Bug 1658302 - ipaldap: invalid modlist when attribute encoding can vary
Summary: ipaldap: invalid modlist when attribute encoding can vary
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
: 8.0
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-12-11 17:27 UTC by Thomas Woerner
Modified: 2019-06-14 01:44 UTC (History)
CC List: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-14 01:44:10 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Thomas Woerner 2018-12-11 17:27:22 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/7750

ipaldap does not take into account the possibility of the attribute encoding
as returned by 389DS differing from the attribute encoding produced by FreeIPA.
This can occur especially in DNs that require escaping of special characters.
For example, 389DS escapes special characters using hex encoding:

CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU

Whereas FreeIPA escapes the character directly.

CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU

Therefore it is possible to generate an invalid modlist. For example, during
external CA certificate renewal, if the issuer DN includes a comma in one of the
attribute values (as above), an invalid modlist will be generated:

[ (ldap.MOD_ADD, 'ipacaissuerdn', [b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU'])
, (ldap.MOD_DELETE, 'ipacaissuerdn', [b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU'])
]

In the above case, the attribute already exists, and LDAP error 20 (attributeOrValueExists)
occurs.

Comment 3 Fraser Tweedale 2019-01-02 04:43:28 UTC
Kaleem,

To verify this bug, follow the transcript below.

1) On the server, kinit (the user doesn't really matter)

  [f29-0:~] ftweedal% kinit admin
  Password for admin: XXXXXXXX


2) Fire up the python REPL and initialise the API
 
  [f29-0:~] ftweedal% python3
  Python 3.7.1 (default, Nov 23 2018, 10:01:49)
  [GCC 8.2.1 20181105 (Red Hat 8.2.1-5)] on linux
  Type "help", "copyright", "credits" or "license" for more information.
  >>> from ipalib import api
  >>> api.bootstrap(context='cli', in_server=True)
  ipa: ERROR: Cannot open log file '/var/log/ipa/cli.log': [Errno 13] Permission denied: '/var/log/ipa/cli.log'
  >>> api.finalize()


3) Connect LDAP and create an LDAPEntry object.  We are not actually going to
   add the entry to the database; we just need it to test the modlist generation.

>>> api.Backend.ldap2.connect()
>>> from ipapython.ipaldap import LDAPEntry
>>> from ipapython.dn import DN
>>> entry = LDAPEntry(api.Backend.ldap2, DN('cn=fake'), cn='fake')


4) Add an attribute that uses distinguished name syntax.  We assign a
   RAW value, using a serialisation that DIFFERS from what the
   ipapython.dn.DN type would produce.

>>> entry.raw['distinguishedName'] = [b'O=Red Hat\\2C Inc.']


5) Trick the entry into believing that that value was part of the original
   data we received from LDAP.

>>> entry.reset_modlist()


6) Assign the distinguishedName value back onto itself.

>>> entry['distinguishedName'] = [entry['distinguishedName'][0]]


7) Generate the modlist.  We expect to see a delete, and an add.  The values are in fact
   equal, but have different serialisations.  The delete (represented by '1')
   MUST COME BEFORE the add (represented by '0').

>>> entry.generate_modlist()
[(1, 'distinguishedName', [b'O=Red Hat\\2C Inc.']), (0, 'distinguishedName', [b'O=Red Hat\\, Inc.'])]


Possible outcomes:

- If the output is as above, fix is verified.

- If the add (operation '0') precedes the delete ('1'), fail QA.

- If you get anything else, please needinfo me for further clarification.

HTH,
Fraser
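
The following is an added, standalone example and not FreeIPA's own code: it models the modlist generation that the description and the verification transcript above exercise, using a small DN parser that accepts both the hex escape 389-DS returns ("\2C") and the backslash-character escape FreeIPA's DN type produces ("\,"). It defines python-ldap's operation codes inline (assumption: MOD_ADD is 0 and MOD_DELETE is 1, matching the transcript output) so it runs without python-ldap or ipapython installed; DNAttrEntry, parse_dn, normalize_dn, escape_value and dn_key are names chosen for this example. It goes slightly beyond the transcript by also covering a value that is genuinely removed or added, and an unchanged value that must yield an empty modlist.

```python
import re

# python-ldap's operation codes (ldap.MOD_ADD == 0, ldap.MOD_DELETE == 1), defined
# inline so the example runs without python-ldap installed.
MOD_ADD = 0
MOD_DELETE = 1

# RFC 4514 characters that must be escaped inside an attribute value.
_SPECIALS = b',+"\\<>;'
_HEX_PAIR = re.compile(rb'[0-9A-Fa-f]{2}')


def parse_dn(raw: bytes) -> list:
    """Split a DN into (attribute type, decoded value) pairs.

    Accepts both escape styles: the hex form 389-DS returns ("\\2C") and the
    backslash-character form FreeIPA's DN type produces ("\\,").
    """
    rdns, buf, attr_type, in_value, i = [], bytearray(), b'', False, 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c == b'\\':
            pair = raw[i + 1:i + 3]
            if _HEX_PAIR.fullmatch(pair):
                buf += bytes([int(pair, 16)])   # \2C -> ','
                i += 3
            else:
                buf += raw[i + 1:i + 2]         # \, -> ','
                i += 2
            continue
        if not in_value and c == b'=':
            attr_type, buf, in_value = bytes(buf).strip(), bytearray(), True
        elif in_value and c == b',':
            rdns.append((attr_type, bytes(buf)))
            buf, in_value = bytearray(), False
        else:
            buf += c
        i += 1
    rdns.append((attr_type, bytes(buf)))
    return rdns


def escape_value(value: bytes) -> bytes:
    """Serialise a decoded value FreeIPA-style: a backslash followed by the character."""
    return b''.join(b'\\' + bytes([b]) if bytes([b]) in _SPECIALS else bytes([b]) for b in value)


def normalize_dn(raw: bytes) -> bytes:
    """Re-serialise a DN in FreeIPA's style; this is what assigning a DN back produces."""
    return b','.join(t + b'=' + escape_value(v) for t, v in parse_dn(raw))


def dn_key(raw: bytes) -> tuple:
    """Encoding-independent identity of a DN (attribute types compared case-insensitively)."""
    return tuple((t.lower(), v) for t, v in parse_dn(raw))


class DNAttrEntry:
    """Minimal stand-in for ipaldap.LDAPEntry covering a single DN-syntax attribute."""

    def __init__(self, attr: str, raw_from_ldap):
        self.attr = attr
        self.raw = list(raw_from_ldap)   # bytes exactly as the directory returned them
        self.reset_modlist()

    def reset_modlist(self):
        """Treat the current raw values as the baseline received from LDAP."""
        self._orig = list(self.raw)

    def set_values(self, values):
        """Assigning values re-serialises them, like entry[attr] = [...] in ipaldap."""
        self.raw = [normalize_dn(v) for v in values]

    def generate_modlist(self):
        orig_by_key = {dn_key(v): v for v in self._orig}
        new_by_key = {dn_key(v): v for v in self.raw}
        deletes, adds = [], []
        for key, old in orig_by_key.items():
            new = new_by_key.get(key)
            if new is None:
                deletes.append(old)      # value genuinely removed
            elif new != old:
                deletes.append(old)      # same DN, different encoding: swap the bytes,
                adds.append(new)         # deleting first so the add cannot hit error 20
        for key, new in new_by_key.items():
            if key not in orig_by_key:
                adds.append(new)         # value genuinely added
        modlist = []
        if deletes:
            modlist.append((MOD_DELETE, self.attr, deletes))
        if adds:
            modlist.append((MOD_ADD, self.attr, adds))
        return modlist


if __name__ == '__main__':
    # Constructed input mirroring the transcript: hex-escaped comma as 389-DS returns it.
    entry = DNAttrEntry('distinguishedName', [b'O=Red Hat\\2C Inc.'])
    entry.set_values([entry.raw[0]])     # assign the value back onto itself
    print(entry.generate_modlist())
```

Run as a script it prints the same delete-then-add pair the transcript expects. The point the comparison has to get right is that equality is decided on the decoded DN (dn_key), not on the bytes; only when the DNs are equal but the bytes differ is the stored value swapped, and the delete is always emitted ahead of the add so the directory never sees a second copy of a value it already holds.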

Comment 4 anuja 2019-01-22 06:46:02 UTC
Verified using :
ipa-server-4.7.1-10.module+el8+2699+aa606a46.x86_64

Verified using Steps:

[root@vm-idm-001 ~]# kinit admin
Password for admin: 

[root@vm-idm-001 ~]# python3
Python 3.6.8 (default, Jan 11 2019, 02:17:16) 
[GCC 8.2.1 20180905 (Red Hat 8.2.1-3)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from ipalib import api
>>> api.bootstrap(context='cli', in_server=True)
>>> api.finalize()
>>> api.Backend.ldap2.connect()
>>> from ipapython.ipaldap import LDAPEntry
>>> from ipapython.dn import DN
>>> entry = LDAPEntry(api.Backend.ldap2, DN('cn=fake'), cn='fake')
>>> entry.raw['distinguishedName'] = [b'O=Red Hat\\2C Inc.']
>>> entry.reset_modlist()
>>> entry['distinguishedName'] = [entry['distinguishedName'][0]]
>>> entry.generate_modlist()
[(1, 'distinguishedName', [b'O=Red Hat\\2C Inc.']), (0, 'distinguishedName', [b'O=Red Hat\\, Inc.'])]
>>> 

Based on this marking bz as verified.

