#8308 ipa service-del deletes the required principal when specified in lower/upper case
Closed: fixed 3 years ago by cheimes. Opened 3 years ago by myusuf.

Description of problem:
ipa service-del deletes the required principal when specified in lower/upper case

Version-Release number of selected component (if applicable):
ipa-server-4.6.8-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install ipa server
2. Try to delete services: HTTP, DNS, ldap
3. Try to delete services: http, dns, LDAP

Actual results:
Step 2 throws error
Step 3 deletes services

Expected results:
Step 3 should not delete services.

[root@master79 ~]# ipa service-find
------------------
5 services matched
------------------
  Principal name: DNS/master79.testrelm.test@TESTRELM.TEST
  Principal alias: DNS/master79.testrelm.test@TESTRELM.TEST
  Keytab: True

  Principal name: HTTP/master79.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/master79.testrelm.test@TESTRELM.TEST
  Certificate: [certificate data removed]
  Subject: CN=master79.testrelm.test,O=TESTRELM.TEST
  Serial Number: 9
  Serial Number (hex): 0x9
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu Apr 30 09:50:05 2020 UTC
  Not After: Sun May 01 09:50:05 2022 UTC
  Fingerprint (SHA1): 92:89:b1:30:52:c1:b2:88:ce:49:36:35:06:98:8b:81:dd:9a:48:8e
  Fingerprint (SHA256): 19:44:61:ff:62:3b:63:49:77:cc:a4:f7:f7:de:9a:fc:07:c3:fc:d7:0d:0b:8c:14:1f:5d:b4:37:f5:35:e2:20
  Keytab: True

  Principal name: dogtag/master79.testrelm.test@TESTRELM.TEST
  Principal alias: dogtag/master79.testrelm.test@TESTRELM.TEST
  Keytab: True

  Principal name: ipa-dnskeysyncd/master79.testrelm.test@TESTRELM.TEST
  Principal alias: ipa-dnskeysyncd/master79.testrelm.test@TESTRELM.TEST
  Keytab: True

  Principal name: ldap/master79.testrelm.test@TESTRELM.TEST
  Principal alias: ldap/master79.testrelm.test@TESTRELM.TEST
  Certificate: [certificate data removed]
  Subject: CN=master79.testrelm.test,O=TESTRELM.TEST
  Serial Number: 8
  Serial Number (hex): 0x8
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Thu Apr 30 09:49:33 2020 UTC
  Not After: Sun May 01 09:49:33 2022 UTC
  Fingerprint (SHA1): 60:a4:59:95:c8:02:6f:15:9f:a1:07:04:3f:34:85:8b:fb:c9:1e:eb
  Fingerprint (SHA256): fd:1d:8c:47:bb:3d:d5:4b:2a:c5:17:2e:b3:e8:ec:12:23:87:25:f3:9f:ba:ea:33:de:a4:69:4d:c7:6d:2c:eb
  Keytab: True
----------------------------
Number of entries returned 5
----------------------------
[root@master79 ~]# ipa service-del HTTP/master79.testrelm.test@TESTRELM.TEST
ipa: ERROR: invalid 'principal': This principal is required by the IPA master
[root@master79 ~]# 
[root@master79 ~]# 
[root@master79 ~]# ipa service-del DNS/master79.testrelm.test@TESTRELM.TEST
ipa: ERROR: invalid 'principal': This principal is required by the IPA master
[root@master79 ~]# 
[root@master79 ~]# ipa service-del ldap/master79.testrelm.test@TESTRELM.TEST
ipa: ERROR: invalid 'principal': This principal is required by the IPA master
[root@master79 ~]# 
[root@master79 ~]# 
[root@master79 ~]# ipa service-del http/master79.testrelm.test@TESTRELM.TEST
-----------------------------------------------------------
Deleted service "http/master79.testrelm.test@TESTRELM.TEST"
-----------------------------------------------------------
[root@master79 ~]# 
[root@master79 ~]# ipa service-del dns/master79.testrelm.test@TESTRELM.TEST
----------------------------------------------------------
Deleted service "dns/master79.testrelm.test@TESTRELM.TEST"
----------------------------------------------------------
[root@master79 ~]# 
[root@master79 ~]# ipa service-del LDAP/master79.testrelm.test@TESTRELM.TEST
-----------------------------------------------------------
Deleted service "LDAP/master79.testrelm.test@TESTRELM.TEST"
-----------------------------------------------------------
[root@master79 ~]# 
[root@master79 ~]# ipa service-find
------------------
2 services matched
------------------
  Principal name: dogtag/master79.testrelm.test@TESTRELM.TEST
  Principal alias: dogtag/master79.testrelm.test@TESTRELM.TEST
  Keytab: True

  Principal name: ipa-dnskeysyncd/master79.testrelm.test@TESTRELM.TEST
  Principal alias: ipa-dnskeysyncd/master79.testrelm.test@TESTRELM.TEST
  Keytab: True
----------------------------
Number of entries returned 2
----------------------------

Same behavior observed on RHEL8.2 ipa-server-4.8.4-7.module+el8.2.0+6046+aaa49f96.x86_64


service-del deletes by DN. Although krbprincipalname has the caseExactIA5Match matching rule, the DN is matched case-insensitively.

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4642
- Issue assigned to cheimes
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.8.7
- Issue tagged with: bug

3 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1829787

3 years ago

master:

  • fefd115 Make check_required_principal() case-insensitive

ipa-4-8:

  • b590a67 Make check_required_principal() case-insensitive

ipa-4-6:

  • c78ac69 Make check_required_principal() case-insensitive

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
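
Added example (not FreeIPA code and not part of the ticket): a small Python model of the mismatch described above, where the required-principal guard compares the service name case-sensitively while the entry lookup ignores case, next to a guard that folds case. ToyDirectory, guard_exact, guard_folded and replay are hypothetical names; the principals are the ones shown in the ticket, and lowercasing the whole name is a simplification of how the directory matches a DN.

```python
HOST = "master79.testrelm.test@TESTRELM.TEST"   # host and realm from the ticket
REQUIRED = ("HTTP", "DNS", "ldap")              # services the ticket shows as protected
STORED = [f"{s}/{HOST}" for s in ("DNS", "HTTP", "dogtag", "ipa-dnskeysyncd", "ldap")]
REQUESTS = [f"{s}/{HOST}" for s in ("HTTP", "DNS", "ldap", "http", "dns", "LDAP")]

class RequiredPrincipal(Exception):
    """Raised when a deletion targets a protected service principal."""

def service_of(principal):
    return principal.partition("/")[0]

def guard_exact(principal):
    # Before: case-sensitive membership test on the requested spelling.
    if service_of(principal) in REQUIRED:
        raise RequiredPrincipal(principal)

def guard_folded(principal):
    # After: fold both sides so the guard agrees with the lookup below.
    if service_of(principal).lower() in {s.lower() for s in REQUIRED}:
        raise RequiredPrincipal(principal)

class ToyDirectory:
    """Constructed stand-in for the LDAP backend: entry lookup ignores case."""
    def __init__(self, principals):
        self._entries = {p.lower(): p for p in principals}
    def delete(self, principal, guard):
        guard(principal)                             # policy check on the request
        return self._entries.pop(principal.lower())  # case-insensitive match
    def names(self):
        return sorted(self._entries.values())

def replay(guard):
    """Run the ticket's six service-del requests; return (deleted, refused, left)."""
    directory, deleted, refused = ToyDirectory(STORED), [], []
    for principal in REQUESTS:
        try:
            deleted.append(directory.delete(principal, guard))
        except RequiredPrincipal:
            refused.append(principal)
    return deleted, refused, directory.names()

if __name__ == "__main__":
    for guard in (guard_exact, guard_folded):
        deleted, refused, left = replay(guard)
        print(f"{guard.__name__}: deleted={len(deleted)} refused={len(refused)} left={len(left)}")
```

With guard_exact the replay ends with the same two services left as the second service-find in the report; with guard_folded all six requests are refused.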
