https://bugzilla.redhat.com/show_bug.cgi?id=756942
Description of problem: When generating a replica file (by running ipa-replica-prepare) with both --dirsrv_pkcs12 and --http_pkcs12. Two observations : - pins provided for these p12 files are not validated, aka, random invalid pins are accepted - *blank* pin is accepted as well for both p12 files This was discovered while shanks and myself was testing replication w/ OPTIONS Version-Release number of selected component (if applicable): ============== [root@jetfire ~]# rpm -qi ipa-server | head -6 Name : ipa-server Relocations: (not relocatable) Version : 2.1.3 Vendor: Red Hat, Inc. Release : 9.el6 Build Date: Mon 07 Nov 2011 03:00:54 PM EST Install Date: Fri 11 Nov 2011 01:02:45 AM EST Build Host: x86-001.build.bos.redhat.com Group : System Environment/Base Source RPM: ipa-2.1.3-9.el6.src.rpm Size : 3382131 License: GPLv3+ [root@jetfire ~]# ============== How reproducible: All the time Steps to Reproduce: 1. Have a working master IPA instance (host 'jetfire') 2. Prepare replica for host 'ratchet': We just provided a random password for dirsrv pkcs12 and http pkcs12 ##################################### [root@jetfire ~]# ipa-replica-prepare --dirsrv_pkcs12=dirsrv.p12 --http_pkcs12=apache-ssl-cert.p12 --dirsrv_pin=invalidpasswd --http_pin=in validpasswd --ip-address=10.65.201.69 ratchet.testrelm -p Secret123 Warning: Hostname (ratchet.testrelm) not found in DNS Preparing replica for ratchet.testrelm from jetfire.testrelm Copying SSL certificate for the Directory Server from dirsrv.p12 Creating SSL certificate for the dogtag Directory Server Copying SSL certificate for the Web Server from apache-ssl-cert.p12 Copying additional files Finalizing configuration Packaging replica information into /var/lib/ipa/replica-info-ratchet.testrelm.gpg Adding DNS records for ratchet.testrelm Using reverse zone 201.65.10.in-addr.arpa. [root@jetfire ~]# ##################################### => W/o providing *any* passwords(aka blank passwords) ##################################### [root@jetfire ~]# ipa-replica-prepare --dirsrv_pkcs12=dirsrv.p12 --http_pkcs12=apache-ssl-cert.p12 --dirsrv_pin= --http_pin= --ip-address=1 0.65.201.69 ratchet.testrelm -p Secret123 Preparing replica for ratchet.testrelm from jetfire.testrelm Copying SSL certificate for the Directory Server from dirsrv.p12 Creating SSL certificate for the dogtag Directory Server Copying SSL certificate for the Web Server from apache-ssl-cert.p12 Copying additional files Finalizing configuration Packaging replica information into /var/lib/ipa/replica-info-ratchet.testrelm.gpg Adding DNS records for ratchet.testrelm Using reverse zone 201.65.10.in-addr.arpa. [root@jetfire ~]# ##################################### Actual results: Replica gpg file is created w/o any errors despite providing incorrect pins(or no pins) Expected results: Passwords for both the p12 files should be validated ; appropriate error should be thrown
This should be already fixed by the refactoring done in #4489.
Metadata Update from @mkosek: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 4.1
Login to comment on this ticket.