This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3477

I found a situation where the CA certificate is stored in base64 encoding in a binary attribute, so for example, ldapsearch returns it double-encoded.

To duplicate this:
* Install IPA (I tested with master)
* ldapdelete ... cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
* ipa-ldap-updater --plugins
* ldapsearch -o ldif-wrap=no -x -b cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/f6f8307be282e96df4fa4f35e83f1ff17403cf86
ipa-3-1: https://fedorahosted.org/freeipa/changeset/80b544eb5a6dbb99620c0e196126c0d934134e7b

Verified against ipa-server-3.3.3-12.el7.x86_64

[root@zippyvm8 ~]# /usr/bin/ldapdelete -x -D "$ROOTDN" -w $ROOTDNPWD 'cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com'
[root@zippyvm8 ~]# ipa-ldap-updater --plugins
<Many lines of output>
[root@zippyvm8 ~]# ldapsearch -o ldif-wrap=no -x -b cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# CACert, ipa, etc, example.com
dn: cn=CACert,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: pkiCA
objectClass: top
cn: CAcert
cACertificate;binary:: MIIDoDCCAoigAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtFWEFNUExFLkNPTTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE0MDEyOTIxNDgzNFoXDTM0MDEyOTIxNDgzNFowNjEUMBIGA1UEChMLRVhBTVBMRS5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMWvb9EQoek8UwtxA1ljbYygwEwogHueC+vU847ib0ifanivBgeYin68SsVHIvjVacVPQZG6xukGe5qqMwsU96IFJaSPAic1pkU3rm3rkTDWzmyD9p6S6ymnnqpYTBzlqhyTdkAXv3BhEQgnifuF/QtETVM9Zonik8vIOFc2vMkdodme6zNhSXlOowe0ktIaEUT5VYfM62/ZO4/MS2pBgpDbxMAO1YsLtKiwOOT/4HWudb/MfBdZ3L2+10nY7U0PYzY8YlqZmSdztK00FTWtiqPflVM9ey6RsjjvNj8VHcXPcFh5wEkVcmd1rrG2RoEJveqmikimu9i4L/l2AXHztE8CAwEAAaOBuDCBtTAfBgNVHSMEGDAWgBTmTkLsyjStVBE/Rb0hAv/8E3ACyDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQU5k5C7Mo0rVQRP0W9IQL//BNwAsgwUgYIKwYBBQUHAQEERjBEMEIGCCsGAQUFBzABhjZodHRwOi8vemlwcHl2bTguaWRtLmxhYi5lbmcucmR1Mi5yZWRoYXQuY29tOjgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBALsYEZUB36tw0Icjq0pixie6JeuVs4SOOFsB6T11tCR3wtE04AWTwSIQN3owknrsLmSUietufI0bTI+j7ROzQiH6jkjY0Eo5oMrowSKqTHk3xhuAEQ17JulL0KI2bb4iBC4/DPRJORin378SSB3xSkSPo7IdIyuMdUDb1OSTtExWojtXZR4PSVOtKO47naj5u8K2+oYI53crFSQQmNaoxqMpgCU71sPe9c82YG2J6ev+e7b2ZL1f4T+TqizeIBHutTlhxgKCK1PlzKVHSlBe9lcmFd425Yuv4YnmL9BOuhjwLiE7FUypqeXrUSw1uQjCrjz0CSiWg0W3DVkjh+tsVvE=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

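A way to check an ldapsearch line for the double encoding reported in this bug, as an added example (not FreeIPA code and not part of any comment here). The function names and the sample value are constructed for illustration; the sample is a DER SEQUENCE header over zero bytes, not a real certificate.

```python
import base64
import binascii

def is_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30, definite length)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                       # short-form length
        length, header = data[1], 2
    else:                                    # long form: low 7 bits = count of length octets
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return len(data) == header + length

def classify(ldif_line: str) -> str:
    """Classify one LDIF attribute line: plain, der, double-encoded or unknown."""
    attr, sep, value = ldif_line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line")
    if not value.startswith(":"):            # single colon: value is not base64 in the LDIF
        return "plain"
    raw = base64.b64decode(value[1:].strip(), validate=True)  # undo the LDIF "::" layer
    if is_der_sequence(raw):
        return "der"                         # what the directory should hold
    try:
        # Stored bytes are not DER; see whether they are base64 text wrapping DER.
        inner = base64.b64decode(b"".join(raw.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "double-encoded" if is_der_sequence(inner) else "unknown"

# Constructed stand-in for a certificate: a DER SEQUENCE header plus 256 zero bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
GOOD_LINE = "cACertificate;binary:: " + base64.b64encode(SAMPLE_DER).decode()
BAD_LINE = "cACertificate;binary:: " + base64.b64encode(base64.b64encode(SAMPLE_DER)).decode()

if __name__ == "__main__":
    for line in (GOOD_LINE, BAD_LINE, "cn: CAcert"):
        print(classify(line), "<-", line[:48])
```

Run with ldif-wrap=no output as in the steps above, so the whole attribute value is on one line.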
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.