNNloFUKiYRMYmjStFyyGMOQ1p5BLUgtKJeD/tNBDqtQ3nvn0r
 Awl2sxnuNY3ly6pvgBHj5diq7ifQvoFz6ytAkXyJmAggUnOu4J+nka4/4hJAAAAFQCaS3KCpEuzU6
 RoqdoJFpZy5/Q95QAAAIEAv0n2quWl8tjAwF4HKOvOTtrszHPURTM+Adx2y/2KGGKmGOrA/h/I+HF
 EUDvMilQKXn6NfxRTg6Ce1b8AlS2eGC67oY4nRc9ddv9yYIZVFv9c5v5eTfSdCynTQZOrPlYuRe4a
 bSVOyBgk54peOTzkAoiGC1cl9LVQsJdTrh+7c+YAAACBAIsACHSOInsmz2o2faiOKBzW/IxQhmk74
 ZkAdFsKR17dyW1WEj3FzMm8wd+DD5ZMIKebpu74gyqVXr+9ajK98CdIX9b89ZCtdVX05z0R5sOo4+
 FCtX0r6dDfaVyxu3Rz2HP61GPngwDAHK/Vfa6ym4YuLWn3TKv4LlBcq0xXkW2q

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

Comment 6 errata-xmlrpc 2014-10-14 07:32:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1383.html

