cloned from https://bugzilla.redhat.com/show_bug.cgi?id=2164348
When a user is doing ipa cert-find, the operation triggers a search in PKI (through an HTTP POST ca/rest/certs/search?size=2147483647). PKI performs a LDAP search with VLV that can return err=4 (sizelimit exceeded) but does not properly handle this case.
When LDAP returns err=4, PKI tries to decode the result as a LDAPEntry even though it received a netscape.ldap.LDAPException. This triggers the following error in ca/debug logs:

```
2023-02-02 11:34:30 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] SEVERE: Operation Error - netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
        at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:482)
        at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:617)
        at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:609)
        at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:763)
        at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:142)
        at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:503)
```
The data returned to the POST operation (= received by IPA) is then the following:

```python
status, _, data = dogtag.https_request(...)
```

```
status = 500
data = b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?><PKIException><Attributes/><ClassName>com.netscape.certsrv.base.PKIException</ClassName>500<Message>Unable to search for certificates: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry</Message></PKIException>'
```
IPA checks the status and, if it is != 200, raises an Exception with the information from the status only:

```python
if status != 200:
    self.raise_certificate_operation_error('find', detail=status)
```

IPA could parse the output from the data field and include this information in the exception, and call instead:

```python
self.raise_certificate_operation_error('find', err_msg=<to be filled>, detail=status)
```

The err_msg would then be logged instead of "Unable to communicate with CMS", which is not specific enough.
But IMO PKI should fix the Exception on its side and return a clean error message, that could be easily understood by the user.
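The following is an added example (not FreeIPA's or Dogtag's own code) of what the proposed IPA-side change could look like: extract the `<Message>` text from a PKIException response body and pass it as `err_msg`, while treating the body as untrusted server output (size cap, tolerant parsing, control-character stripping and truncation before it reaches a log line). The sample body is constructed to match the response quoted above, including the bare `500` node as it appears in the ticket; `CertificateOperationError` and `check_find_response` are stand-ins assumed here, not IPA's real API.

```python
import re
import xml.etree.ElementTree as ET

# Constructed reproduction of the body quoted in the ticket; not captured from
# a live server. The bare "500" text node is reproduced as it appears there.
SAMPLE_STATUS = 500
SAMPLE_DATA = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<PKIException><Attributes/>'
    b'<ClassName>com.netscape.certsrv.base.PKIException</ClassName>'
    b'500'
    b'<Message>Unable to search for certificates: java.lang.ClassCastException: '
    b'netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry</Message>'
    b'</PKIException>'
)

MAX_BODY = 64 * 1024   # refuse to parse oversized error bodies
MAX_MSG = 512          # cap what reaches the log / the user
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def parse_pki_exception(data):
    """Return {'class_name': ..., 'message': ...} for a PKIException body,
    or None when the body is empty, too large, not XML, or not a PKIException."""
    if not data or len(data) > MAX_BODY:
        return None
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    if root.tag != "PKIException":
        return None
    return {
        "class_name": (root.findtext("ClassName") or "").strip(),
        "message": (root.findtext("Message") or "").strip(),
    }


def pki_error_message(status, data):
    """Build the err_msg string for a non-200 PKI response.

    Control characters are replaced and the text truncated so a
    server-supplied message cannot inject extra log lines or flood the log."""
    parsed = parse_pki_exception(data)
    if parsed and parsed["message"]:
        text = parsed["message"]
    else:
        text = "no error detail in response body"
    text = _CONTROL.sub(" ", text)
    if len(text) > MAX_MSG:
        text = text[:MAX_MSG] + "..."
    return "HTTP %d: %s" % (status, text)


class CertificateOperationError(Exception):
    """Stand-in for IPA's certificate operation error (assumed for this example)."""
    def __init__(self, op, err_msg, detail):
        super().__init__("%s: %s (%s)" % (op, err_msg, detail))
        self.op, self.err_msg, self.detail = op, err_msg, detail


def check_find_response(status, data):
    """Same status check as quoted in the ticket, but with a specific err_msg."""
    if status != 200:
        raise CertificateOperationError(
            "find", err_msg=pki_error_message(status, data), detail=status)


if __name__ == "__main__":
    try:
        check_find_response(SAMPLE_STATUS, SAMPLE_DATA)
    except CertificateOperationError as e:
        print(e)
```

Because `<Message>` is looked up by tag rather than by position, the stray text node between `<ClassName>` and `<Message>` in the quoted body does not break extraction, and a non-PKIException body (for example an HTML page from a proxy) degrades to a generic message rather than a parsing traceback.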
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2164348
It isn't practical to write an integration test for this because we'd have to create 90-ish certificates just for this one test.
The nssizelimit value is used for all searches in PKI. Startup will fail if it is set below 100 because it needs to load all the certificate profiles (for one).
We certainly could automate this using certmonger to just re-create the same cert over and over; it just seems like overkill to validate a message.
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2164348 https://bugzilla.redhat.com/show_bug.cgi?id=2192625 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2164348)
https://github.com/freeipa/freeipa/pull/6821
master:
ipa-4-9:
ipa-4-10:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)