948928 – LDAP upload CA cert sometimes double-encodes the value

Bug 948928 - LDAP upload CA cert sometimes double-encodes the value

Summary: LDAP upload CA cert sometimes double-encodes the value

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.5
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kosek
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	947889 (view as bug list)
Depends On:	918262
Blocks:	960054 964128
TreeView+	depends on / blocked

Reported:	2013-04-05 14:29 UTC by Najmuddin Chirammal
Modified:	2015-05-12 07:14 UTC (History)
CC List:	7 users (show)
Fixed In Version:	ipa-3.0.0-30.el6
Doc Type:	Bug Fix
Doc Text:	Cause: Identity Management upgrade process double-encoded CA certificate stored in the Directory Server in some situations. Consequence: Some Identity Management clients (e.g. in RHEL-5 platform) failed to decode the CA certificate and client installation failed. Fix: Upgrade process no longer double-encodes the CA certificate. Result: Client installation CA certificate is correctly retrieved from IdM server and installation continues.
Clone Of:	918262
Environment:
Last Closed:	2013-11-21 20:52:52 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:1651	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2013-11-21 00:39:40 UTC

Description Najmuddin Chirammal 2013-04-05 14:29:20 UTC

+++ This bug was initially created as a clone of Bug #918262 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3477

I found a situation where the CA certificate is stored in base64 encoding in a binary attribute, so for example, ldapsearch returns it double-encoded.

To duplicate this:

 * Install IPA (I tested with master)
 * ldapdelete ... cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
 * ipa-ldap-updater --plugins
 * ldapsearch -o  ldif-wrap=no -x -b cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com

--- Additional comment from Martin Kosek on 2013-03-07 14:11:43 IST ---

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/f6f8307be282e96df4fa4f35e83f1ff17403cf86
ipa-3-1: https://fedorahosted.org/freeipa/changeset/80b544eb5a6dbb99620c0e196126c0d934134e7b

Comment 3 Martin Kosek 2013-04-22 08:40:08 UTC

*** Bug 947889 has been marked as a duplicate of this bug. ***

Comment 4 Martin Kosek 2013-04-22 08:41:12 UTC

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/f6f8307be282e96df4fa4f35e83f1ff17403cf86
ipa-3-1: https://fedorahosted.org/freeipa/changeset/80b544eb5a6dbb99620c0e196126c0d934134e7b

Moving to POST.

Comment 10 Namita Soman 2013-09-11 21:20:56 UTC

Verified using ipa-server-3.0.0-35

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: LDAP upload CA cert sometimes double-encodes the value bz964128 6.5 - bz 948928
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: ldapsearch for Cert (Expected 0, got 0)
cACertificate;binary:: MIIDmjCCAoKgAwIBAgIBATANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQ
 KEwxURVNUUkVMTS5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMzA5MTEy
 MDQ4NDZaFw0zMzA5MTEyMDQ4NDZaMDcxFTATBgNVBAoTDFRFU1RSRUxNLkNPTTEeMBwGA1UEAxMVQ
 2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtBVVMS
 agxK+NUWpyjR6XU+QggwZZ6gdFeG8AF9qt0Xkgd0Bv3GnPfTuY9TME1MTjOcO2XhHaL78DkyuF/EU
 GNxdmH+cdJkYOjnaAWMKDwHjJJ9wxK8OHxbAAjLKW6WXHbdlCxZZqfSZjWE2IBtnuaGDnh5Bjs/IT
 h4P0waNJ+kUzmmkrVV1pUWA1rsOiLn1zFmGjP/lwOCJr1Mq9ZkdNO0lMwQDVQscnh3q6MVnOo33xe
 gE6w2hmyOa3W6ig5QUFE8H4DY689YHFN/s6uPBA6Ep72Wcndw8qS6DdymotrMW8EaUPj/LxcUTV20
 Ytpqbo4R3ZxNNlbjyhIb1im7srSQIDAQABo4GwMIGtMB8GA1UdIwQYMBaAFAASa4XhYEWDgw+giGF
 sVS7uvxWAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMB0GA1UdDgQWBBQAEmuF4WBF
 g4MPoIhhbFUu7r8VgDBKBggrBgEFBQcBAQQ+MDwwOgYIKwYBBQUHMAGGLmh0dHA6Ly9jbG91ZC1xZ
 S0xLXZtLTMudGVzdHJlbG0uY29tOjgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAE3gP7gAsk
 X2KcsTQbs+34nNzluHcLf8lLdZpoeqY4USFG9lgffE+4NRewhUj9DMSvYjC78eNzcfkZsc/dapBD6
 BJsPYn3rw6EVegrqo1EeKhiTeorPuDfqww+7kBUmzNFrOf4CmuVwzZp0h7gzXnia4l5Jy1w05Kdbo
 ZTCQL4r3vNiIobDkukKq8mzrewWrpfTjoavaURLHwdlXsM1cCoAbh0ri0gfSUsVHZS1nsVaEuM0xM
 X+Y+cgLcMDznkUH2WtdDIj2IK2i05wkZHEy1exHUTAbkcnLWI2UzxKAB2+7qACX4m8As/TWaGr4LX
 RFXB1UyfJHJS94h20mJzRdbxQ=

# search result
:: [   PASS   ] :: Cert before deletion (Expected 0, got 0)
:: [   PASS   ] :: ldap delete cert (Expected 0, got 0)
# extended LDIF
#
# LDAPv3
# base <cn=CACert,cn=ipa,cn=etc,dc=testrelm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
matchedDN: cn=ipa,cn=etc,dc=testrelm,dc=com

# numResponses: 1
:: [   PASS   ] :: Making sure cert is deleted (Expected 32, got 32)

:: [   PASS   ] :: Running ldap-updater with --plugins (Expected 0, got 0)
:: [   PASS   ] :: ldapsearch for Cert after ldap-updater (Expected 0, got 0)
cACertificate;binary:: MIIDmjCCAoKgAwIBAgIBATANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQ
 KEwxURVNUUkVMTS5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMzA5MTEy
 MDQ4NDZaFw0zMzA5MTEyMDQ4NDZaMDcxFTATBgNVBAoTDFRFU1RSRUxNLkNPTTEeMBwGA1UEAxMVQ
 2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtBVVMS
 agxK+NUWpyjR6XU+QggwZZ6gdFeG8AF9qt0Xkgd0Bv3GnPfTuY9TME1MTjOcO2XhHaL78DkyuF/EU
 GNxdmH+cdJkYOjnaAWMKDwHjJJ9wxK8OHxbAAjLKW6WXHbdlCxZZqfSZjWE2IBtnuaGDnh5Bjs/IT
 h4P0waNJ+kUzmmkrVV1pUWA1rsOiLn1zFmGjP/lwOCJr1Mq9ZkdNO0lMwQDVQscnh3q6MVnOo33xe
 gE6w2hmyOa3W6ig5QUFE8H4DY689YHFN/s6uPBA6Ep72Wcndw8qS6DdymotrMW8EaUPj/LxcUTV20
 Ytpqbo4R3ZxNNlbjyhIb1im7srSQIDAQABo4GwMIGtMB8GA1UdIwQYMBaAFAASa4XhYEWDgw+giGF
 sVS7uvxWAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMB0GA1UdDgQWBBQAEmuF4WBF
 g4MPoIhhbFUu7r8VgDBKBggrBgEFBQcBAQQ+MDwwOgYIKwYBBQUHMAGGLmh0dHA6Ly9jbG91ZC1xZ
 S0xLXZtLTMudGVzdHJlbG0uY29tOjgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAE3gP7gAsk
 X2KcsTQbs+34nNzluHcLf8lLdZpoeqY4USFG9lgffE+4NRewhUj9DMSvYjC78eNzcfkZsc/dapBD6
 BJsPYn3rw6EVegrqo1EeKhiTeorPuDfqww+7kBUmzNFrOf4CmuVwzZp0h7gzXnia4l5Jy1w05Kdbo
 ZTCQL4r3vNiIobDkukKq8mzrewWrpfTjoavaURLHwdlXsM1cCoAbh0ri0gfSUsVHZS1nsVaEuM0xM
 X+Y+cgLcMDznkUH2WtdDIj2IK2i05wkZHEy1exHUTAbkcnLWI2UzxKAB2+7qACX4m8As/TWaGr4LX
 RFXB1UyfJHJS94h20mJzRdbxQ=

# search result
:: [   PASS   ] :: Cert after deletion (Expected 0, got 0)
:: [   PASS   ] :: Files /tmp/tmp.9tRte31EBW/sfile1 and /tmp/tmp.9tRte31EBW/sfile2 should not differ 
:: [   PASS   ] :: CA cert is not double-encoded

Comment 12 errata-xmlrpc 2013-11-21 20:52:52 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html

Note You need to log in before you can comment on or make changes to this bug.