Bug 740959 - 389-console put CA certificates into wrong database
Summary: 389-console put CA certificates into wrong database
Alias: None
Product: 389
Classification: Retired
Component: Directory Console
Version: 1.1.3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
: 750408 (view as bug list)
Depends On:
Blocks: 434915
TreeView+ depends on / blocked
Reported: 2011-09-23 21:43 UTC by Orion Poplawski
Modified: 2015-12-07 17:14 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-12-07 17:14:46 UTC

Attachments (Terms of Use)
0001-Bug-740959-389-console-put-CA-certificates-into-wron.patch (4.85 KB, patch)
2011-10-28 21:37 UTC, Rich Megginson
nhosoi: review+
Details | Diff

Description Orion Poplawski 2011-09-23 21:43:02 UTC
Description of problem:

Running 389-console-1.1.7-1.fc15 and connecting to 389 server on EL5.  I connected to the directory server and through manage certificates imported 3 CA certificates.  However, they went into the /etc/dirsrv/admin-serv database instead of the /etc/dirsrv/slapd-cora database.

How reproducible:
Haven't tried.

No 1.1.7 version in list, so chose 1.1.3 instead.

Comment 1 Orion Poplawski 2011-09-23 21:43:58 UTC
On the server:

Comment 2 Rich Megginson 2011-10-19 16:18:44 UTC
Was able to reproduce on f15 - using the directory server manage certificates ui, the cert is installed in the admin server cert db.

Comment 3 Rich Megginson 2011-10-20 03:38:39 UTC
Turns out that even though NSS_InitContext works for TLS/SSL, it doesn't really work for key/cert db management.  I'm afraid the only way to really get this to work properly is for security.c to do a full, complete, and total NSS shutdown, which means we need to find a way to pass that all the way through to the LDAP layer to make it release any NSS resources used doing LDAPS/startTLS.

Comment 4 Rich Megginson 2011-10-28 21:37:00 UTC
Created attachment 530746 [details]

Comment 5 Rich Megginson 2011-10-28 23:34:41 UTC
    To ssh://git.fedorahosted.org/git/389/admin.git
       65e4166..f2e6124  master -> master
    commit 1897c5ba53d4e385f16c88a75c13f7fb7a24cd92
    Author: Rich Megginson <rmeggins@redhat.com>
    Date:   Fri Oct 28 15:33:06 2011 -0600
        Reviewed by: nhosoi (Thanks!)
        Branch: master
        Fix Description: Now that the openldap/NSS memory leaks have been fixed, we
        do not need the workaround of using NSS_InitContext, which doesn't work
        anyway for cert db management.  The fix is to revert to the old behavior
        of using NSS_Shutdown/NSS_Initialize so that we can be sure we are using
        the correct NSS database.
        Platforms tested: RHEL6 x86_64
        Flag Day: no
        Doc impact: no

Comment 6 Rich Megginson 2011-11-07 21:56:08 UTC
*** Bug 750408 has been marked as a duplicate of this bug. ***

Comment 7 Amita Sharma 2011-11-16 09:22:56 UTC
Installed CA cert from DS console and It is listed under :
[root@snmaptest ~]# cd /etc/dirsrv/slapd-snmaptest
[root@snmaptest slapd-snmaptest]# certutil -L -d . 

Certificate Nickname                                         Trust Attributes

Example Certificate Authority                                CT,, 
server-cert                                                  u,u,u
CA cert                                                      CT,, 


Comment 8 Orion Poplawski 2012-01-13 21:46:01 UTC
Status update?

Comment 9 Rich Megginson 2012-01-13 22:04:19 UTC
(In reply to comment #8)
> Status update?

Fixed in 389-admin-1.1.25 in updates-testing

Comment 10 Marcelo Moreira de Mello 2012-03-05 02:02:11 UTC
Confirmed!! Worked after updating to 389-admin-1.1.25 in updates-testing

Note You need to log in before you can comment on or make changes to this bug.