Bug 658832 - 389-ds-base 1.2.7 breaks ipa_pwd_extop
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ipa
Version: 14
Hardware: x86_64
OS: Linux
low
high
Target Milestone: ---
Assignee: Simo Sorce
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-12-01 12:48 UTC by Charles Leclerc
Modified: 2011-02-07 19:57 UTC

Fixed In Version: ipa-1.2.2-6.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-07 19:57:58 UTC
Type: ---
Embargoed:


Attachments
Rich's backport patch to fix ldap libs issues (15.39 KB, patch)
2011-01-28 19:19 UTC, Simo Sorce

Description Charles Leclerc 2010-12-01 12:48:52 UTC
The problem appeared after an update of 389-ds-base from 1.2.6.1-2 to 1.2.7-2, on Fedora 14 x86_64. The ipa-getkeytab command failed with an 'unable to set key' error. In the dirsrv error log, we found the following lines:

ipa_pwd_extop - encoding asn1 EncryptionKey failed
ipa_pwd_extop - encoding asn1 KrbSalt failed
ipa_pwd_extop - key encryption/encoding failed

Suspecting some update broke things, I did a fresh re-install, and had an issue in the ipa-server-install script (xxx replacing real values):

Unable to set admin password Command '/usr/lib64/mozldap/ldappasswd -D cn=Directory Manager -w xxx -P /etc/dirsrv/slapd-xxx//cert8.db -ZZZ -s xxx uid=admin,cn=users,cn=accounts,dc=internal,dc=mynet,dc=com' returned non-zero exit status 1 

The dirsrv error log was similar to the above.

The only workaround I found was to downgrade 389-ds-base to the previous working version (1.2.6.1-2), and things went back to normal.

Comment 1 Rob Crittenden 2010-12-01 20:49:16 UTC
What version of IPA is this?

Comment 2 Dmitri Pal 2010-12-01 20:52:16 UTC
Can you please provide more information about the IPA version you are using? Is it 1.2.x? If so then yes there might be some incompatibilities with latest 389. We are actively working on the v2 which is coming out pretty soon that will take advantage of the latest 389 changes. Sorry for the inconvenience.

Comment 3 Charles Leclerc 2010-12-02 06:33:49 UTC
It is the last ipa-1.2.2-5 from the updates repository.

Comment 4 Dmitri Pal 2010-12-02 22:11:44 UTC
Well, this is unfortunate but expected. Would you mind if I close the bug with WONTFIX? The issue will not be there when IPA v2 lands into Fedora.

Comment 5 Simo Sorce 2010-12-02 23:06:41 UTC
We are seeing the same problem with IPA v2 code.
It may be happening because 1.2.7 switched to use openldap libraries internally.
If the investigation on the v2 code yields a simple patch we will respin ipa 1.2.2 packages for F14 too.

Comment 6 Daniel Scott 2010-12-16 15:58:52 UTC
I'm seeing a similar (identical?) issue with a FreeIPA server upgraded from Fedora 13 to 14 when attempting to reset a user's password:

A database error occurred: Operations error: Failed to update password

The log file contains the following entries:
[16/Dec/2010:10:47:08 -0500] ipa_pwd_extop - encoding asn1 EncryptionKey failed
[16/Dec/2010:10:47:08 -0500] ipa_pwd_extop - encoding asn1 KrbSalt failed
[16/Dec/2010:10:47:08 -0500] ipa_pwd_extop - key encryption/encoding failed

Packages:
389-ds-base-1.2.7.4-1.fc14.x86_64
ipa-server-1.2.2-5.fc14.x86_64

Comment 7 Patrick Dubois 2010-12-29 01:58:12 UTC
I've also run into this issue while installing FreeIPA on Fedora 14. Running 'ipa-server-install --debug' confirms the asn1 encoding issue mentioned above.

Looking forward to V2.

Comment 8 Rich Megginson 2011-01-27 22:19:11 UTC
In order to reproduce the error, do I just have to run ipa-getkeytab?

Comment 9 Simo Sorce 2011-01-27 22:46:35 UTC
Usually that's enough to make the ipa-pwd-extop plugin operate and drag in the mozldap libraries. This in turn should cause issues as there are symbol names that conflict with openldap libs.
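
The condition described in comments 5 and 9 (one process with both the Mozilla LDAP and the OpenLDAP client libraries loaded) can be checked from the process's memory map. The following is an added example, not part of the bug report or of the 389-ds or IPA code; the library file-name patterns and the sample map (including the plugin path) are assumptions constructed for illustration.

```python
import re
import sys

# Library basename patterns (assumptions, not taken from the bug report):
# the Mozilla LDAP C SDK ships libldap60/libprldap60/libssldap60,
# OpenLDAP 2.x ships libldap-2.N, libldap_r-2.N and liblber-2.N.
MOZLDAP = re.compile(r"^lib(?:ldap|prldap|ssldap)60\.so")
OPENLDAP = re.compile(r"^lib(?:ldap|ldap_r|lber)-2\.\d+\.so")

# Constructed sample in /proc/<pid>/maps format (not real output).
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a04e000 r-xp 00000000 fd:01 131 /usr/lib64/libldap-2.4.so.2.5.6
7f1c2a24e000-7f1c2a250000 rw-p 0004e000 fd:01 131 /usr/lib64/libldap-2.4.so.2.5.6
7f1c2b000000-7f1c2b00e000 r-xp 00000000 fd:01 132 /usr/lib64/liblber-2.4.so.2.5.6
7f1c2c000000-7f1c2c030000 r-xp 00000000 fd:01 140 /usr/lib64/libldap60.so
7f1c2d000000-7f1c2d010000 r-xp 00000000 fd:01 150 /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
7f1c2e000000-7f1c2e021000 rw-p 00000000 00:00 0 [heap]
"""

def mapped_files(maps_text):
    """Return the set of file paths mapped into a process."""
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # range perms offset dev inode path
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5].replace(" (deleted)", ""))
    return paths

def ldap_sdk_conflict(maps_text):
    """Report which LDAP client SDKs are loaded and whether both are."""
    libs = mapped_files(maps_text)
    base = lambda p: p.rsplit("/", 1)[-1]
    moz = sorted(p for p in libs if MOZLDAP.match(base(p)))
    opl = sorted(p for p in libs if OPENLDAP.match(base(p)))
    return {"mozldap": moz, "openldap": opl, "conflict": bool(moz and opl)}

if __name__ == "__main__":
    # With a PID argument, inspect that process (e.g. ns-slapd); else the sample.
    if len(sys.argv) > 1:
        with open("/proc/%s/maps" % sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_MAPS
    result = ldap_sdk_conflict(text)
    for sdk in ("mozldap", "openldap"):
        for path in result[sdk]:
            print("%-8s %s" % (sdk, path))
    print("both SDKs loaded in one process:", result["conflict"])
```

Run it as root with the directory server's PID after triggering the plugin (for example with ipa-getkeytab) to see whether both library families are mapped.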

Comment 10 Fedora Update System 2011-01-28 19:16:20 UTC
ipa-1.2.2-6.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/ipa-1.2.2-6.fc14

Comment 11 Simo Sorce 2011-01-28 19:19:40 UTC
Created attachment 475857
Rich's backport patch to fix ldap libs issues

This is the patch Richm kindly provided for ipa 1.2.
It is the backport of the patch we did for v 2.0.

This should fix all password related issues lately seen on Fedora 14.

Please test the package and give karma, or note here in the bug, if it works for you.

Comment 12 Fedora Update System 2011-01-29 17:25:56 UTC
ipa-1.2.2-6.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update ipa'
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/ipa-1.2.2-6.fc14

Comment 13 Fedora Update System 2011-02-07 19:57:53 UTC
ipa-1.2.2-6.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

