Description of problem:
Running 389-console-1.1.7-1.fc15 and connecting to 389 server on EL5. I connected to the directory server and through manage certificates imported 3 CA certificates. However, they went into the /etc/dirsrv/admin-serv database instead of the /etc/dirsrv/slapd-cora database.

How reproducible:
Haven't tried.

No 1.1.7 version in list, so chose 1.1.3 instead.

On the server:
389-admin-1.1.23-1.el5
389-admin-console-1.1.8-1.el5
389-admin-console-doc-1.1.8-1.el5
389-adminutil-1.1.14-1.el5
389-console-1.1.7-1.el5
389-ds-1.2.1-1.el5
389-ds-base-1.2.9.9-1.el5
389-ds-base-debuginfo-1.2.7.5-1.el5
389-ds-base-libs-1.2.9.9-1.el5
389-ds-console-1.2.6-1.el5
389-ds-console-doc-1.2.6-1.el5
389-dsgw-1.1.7-1.el5
Was able to reproduce on f15 - using the directory server manage certificates ui, the cert is installed in the admin server cert db.
Turns out that even though NSS_InitContext works for TLS/SSL, it doesn't really work for key/cert db management. I'm afraid the only way to really get this to work properly is for security.c to do a full, complete, and total NSS shutdown, which means we need to find a way to pass that all the way through to the LDAP layer to make it release any NSS resources used doing LDAPS/startTLS.
Created attachment 530746: 0001-Bug-740959-389-console-put-CA-certificates-into-wron.patch
To ssh://git.fedorahosted.org/git/389/admin.git
   65e4166..f2e6124  master -> master

commit 1897c5ba53d4e385f16c88a75c13f7fb7a24cd92
Author: Rich Megginson <rmeggins>
Date:   Fri Oct 28 15:33:06 2011 -0600

    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: Now that the openldap/NSS memory leaks have been fixed, we do not need the workaround of using NSS_InitContext, which doesn't work anyway for cert db management. The fix is to revert to the old behavior of using NSS_Shutdown/NSS_Initialize so that we can be sure we are using the correct NSS database.
    Platforms tested: RHEL6 x86_64
    Flag Day: no
    Doc impact: no
*** Bug 750408 has been marked as a duplicate of this bug. ***
Installed CA cert from DS console and it is listed under:

[root@snmaptest ~]# cd /etc/dirsrv/slapd-snmaptest
[root@snmaptest slapd-snmaptest]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Certificate Authority                                CT,,
server-cert                                                  u,u,u
CA cert                                                      CT,,

Hence VERIFIED
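The verification above was done by hand with certutil. The script below is an added example, not part of the bug report or of 389-admin, that automates the same check: it parses `certutil -L` output and reports which NSS database under /etc/dirsrv (admin-serv or a slapd-<instance> directory) actually holds a given CA nickname, so a cert landing in the wrong db is caught before TLS is enabled. It assumes the standard 389 layout and that certutil is on PATH; the sample listing is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report). Parses `certutil -L -d <dir>` output.

# trust_flags_for NICKNAME  (listing on stdin)
# Prints the trust flags (e.g. "CT,,") of NICKNAME and returns 0; returns 1 if absent.
# Nicknames may contain spaces, so the flags are taken as the last field and the
# nickname is everything before them, trimmed.
trust_flags_for() {
  awk -v nick="$1" '
    NR <= 2 || NF < 2 { next }                 # skip the two header lines and blanks
    {
      sub(/[[:space:]]+$/, "")
      flags = $NF
      name = substr($0, 1, length($0) - length(flags))
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
      if (name == nick) { print flags; found = 1 }
    }
    END { exit found ? 0 : 1 }'
}

# ca_cert_locations NICKNAME
# Prints "<dbdir> <flags>" for every 389 NSS database containing NICKNAME.
# Returns 1 if it is found nowhere. Assumes the /etc/dirsrv layout (assumption).
ca_cert_locations() {
  nick=$1; rc=1
  for db in /etc/dirsrv/admin-serv /etc/dirsrv/slapd-*; do
    [ -f "$db/cert8.db" ] || [ -f "$db/cert9.db" ] || continue
    flags=$(certutil -L -d "$db" 2>/dev/null | trust_flags_for "$nick") || continue
    printf '%s %s\n' "$db" "$flags"; rc=0
  done
  return $rc
}

# Constructed sample listing (mirrors the verification output in the report).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Certificate Authority                                CT,,
server-cert                                                  u,u,u
CA cert                                                      CT,,'

# Stand-alone demo: look up the CA cert in the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | trust_flags_for 'CA cert'   # prints CT,,
```

On a live host, `ca_cert_locations 'CA cert'` should list only the slapd-<instance> directory; a hit under /etc/dirsrv/admin-serv reproduces the misplacement this bug describes.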
Status update?
(In reply to comment #8)
> Status update?

Fixed in 389-admin-1.1.25 in updates-testing
Confirmed!! Worked after updating to 389-admin-1.1.25 in updates-testing