Bug 918262 - LDAP upload CA cert sometimes double-encodes the value
Summary: LDAP upload CA cert sometimes double-encodes the value
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 948928
TreeView+ depends on / blocked
 
Reported: 2013-03-05 19:09 UTC by Namita Soman
Modified: 2014-06-18 00:07 UTC (History)
3 users (show)

Fixed In Version: ipa-3.2.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 948928 (view as bug list)
Environment:
Last Closed: 2014-06-13 12:02:17 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Namita Soman 2013-03-05 19:09:48 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3477

I found a situation where the CA certificate is stored in base64 encoding in a binary attribute, so for example, ldapsearch returns it double-encoded.

To duplicate this:

 * Install IPA (I tested with master)
 * ldapdelete ... cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
 * ipa-ldap-updater --plugins
 * ldapsearch -o  ldif-wrap=no -x -b cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
Comment 1 Martin Kosek 2013-03-07 08:41:43 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/f6f8307be282e96df4fa4f35e83f1ff17403cf86
ipa-3-1: https://fedorahosted.org/freeipa/changeset/80b544eb5a6dbb99620c0e196126c0d934134e7b
Comment 4 Michael Gregg 2014-01-29 23:46:50 UTC 
Verified against ipa-server-3.3.3-12.el7.x86_64

[root@zippyvm8 ~]# /usr/bin/ldapdelete -x -D "$ROOTDN" -w $ROOTDNPWD 'cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com'
[root@zippyvm8 ~]# ipa-ldap-updater --plugins 

<Many lines of output>

[root@zippyvm8 ~]# ldapsearch -o ldif-wrap=no -x -b cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com 
# extended LDIF
#
# LDAPv3
# base <cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# CACert, ipa, etc, example.com
dn: cn=CACert,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: pkiCA
objectClass: top
cn: CAcert
cACertificate;binary:: MIIDoDCCAoigAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtFWEFNUExFLkNPTTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE0MDEyOTIxNDgzNFoXDTM0MDEyOTIxNDgzNFowNjEUMBIGA1UEChMLRVhBTVBMRS5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMWvb9EQoek8UwtxA1ljbYygwEwogHueC+vU847ib0ifanivBgeYin68SsVHIvjVacVPQZG6xukGe5qqMwsU96IFJaSPAic1pkU3rm3rkTDWzmyD9p6S6ymnnqpYTBzlqhyTdkAXv3BhEQgnifuF/QtETVM9Zonik8vIOFc2vMkdodme6zNhSXlOowe0ktIaEUT5VYfM62/ZO4/MS2pBgpDbxMAO1YsLtKiwOOT/4HWudb/MfBdZ3L2+10nY7U0PYzY8YlqZmSdztK00FTWtiqPflVM9ey6RsjjvNj8VHcXPcFh5wEkVcmd1rrG2RoEJveqmikimu9i4L/l2AXHztE8CAwEAAaOBuDCBtTAfBgNVHSMEGDAWgBTmTkLsyjStVBE/Rb0hAv/8E3ACyDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQU5k5C7Mo0rVQRP0W9IQL//BNwAsgwUgYIKwYBBQUHAQEERjBEMEIGCCsGAQUFBzABhjZodHRwOi8vemlwcHl2bTguaWRtLmxhYi5lbmcucmR1Mi5yZWRoYXQuY29tOjgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBALsYEZUB36tw0Icjq0pixie6JeuVs4SOOFsB6T11tCR3wtE04AWTwSIQN3owknrsLmSUietufI0bTI+j7ROzQiH6jkjY0Eo5oMrowSKqTHk3xhuAEQ17JulL0KI2bb4iBC4/DPRJORin378SSB3xSkSPo7IdIyuMdUDb1OSTtExWojtXZR4PSVOtKO47naj5u8K2+oYI53crFSQQmNaoxqMpgCU71sPe9c82YG2J6ev+e7b2ZL1f4T+TqizeIBHutTlhxgKCK1PlzKVHSlBe9lcmFd425Yuv4YnmL9BOuhjwLiE7FUypqeXrUSw1uQjCrjz0CSiWg0W3DVkjh+tsVvE=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Comment 5 Ludek Smid 2014-06-13 12:02:17 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Note You need to log in before you can comment on or make changes to this bug.