Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1505925
Description of problem:
kdc segfault was observed when the certauth plugin points to ipadb.so. It starts on RHEL-7.3 when ipa-server-4.5.0-20.el7 (from RHEL-7.4) is installed. Backtrace goes down from krb5 through ipa to openldap. Not sure if the issue is in openldap triggered by the ipa krb5 plugin or in the ipa plugin itself. As it is triggered by the ipa-server plugin, filing it for ipa now, but feel free to move it to the right component. Also tested on the latest builds, the issue is still there.

#0 __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
#1 0x00007fefc29d2954 in ber_strdup_x (s=s@entry=0x1 <Address 0x1 out of bounds>, ctx=ctx@entry=0x0) at memory.c:637
#2 0x00007fefc2c12658 in ldap_str2charray (str_in=str_in@entry=0x1 <Address 0x1 out of bounds>, brkstr=brkstr@entry=0x7fefc2c2282e ", ") at charray.c:188
#3 0x00007fefc2c07b46 in ldap_url_parselist_int (ludlist=ludlist@entry=0x7ffe708282d0, url=url@entry=0x1 <Address 0x1 out of bounds>, sep=0x7fefc2c2282e ", ", sep@entry=0x0, flags=flags@entry=3) at url.c:1293
#4 0x00007fefc2c07c75 in ldap_url_parselist_ext (ludlist=ludlist@entry=0x7ffe708282d0, url=url@entry=0x1 <Address 0x1 out of bounds>, sep=sep@entry=0x0, flags=flags@entry=3) at url.c:1324
#5 0x00007fefc2c0a89b in ldap_set_option (ld=0x55f6dc442b30, option=option@entry=20486, invalue=invalue@entry=0x1) at options.c:584
#6 0x00007fefc2bee2fb in ldap_initialize (ldp=ldp@entry=0x55f6dc4524a0, url=0x1 <Address 0x1 out of bounds>) at open.c:245
#7 0x00007fefc3e1c169 in ipadb_get_connection (ipactx=ipactx@entry=0x55f6dc452470) at ipa_kdb.c:399
#8 0x00007fefc3e1ca20 in ipadb_check_connection (ipactx=0x55f6dc452470, ipactx@entry=0x2) at ipa_kdb_common.c:164
#9 ipadb_simple_search (ipactx=ipactx@entry=0x55f6dc452470, basedn=0x55f6dc447900 "cn=certmap,/var/kerberos/krb5kdc/principal", scope=scope@entry=2, filter=filter@entry=0x7fefc3e2b8b8 "(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))", attrs=attrs@entry=0x7ffe708284c0, res=res@entry=0x7ffe708284a0) at ipa_kdb_common.c:176
#10 0x00007fefc3e27081 in ipa_get_init_data (moddata_out=0x55f6dc439f70, kcontext=0x55f6dc452ef0) at ipa_kdb_certauth.c:160
#11 ipa_certauth_authorize (context=0x55f6dc452ef0, moddata=0x55f6dc439f70, cert=0x55f6dc4482c0 "0\202\003r0\202\002?\003\002\001\002\002\t", cert_len=886, princ=<optimized out>, opts=<optimized out>, db_entry=0x55f6dc43c880, authinds_out=0x7ffe70828638) at ipa_kdb_certauth.c:280
#12 0x00007fefc4abfd0d in authorize_cert (client=<optimized out>, rock=0x55f6dc4550c0, cb=0x55f6da9d9020 <callbacks>, reqctx=0x55f6dc43cab0, plgctx=0x55f6dc425d30, certauth_modules=<optimized out>, context=0x55f6dc452ef0) at pkinit_srv.c:367
#13 pkinit_server_verify_padata (context=0x55f6dc452ef0, req_pkt=<optimized out>, request=<optimized out>, enc_tkt_reply=0x55f6dc454f88, data=0x55f6dc4543b0, cb=0x55f6da9d9020 <callbacks>, rock=0x55f6dc4550c0, moddata=0x55f6dc40b2c0, respond=0x55f6da7c71a0 <finish_verify_padata>, arg=0x55f6dc43eef0) at pkinit_srv.c:507
#14 0x000055f6da7c7123 in next_padata (state=<optimized out>) at kdc_preauth.c:1209
#15 0x000055f6da7be7d5 in process_as_req (request=<optimized out>, req_pkt=req_pkt@entry=0x55f6dc43b1f8, from=from@entry=0x55f6dc453628, kdc_active_realm=0x55f6dc405300, vctx=vctx@entry=0x55f6dc415a20, respond=respond@entry=0x55f6da7bca00 <finish_dispatch_cache>, arg=arg@entry=0x55f6dc43a200) at do_as_req.c:819
#16 0x000055f6da7bcd22 in dispatch (cb=0x55f6da9d92c0 <shandle>, local_saddr=<optimized out>, from=0x55f6dc453628, pkt=pkt@entry=0x55f6dc43b1f8, is_tcp=is_tcp@entry=1, vctx=vctx@entry=0x55f6dc415a20, respond=respond@entry=0x55f6da7d00f0 <process_tcp_response>, arg=arg@entry=0x55f6dc43b170) at dispatch.c:190
#17 0x000055f6da7d03d0 in process_tcp_connection_read (ctx=0x55f6dc415a20, ev=0x55f6dc4536d0) at net-server.c:1409
#18 0x00007fefcc0a6cd8 in verto_fire (ev=0x55f6dc4536d0) at verto.c:947
#19 0x00007fefc4ce6a14 in event_process_active_single_queue (activeq=0x55f6dc425770, base=0x55f6dc425340) at event.c:1350
#20 event_process_active (base=<optimized out>) at event.c:1420
#21 event_base_loop (base=0x55f6dc425340, flags=0) at event.c:1621
#22 0x000055f6da7bb9ff in main (argc=2, argv=0x7ffe70828c88) at main.c:1065

Version-Release number of selected component (if applicable):
openldap-2.4.44-5.el7
krb5-server-1.15.1-8.el7
ipa-server-4.5.0-20.el7

How reproducible:
always

Steps to Reproduce:
1. Install ipa-server package and make sure certauth plugin points to ipadb.so

# cat /etc/krb5.conf.d/ipa-certauth
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }

2. Do not setup ipa server, just create certs and set up KDC with pkinit

# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 EXAMPLE.COM = {
  pkinit_anchors = FILE:/etc/krb5/cacert.pem
  pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
 pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

3. Configure a principal with preauth required and do kinit

Actual results:
kdc segfault

Expected results:
no segfault

Additional info:

(gdb) bt f
#0 __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
No locals.
#1 0x00007fefc29d2954 in ber_strdup_x (s=s@entry=0x1 <Address 0x1 out of bounds>, ctx=ctx@entry=0x0) at memory.c:637
        p = <optimized out>
        len = <optimized out>
#2 0x00007fefc2c12658 in ldap_str2charray (str_in=str_in@entry=0x1 <Address 0x1 out of bounds>, brkstr=brkstr@entry=0x7fefc2c2282e ", ") at charray.c:188
        res = <optimized out>
        str = <optimized out>
        s = <optimized out>
        lasts = 0x7ffe7082824f ""
        i = <optimized out>
#3 0x00007fefc2c07b46 in ldap_url_parselist_int (ludlist=ludlist@entry=0x7ffe708282d0, url=url@entry=0x1 <Address 0x1 out of bounds>, sep=0x7fefc2c2282e ", ", sep@entry=0x0, flags=flags@entry=3) at url.c:1293
        i = <optimized out>
        rc = <optimized out>
        ludp = 0x28
        urls = <optimized out>
        __PRETTY_FUNCTION__ = "ldap_url_parselist_int"
#4 0x00007fefc2c07c75 in ldap_url_parselist_ext (ludlist=ludlist@entry=0x7ffe708282d0, url=url@entry=0x1 <Address 0x1 out of bounds>, sep=sep@entry=0x0, flags=flags@entry=3) at url.c:1324
No locals.
#5 0x00007fefc2c0a89b in ldap_set_option (ld=0x55f6dc442b30, option=option@entry=20486, invalue=invalue@entry=0x1) at options.c:584
        urls = 0x1 <Address 0x1 out of bounds>
        ludlist = 0x0
        lo = 0x55f6dc4479e0
        dbglvl = 0x0
        rc = 0
        __PRETTY_FUNCTION__ = "ldap_set_option"
#6 0x00007fefc2bee2fb in ldap_initialize (ldp=ldp@entry=0x55f6dc4524a0, url=0x1 <Address 0x1 out of bounds>) at open.c:245
        rc = <optimized out>
        ld = 0x55f6dc442b30
#7 0x00007fefc3e1c169 in ipadb_get_connection (ipactx=ipactx@entry=0x55f6dc452470) at ipa_kdb.c:399
        tv = {tv_sec = 5, tv_usec = 0}
        res = 0x0
        first = <optimized out>
        ret = <optimized out>
        v3 = 22006
#8 0x00007fefc3e1ca20 in ipadb_check_connection (ipactx=0x55f6dc452470, ipactx@entry=0x2) at ipa_kdb_common.c:164
No locals.
#9 ipadb_simple_search (ipactx=ipactx@entry=0x55f6dc452470, basedn=0x55f6dc447900 "cn=certmap,/var/kerberos/krb5kdc/principal", scope=scope@entry=2, filter=filter@entry=0x7fefc3e2b8b8 "(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))", attrs=attrs@entry=0x7ffe708284c0, res=res@entry=0x7ffe708284a0) at ipa_kdb_common.c:176
        ret = <optimized out>
#10 0x00007fefc3e27081 in ipa_get_init_data (moddata_out=0x55f6dc439f70, kcontext=0x55f6dc452ef0) at ipa_kdb_certauth.c:160
        ret = <optimized out>
        prio = 32766
        ipactx = 0x55f6dc452470
        result = 0x0
        le = <optimized out>
        ctx = 0x0
        kerr = <optimized out>
        c = <optimized out>
        match_rule = 0x0
        domains = 0x0
        certmap_attrs = {0x7fefc3e2a6f8 "objectClass", 0x7fefc3e2b990 "ipaCertMapPriority", 0x7fefc3e2b9a3 "ipaCertMapMatchRule", 0x7fefc3e2b9b7 "ipaCertMapMapRule", 0x7fefc3e2b9c9 "associatedDomain", 0x7fefc3e2b9da "ipaEnabledFlag", 0x0}
        basedn = 0x55f6dc447900 "cn=certmap,/var/kerberos/krb5kdc/principal"
        lc = <optimized out>
        map_rule = 0x0
#11 ipa_certauth_authorize (context=0x55f6dc452ef0, moddata=0x55f6dc439f70, cert=0x55f6dc4482c0 "0\202\003r0\202\002?\003\002\001\002\002\t", cert_len=886, princ=<optimized out>, opts=<optimized out>, db_entry=0x55f6dc43c880, authinds_out=0x7ffe70828638) at ipa_kdb_certauth.c:280
        cert_filter = 0x0
        domains = 0x0
        ret = <optimized out>
        c = <optimized out>
        principal = 0x0
        auth_inds = 0x0
        res = 0x0
        kerr = <optimized out>
        lentry = 0x0
#12 0x00007fefc4abfd0d in authorize_cert (client=<optimized out>, rock=0x55f6dc4550c0, cb=0x55f6da9d9020 <callbacks>, reqctx=0x55f6dc43cab0, plgctx=0x55f6dc425d30, certauth_modules=<optimized out>, context=0x55f6dc452ef0) at pkinit_srv.c:367
        opts = {cb = 0x55f6da9d9020 <callbacks>, rock = 0x55f6dc4550c0, plgctx = 0x55f6dc425d30, reqctx = 0x55f6dc43cab0}
        cert = 0x55f6dc4482c0 "0\202\003r0\202\002?\003\002\001\002\002\t"
        ais = 0x0
        ret = <optimized out>
        h = 0x55f6dc439f30
        db_ent = 0x0
        ai = <optimized out>
        accepted = 0
        i = <optimized out>
        cert_len = 886
#13 pkinit_server_verify_padata (context=0x55f6dc452ef0, req_pkt=<optimized out>, request=<optimized out>, enc_tkt_reply=0x55f6dc454f88, data=0x55f6dc4543b0, cb=0x55f6da9d9020 <callbacks>, rock=0x55f6dc4550c0, moddata=0x55f6dc40b2c0, respond=0x55f6da7c71a0 <finish_verify_padata>, arg=0x55f6dc43eef0) at pkinit_srv.c:507
        retval = 0
        authp_data = {magic = 0, length = 943, data = 0x55f6dc443450 "0\202\003\253\240<0:\240\005\002\003\001\036s\ 241\021\030\017\062\060\061\067\061\060\062\064\061\064\063\062\065\063Z\242\00 6\002\004\031\336My\243\026\004\024\001\362T\020\274eo\036H\202x\355\071\215)\0 35\314\307\346?\202\003+0\202\003'0\202\002\031\006\a*\206H\316>\002\001\060\20 2\002\f\002\202\001\001"}
        krb5_authz = {magic = 0, length = 504, data = 0x55f6dc4480c0 "0\202\001\364\060\202\001\004\200o0m1\v0\t\006 \003U\004\006\023\002CZ1\020\060\016\006\003U\004\b\f\aMoravia1\r0\v\006\003U\0 04\a\f\004Brno1\031\060\027\006\003U\004\n\f\020DummyCompany Ltd1\022\060\020\0 06\003U\004\v\f\tdummyunit1\016\060\f\006\003U\004\003\f\005alice\201y0w0j1\v0\ t\006\003U\004\006\023\002CZ1\020\060\016\006\003U\004\b\f\aMoravia1\r0\v\006\0 03U\004\a\f\004Brno1\031\060\027\006\003U\004\n\f\020DummyCompany Ltd"...}
        reqp = 0x55f6dc43eac0
        reqp9 = 0x0
        auth_pack = 0x0
        auth_pack9 = 0x0
        plgctx = 0x55f6dc425d30
        reqctx = 0x55f6dc43cab0
        cksum = {magic = 0, checksum_type = 0, length = 0, contents = 0x0}
        der_req = 0x0
        k5data = {magic = 32, length = 2495, data = 0x55f6dc4543d0 "0\202\t\273\200\202\b\305\060\202\b\301\006\t* \206H\206\367\r\001\a\002\240\202\b\262\060\202\b\256\002\001\003\061\v0\t\006\ 005+\016\003\002\032\005"}
        is_signed = 1
        e_data = 0x0
        modreq = 0x0
        sp = <optimized out>
#14 0x000055f6da7c7123 in next_padata (state=<optimized out>) at kdc_preauth.c:1209
        __PRETTY_FUNCTION__ = "next_padata"
#15 0x000055f6da7be7d5 in process_as_req (request=<optimized out>, req_pkt=req_pkt@entry=0x55f6dc43b1f8, from=from@entry=0x55f6dc453628, kdc_active_realm=0x55f6dc405300, vctx=vctx@entry=0x55f6dc415a20, respond=respond@entry=0x55f6da7bca00 <finish_dispatch_cache>, arg=arg@entry=0x55f6dc43a200) at do_as_req.c:819
        errcode = <optimized out>
        s_flags = <optimized out>
        encoded_req_body = {magic = 4, length = 151, data = 0x55f6dc455ccc "0\201\224\240\a\003\005"}
        useenctype = <optimized out>
        au_state = 0x55f6dc43c6d0
#16 0x000055f6da7bcd22 in dispatch (cb=0x55f6da9d92c0 <shandle>, local_saddr=<optimized out>, from=0x55f6dc453628, pkt=pkt@entry=0x55f6dc43b1f8, is_tcp=is_tcp@entry=1, vctx=vctx@entry=0x55f6dc415a20, respond=respond@entry=0x55f6da7d00f0 <process_tcp_response>, arg=arg@entry=0x55f6dc43b170) at dispatch.c:190
        retval = <optimized out>
        as_req = 0x55f6dc4542c0
        response = 0x0
        kdc_err_context = 0x55f6dc402200
#17 0x000055f6da7d03d0 in process_tcp_connection_read (ctx=0x55f6dc415a20, ev=0x55f6dc4536d0) at net-server.c:1409
        local_saddrlen = 16
        local_saddrp = <optimized out>
        state = 0x55f6dc43b170
        conn = <optimized out>
        nread = <optimized out>
        len = 2719
#18 0x00007fefcc0a6cd8 in verto_fire (ev=0x55f6dc4536d0) at verto.c:947
        priv = <optimized out>
        __PRETTY_FUNCTION__ = "verto_fire"
#19 0x00007fefc4ce6a14 in event_process_active_single_queue (activeq=0x55f6dc425770, base=0x55f6dc425340) at event.c:1350
        ev = 0x55f6dc453730
        count = 1
#20 event_process_active (base=<optimized out>) at event.c:1420
        activeq = 0x55f6dc425770
        i = 1
        c = 0
#21 event_base_loop (base=0x55f6dc425340, flags=0) at event.c:1621
        evsel = 0x7fefc4f1bbe0 <epollops>
        tv = {tv_sec = 94518715951064, tv_usec = 94515050315781}
        tv_p = <optimized out>
        res = <optimized out>
        done = 0
        retval = 0
        __func__ = "event_base_loop"
#22 0x000055f6da7bb9ff in main (argc=2, argv=0x7ffe70828c88) at main.c:1065
        retval = <optimized out>
        kcontext = 0x55f6dc402200
        realm = <optimized out>
        ctx = 0x55f6dc415a20
        tcp_listen_backlog = 5
        i = <optimized out>
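
A configuration audit for the condition in the steps to reproduce above (certauth plugin pointing at ipadb.so on a KDC whose database is not IPA), added here as an example; it is not part of the ticket or of FreeIPA. It assumes that a configured IPA KDC declares `db_library = ipadb.so` under `[dbmodules]`; the function names and sample profiles are constructed for illustration.

```python
import re

def parse_profile(text):
    """Parse krb5 profile syntax into nested dicts (last value wins per key)."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("includedir"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                      # "[plugins]" opens or re-opens a section
            stack = [root.setdefault(header.group(1), {})]
        elif line == "}":               # close the innermost subsection
            if len(stack) > 1:
                stack.pop()
        elif "=" in line and stack:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":            # "certauth = {" opens a subsection
                sub = stack[-1].get(key)
                if not isinstance(sub, dict):
                    sub = stack[-1][key] = {}
                stack.append(sub)
            else:
                stack[-1][key] = value
    return root

def ipa_certauth_without_ipadb(profile_text):
    """True when the certauth plugin loads ipadb.so but no KDB module uses it."""
    prof = parse_profile(profile_text)
    certauth = prof.get("plugins", {}).get("certauth")
    module = certauth.get("module", "") if isinstance(certauth, dict) else ""
    backend_is_ipadb = any(
        isinstance(mod, dict) and mod.get("db_library") == "ipadb.so"
        for mod in prof.get("dbmodules", {}).values())
    return "ipadb.so" in module and not backend_is_ipadb

# Constructed from the ticket: the certauth snippet on a KDC without IPA set up.
REPRO = """
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }
"""
# Assumption: a configured IPA server declares its backend under [dbmodules].
IPA_CONFIGURED = REPRO + """
[dbmodules]
 EXAMPLE.COM = {
  db_library = ipadb.so
 }
"""

if __name__ == "__main__":
    for name, text in (("repro", REPRO), ("ipa", IPA_CONFIGURED)):
        print(name, ipa_certauth_without_ipadb(text))
```

Feed it the concatenated contents of /etc/krb5.conf, the files under its includedir, and kdc.conf; a True result marks a host in the state the ticket describes.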
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1505925
Metadata Update from @pvoborni: - Issue priority set to: critical - Issue tagged with: bug
https://github.com/freeipa/freeipa/pull/1537
master:
ipa-4-6:
ipa-4-5:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1537