#6948 services entries missing krbCanonicalName attribute.
Closed: fixed 7 years ago Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1446087

Description of problem:

Unfortunately I have not reproduced this locally, but I will describe what I
see in the customer environment.

- Customer has created a RHEL7 replica from a RHEL6 master.

- He tries to see the certificates associated to a service in the console. And
the certificates cannot be found.

- We see the query that is done has this filter:
'(&(&(objectClass=krbprincipal)(objectClass=krbprincipalaux)(objectClass=krbticketpolicyaux)(objectClass=ipaobject)(objectClass=ipaservice)(objectClass=pkiuser))(krbCanonicalName=HTTP/<hostname>@<REALM>)(userCertificate=*))'
usercertificate

but the entries have no krbCanonicalName attribute. So, some queries like the
former one fail to find any information.


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-14.el7_3.6.x86_64

How reproducible: only customer for the moment.


Additional info:

The workaround to generate the attribute would be:

ipa service-add-principal HTTP/`hostname` HTTP/work.around

ipa service-remove-principal HTTP/`hostname` HTTP/work.around

Cause is that cert-find --service uses krbCanonicalName in filter when it should not - this attr is not guaranteed to be present.
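
An added illustration of the failure described in this ticket (not code from FreeIPA or from the commits listed below): a small evaluator for the operators in the quoted filter, run over constructed entries, showing that an entry without krbCanonicalName is never returned. The krbPrincipalName fallback, the audit filter, and all entry names and values are assumptions made for the example.

```python
# Added example, not FreeIPA code: evaluates the LDAP filter subset seen in the
# ticket (&, |, !, attr=value, attr=*); all values compared case-insensitively.
def parse(f, i=0):
    """Parse the parenthesised filter starting at f[i]; return (node, next index)."""
    i += 1                                  # skip "("
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1            # skip ")"
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """entry maps lowercased attribute names to lists of values."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if node[2] == "*":                      # presence test
        return bool(values)
    return any(v.lower() == node[2].lower() for v in values)

def search(entries, flt):
    return [name for name, e in entries.items() if matches(parse(flt)[0], e)]

CLASSES = ["krbprincipal", "krbprincipalaux", "krbticketpolicyaux",
           "ipaobject", "ipaservice", "pkiuser"]
OC = "".join(f"(objectClass={c})" for c in CLASSES)
OLD = "HTTP/old.example.test@EXAMPLE.TEST"  # constructed principal names
NEW = "HTTP/new.example.test@EXAMPLE.TEST"
BASE = {"objectclass": CLASSES, "usercertificate": ["<constructed cert>"]}
ENTRIES = {                                 # constructed sample entries
    "old-master-service": {**BASE, "krbprincipalname": [OLD]},
    "new-service": {**BASE, "krbprincipalname": [NEW], "krbcanonicalname": [NEW]},
}

def ticket_filter(p):    # same shape as the filter quoted in the ticket
    return f"(&(&{OC})(krbCanonicalName={p})(userCertificate=*))"
def fallback_filter(p):  # assumption: also accept a krbPrincipalName match
    name = f"(|(krbCanonicalName={p})(krbPrincipalName={p}))"
    return f"(&(&{OC}){name}(userCertificate=*))"
# Audit filter: service entries that lack krbCanonicalName altogether.
MISSING = "(&(objectClass=ipaservice)(!(krbCanonicalName=*)))"
```

`search(ENTRIES, ticket_filter(OLD))` returns nothing even though the entry holds a certificate, while `search(ENTRIES, MISSING)` lists the entries that would be affected.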


Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1446087

7 years ago

Metadata Update from @pvoborni:
- Issue priority set to: major
- Issue set to the milestone: FreeIPA 4.5.1

7 years ago

Metadata Update from @fbarreto:
- Issue assigned to fbarreto

7 years ago

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)

7 years ago

Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago

master:

  • 44bd5e3 Changing cert-find to do not use only primary key to search in LDAP.

ipa-4-5:

  • df1276e Changing cert-find to do not use only primary key to search in LDAP.
