Bug 948928 - LDAP upload CA cert sometimes double-encodes the value
Summary: LDAP upload CA cert sometimes double-encodes the value
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Duplicates: 947889
Depends On: 918262
Blocks: 960054 964128
Reported: 2013-04-05 14:29 UTC by Najmuddin Chirammal
Modified: 2015-05-12 07:14 UTC

Fixed In Version: ipa-3.0.0-30.el6
Doc Type: Bug Fix
Doc Text:
Cause: In some situations, the Identity Management upgrade process double-encoded the CA certificate stored in the Directory Server.
Consequence: Some Identity Management clients (e.g. on the RHEL-5 platform) failed to decode the CA certificate, and client installation failed.
Fix: The upgrade process no longer double-encodes the CA certificate.
Result: During client installation, the CA certificate is correctly retrieved from the IdM server and installation continues.
Clone Of: 918262
Environment:
Last Closed: 2013-11-21 20:52:52 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1651 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2013-11-21 00:39:40 UTC

Description Najmuddin Chirammal 2013-04-05 14:29:20 UTC
+++ This bug was initially created as a clone of Bug #918262 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3477

I found a situation where the CA certificate is stored in base64 encoding in a binary attribute, so for example, ldapsearch returns it double-encoded.

To duplicate this:

 * Install IPA (I tested with master)
 * ldapdelete ... cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
 * ipa-ldap-updater --plugins
 * ldapsearch -o ldif-wrap=no -x -b cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com

--- Additional comment from Martin Kosek on 2013-03-07 14:11:43 IST ---

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/f6f8307be282e96df4fa4f35e83f1ff17403cf86
ipa-3-1: https://fedorahosted.org/freeipa/changeset/80b544eb5a6dbb99620c0e196126c0d934134e7b
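
The double-encoding described in this report can be checked mechanically from `ldapsearch` output. The following is an added example, not code from FreeIPA or from this bug report: it unfolds the LDIF, decodes the `cACertificate;binary::` value and reports whether the stored bytes are DER or base64 text of DER. The function names and `SAMPLE_DER` (a constructed DER SEQUENCE, not a real certificate) are assumptions made for illustration.

```python
import base64
import re

def looks_like_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30, definite length)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def ldif_binary_value(ldif: str, attr: str = "cACertificate;binary") -> bytes:
    """Unfold LDIF (RFC 2849) and base64-decode the '::' value of attr."""
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        name, sep, value = line.partition("::")
        if sep and name.strip().lower() == attr.lower():
            return base64.b64decode(value.strip(), validate=True)
    raise ValueError(f"{attr} not present as a base64 ('::') value")

def classify(raw: bytes) -> str:
    """Return 'der', 'double-encoded' or 'unknown' for a stored attribute value."""
    if looks_like_der_sequence(raw):
        return "der"
    try:
        lines = raw.decode("ascii").splitlines()
        body = "".join(l.strip() for l in lines if not l.startswith("-----"))
        inner = base64.b64decode(body, validate=True)
    except ValueError:                     # not ASCII, or not valid base64
        return "unknown"
    return "double-encoded" if looks_like_der_sequence(inner) else "unknown"

def to_ldif(raw: bytes, width: int = 76) -> str:
    """Constructed helper: render a value the way ldapsearch prints it, folded."""
    line = "cACertificate;binary:: " + base64.b64encode(raw).decode()
    rest = [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com\n" + "\n".join([line[:width]] + rest) + "\n"

# Constructed stand-in for a certificate: a 300-byte DER SEQUENCE, not a real cert.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(i % 256 for i in range(300))
GOOD_LDIF = to_ldif(SAMPLE_DER)                    # attribute holds DER
BAD_LDIF = to_ldif(base64.b64encode(SAMPLE_DER))   # attribute holds base64 text of DER

if __name__ == "__main__":
    for label, ldif in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        print(label, classify(ldif_binary_value(ldif)))
```

A correctly stored certificate shows up in LDIF as base64 beginning with `MII`, while a double-encoded one begins with `TUlJ`, the base64 of the ASCII text `MII`.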

Comment 3 Martin Kosek 2013-04-22 08:40:08 UTC
*** Bug 947889 has been marked as a duplicate of this bug. ***

Comment 10 Namita Soman 2013-09-11 21:20:56 UTC
Verified using ipa-server-3.0.0-35

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: LDAP upload CA cert sometimes double-encodes the value bz964128 6.5 - bz 948928
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: ldapsearch for Cert (Expected 0, got 0)
cACertificate;binary:: [base64 certificate value omitted]

# search result
:: [   PASS   ] :: Cert before deletion (Expected 0, got 0)
:: [   PASS   ] :: ldap delete cert (Expected 0, got 0)
# extended LDIF
#
# LDAPv3
# base <cn=CACert,cn=ipa,cn=etc,dc=testrelm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
matchedDN: cn=ipa,cn=etc,dc=testrelm,dc=com

# numResponses: 1
:: [   PASS   ] :: Making sure cert is deleted (Expected 32, got 32)

:: [   PASS   ] :: Running ldap-updater with --plugins (Expected 0, got 0)
:: [   PASS   ] :: ldapsearch for Cert after ldap-updater (Expected 0, got 0)
cACertificate;binary:: [base64 certificate value omitted]

# search result
:: [   PASS   ] :: Cert after deletion (Expected 0, got 0)
:: [   PASS   ] :: Files /tmp/tmp.9tRte31EBW/sfile1 and /tmp/tmp.9tRte31EBW/sfile2 should not differ 
:: [   PASS   ] :: CA cert is not double-encoded

Comment 12 errata-xmlrpc 2013-11-21 20:52:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html

