ipaldap does not take into account the possibility of the attribute encoding as returned by 389DS differing from the attribute encoding produced by FreeIPA. This can occur especially in DNs that require escpaing of special characters. For example, 389DS escapes special characters using hex encoding:
CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU
Whereas FreeIPA escapes the character directly.
CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU
Therefore it is possible to generate an invalid modlist. For example, during external CA certificate renewal, if the issuer DN includes a comma in one of the attribute values (as above), an invalid modlist will be generated:
[ (ldap.MOD_ADD, 'ipacaissuerdn', [b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU']) , (ldap.MOD_DELETE, 'ipacaissuerdn', [b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU']) ]
In the above case, the attribute already exists, and LDAP error 20 (attributeOrValueExists) occurs.
Metadata Update from @ftweedal: - Issue assigned to ftweedal
PR: https://github.com/freeipa/freeipa/pull/2511
Metadata Update from @ftweedal: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2511
master:
ipa-4-6:
ipa-4-5:
ipa-4-7:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.