Hide Forgot
Description of problem: When generating a replica file (by running ipa-replica-prepare) with both --dirsrv_pkcs12 and --http_pkcs12. Two observations : - pins provided for these p12 files are not validated, aka, random invalid pins are accepted - *blank* pin is accepted as well for both p12 files This was discovered while shanks and myself was testing replication w/ OPTIONS Version-Release number of selected component (if applicable): ============== [root@jetfire ~]# rpm -qi ipa-server | head -6 Name : ipa-server Relocations: (not relocatable) Version : 2.1.3 Vendor: Red Hat, Inc. Release : 9.el6 Build Date: Mon 07 Nov 2011 03:00:54 PM EST Install Date: Fri 11 Nov 2011 01:02:45 AM EST Build Host: x86-001.build.bos.redhat.com Group : System Environment/Base Source RPM: ipa-2.1.3-9.el6.src.rpm Size : 3382131 License: GPLv3+ [root@jetfire ~]# ============== How reproducible: All the time Steps to Reproduce: 1. Have a working master IPA instance (host 'jetfire') 2. Prepare replica for host 'ratchet': We just provided a random password for dirsrv pkcs12 and http pkcs12 ##################################### [root@jetfire ~]# ipa-replica-prepare --dirsrv_pkcs12=dirsrv.p12 --http_pkcs12=apache-ssl-cert.p12 --dirsrv_pin=invalidpasswd --http_pin=in validpasswd --ip-address=10.65.201.69 ratchet.testrelm -p Secret123 Warning: Hostname (ratchet.testrelm) not found in DNS Preparing replica for ratchet.testrelm from jetfire.testrelm Copying SSL certificate for the Directory Server from dirsrv.p12 Creating SSL certificate for the dogtag Directory Server Copying SSL certificate for the Web Server from apache-ssl-cert.p12 Copying additional files Finalizing configuration Packaging replica information into /var/lib/ipa/replica-info-ratchet.testrelm.gpg Adding DNS records for ratchet.testrelm Using reverse zone 201.65.10.in-addr.arpa. [root@jetfire ~]# ##################################### => W/o providing *any* passwords(aka blank passwords) ##################################### [root@jetfire ~]# ipa-replica-prepare --dirsrv_pkcs12=dirsrv.p12 --http_pkcs12=apache-ssl-cert.p12 --dirsrv_pin= --http_pin= --ip-address=1 0.65.201.69 ratchet.testrelm -p Secret123 Preparing replica for ratchet.testrelm from jetfire.testrelm Copying SSL certificate for the Directory Server from dirsrv.p12 Creating SSL certificate for the dogtag Directory Server Copying SSL certificate for the Web Server from apache-ssl-cert.p12 Copying additional files Finalizing configuration Packaging replica information into /var/lib/ipa/replica-info-ratchet.testrelm.gpg Adding DNS records for ratchet.testrelm Using reverse zone 201.65.10.in-addr.arpa. [root@jetfire ~]# ##################################### Actual results: Replica gpg file is created w/o any errors despite providing incorrect pins(or no pins) Expected results: Passwords for both the p12 files should be validated ; appropriate error should be thrown
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2155
These options were being updated and refactored in Bug 1129558 (upstream ticket https://fedorahosted.org/freeipa/ticket/4489). The PIN should be now used for loading the PKCS#12 files in internal NSS database. Wrong PINs would be therefore reported. Closing the Bug as fixed in current release then. If you manage to reproduce this issue, please feel free to re-open this bug.