When IPA CA has a custom subject DN (i.e. not CN=Certificate Authority,{subject-base}), KRA authentication always fails, because the description attribute of the uid=ipakra people entry is not set up correctly.
CN=IPA CA 201910021714,DC=redhat,DC=com
ipa vault-add
Communication with KRA fails.
Communication with KRA succeeds.
4.8 and possibly every version of IPA ever (since we supported custom subject DN).
The problem is clearly seen in the following ldapsearch output:

% ldapsearch -LLL -D cn=directory\ manager -w4me2Test -b o=ipaca '(|(uid=ipara)(uid=ipakra))' description |less
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=IPA CA 201910021714,DC=redhat,DC=com;CN=IPA RA,O=IPA.LOCAL

dn: uid=ipakra,ou=people,o=kra,o=ipaca
description: 2;7;CN=Certificate Authority,O=IPA.LOCAL;CN=IPA RA,O=IPA.LOCAL
The problem may be improper initialisation of the KRAInstance object during installation. See discussion from mailing list:

> This looks like actual IPA RA subject is fixed in the code in
> ipaserver/install/krainstance.py:
>
> class KRAInstance(DogtagInstance):
>     .....
>     def __create_kra_agent(self):
>         .....
>         # create ipakra user with RA agent certificate
>         user_dn = DN(('uid', "ipakra"), ('ou', 'people'), self.basedn)
>         entry = conn.make_entry(
>             user_dn,
>             objectClass=['top', 'person', 'organizationalPerson',
>                          'inetOrgPerson', 'cmsuser'],
>             uid=["ipakra"],
>             sn=["IPA KRA User"],
>             cn=["IPA KRA User"],
>             usertype=["undefined"],
>             userCertificate=[cert],
>             description=['2;%s;%s;%s' % (
>                 cert.serial_number,
>                 DN(self.subject),
>                 DN(('CN', 'IPA RA'), self.subject_base))])
>         conn.add_entry(entry)
>
> I think it should be picked up from the cert. Time for a ticket?

Time for a ticket, yes. But the above code looks ok. The problem is 'self.subject' (the issuer DN) contains the wrong value. I'll follow the reproducer steps to see what's going on. I suspect KRAInstance instance is not initialised properly for some operation.
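As an added check (not code from this ticket or from FreeIPA), the script below parses the `2;serial;issuerDN;subjectDN` description values from ldapsearch output like the one above and flags agent entries whose recorded issuer DN differs from the CA's actual subject DN. The sample entries are constructed from this ticket, the DN normalisation is a deliberate simplification of RFC 4517 matching, and all function names are my own.

```python
from dataclasses import dataclass

# Constructed sample: the two agent entries quoted in this ticket.
SAMPLE_LDIF = """\
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=IPA CA 201910021714,DC=redhat,DC=com;CN=IPA RA,O=IPA.LOCAL

dn: uid=ipakra,ou=people,o=kra,o=ipaca
description: 2;7;CN=Certificate Authority,O=IPA.LOCAL;CN=IPA RA,O=IPA.LOCAL
"""


@dataclass
class AgentDescription:
    version: str
    serial: int
    issuer_dn: str
    subject_dn: str


def parse_description(value):
    """Split Dogtag's 'version;serial;issuerDN;subjectDN' attribute value."""
    parts = value.split(";", 3)
    if len(parts) != 4:
        raise ValueError("unexpected description format: %r" % value)
    version, serial, issuer, subject = parts
    return AgentDescription(version, int(serial), issuer, subject)


def parse_ldif(text):
    """Return {dn: description} from ldapsearch output (single-line attributes only)."""
    entries = {}
    dn = None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[len("dn: "):]
        elif line.startswith("description: ") and dn is not None:
            entries[dn] = line[len("description: "):]
    return entries


def normalize_dn(dn):
    # Simplified: strip whitespace around RDNs and compare case-insensitively.
    return ",".join(p.strip() for p in dn.split(",")).lower()


def find_issuer_mismatches(ldif_text, ca_subject_dn):
    """DNs whose description names an issuer other than the real CA subject."""
    wanted = normalize_dn(ca_subject_dn)
    return [dn for dn, desc in parse_ldif(ldif_text).items()
            if normalize_dn(parse_description(desc).issuer_dn) != wanted]
```

Run against the sample with the custom CA subject DN, only the `uid=ipakra` entry is reported, which is the entry that causes the KRA authentication failure.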
RHEL 7 BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1758406
RHEL 8 BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1758404
PR: https://github.com/freeipa/freeipa/pull/3764
master:
Metadata Update from @frenaud: - Custom field test_case adjusted to ipatests/test_integration/test_ca_custom_sdn.py
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1758406
Issue linked to Bugzilla: Bug 1758406
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1758406, https://bugzilla.redhat.com/show_bug.cgi?id=1758404 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1758406)
Issue linked to Bugzilla: Bug 1758404
ipa-4-8:
ipa-4-7:
ipa-4-6:
Metadata Update from @ftweedal: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)