pki-bot / pki-issues-final


Unable to publish cacert to LDAP server #1639

Open pki-bot opened 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #1651. Originally filed by mrniranjan (@mrniranjan) on 2015-10-13 22:29:25:


Unable to publish CA certs to ldap server.

Steps to Reproduce:

1. Configure LDAP publishing
2. Create publishing rule as below:

ca.publish.ldappublish.enable=true
ca.publish.ldappublish.ldap.ldapauth.authtype=BasicAuth
ca.publish.ldappublish.ldap.ldapauth.bindDN=cn=Directory Manager
ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt=CA LDAP Publishing
ca.publish.ldappublish.ldap.ldapconn.host=pki2.example.org
ca.publish.ldappublish.ldap.ldapconn.port=389
ca.publish.ldappublish.ldap.ldapconn.secureConn=false
ca.publish.ldappublish.ldap.ldapconn.version=3
ca.publish.mapper.impl.LdapCaSimpleMap.class=com.netscape.cms.publish.mappers.LdapCaSimpleMap
ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.cms.publish.mappers.LdapCertCompsMap
ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.cms.publish.mappers.LdapCertExactMap
ca.publish.mapper.impl.LdapEnhancedMap.class=com.netscape.cms.publish.mappers.LdapEnhancedMap
ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.cms.publish.mappers.LdapSimpleMap
ca.publish.mapper.impl.LdapSubjAttrMap.class=com.netscape.cms.publish.mappers.LdapCertSubjMap
ca.publish.mapper.impl.NoMap.class=com.netscape.cms.publish.mappers.NoMap
ca.publish.mapper.instance.LdapCaCertMap.createCAEntry=true
ca.publish.mapper.instance.LdapCaCertMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
ca.publish.mapper.instance.LdapCaCertMap.pluginName=LdapCaSimpleMap
ca.publish.mapper.instance.LdapCrlMap.createCAEntry=true
ca.publish.mapper.instance.LdapCrlMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapCaSimpleMap
ca.publish.mapper.instance.LdapUserCertMap.dnPattern=UID=$subj.UID,OU=people,O=$subj.o
ca.publish.mapper.instance.LdapUserCertMap.pluginName=LdapSimpleMap
ca.publish.mapper.instance.NoMap.pluginName=NoMap
ca.publish.mapper.instance.map1.createCAEntry=true
ca.publish.mapper.instance.map1.dnPattern=cn=$subj.cn,dc=example,dc=org
ca.publish.mapper.instance.map1.pluginName=LdapCaSimpleMap
ca.publish.publisher.impl.FileBasedPublisher.class=com.netscape.cms.publish.publishers.FileBasedPublisher
ca.publish.publisher.impl.LdapCaCertPublisher.class=com.netscape.cms.publish.publishers.LdapCaCertPublisher
ca.publish.publisher.impl.LdapCertificatePairPublisher.class=com.netscape.cms.publish.publishers.LdapCertificatePairPublisher
ca.publish.publisher.impl.LdapCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
ca.publish.publisher.impl.LdapDeltaCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
ca.publish.publisher.impl.LdapUserCertPublisher.class=com.netscape.cms.publish.publishers.LdapUserCertPublisher
ca.publish.publisher.impl.OCSPPublisher.class=com.netscape.cms.publish.publishers.OCSPPublisher
ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr=caCertificate;binary
ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass=pkiCA
ca.publish.publisher.instance.LdapCaCertPublisher.pluginName=LdapCaCertPublisher
ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
ca.publish.publisher.instance.LdapCrlPublisher.crlObjectClass=pkiCA
ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
ca.publish.publisher.instance.LdapCrossCertPairPublisher.caObjectClass=pkiCA
ca.publish.publisher.instance.LdapCrossCertPairPublisher.crossCertPairAttr=crossCertificatePair;binary
ca.publish.publisher.instance.LdapCrossCertPairPublisher.pluginName=LdapCertificatePairPublisher
ca.publish.publisher.instance.LdapDeltaCrlPublisher.crlAttr=deltaRevocationList;binary
ca.publish.publisher.instance.LdapDeltaCrlPublisher.crlObjectClass=pkiCA,deltaCRL
ca.publish.publisher.instance.LdapDeltaCrlPublisher.pluginName=LdapDeltaCrlPublisher
ca.publish.publisher.instance.LdapUserCertPublisher.certAttr=userCertificate;binary
ca.publish.publisher.instance.LdapUserCertPublisher.pluginName=LdapUserCertPublisher
ca.publish.publisher.instance.file1.Filename.b64=true
ca.publish.publisher.instance.file1.Filename.der=true
ca.publish.publisher.instance.file1.crlLinkExt=
ca.publish.publisher.instance.file1.directory=/tmp
ca.publish.publisher.instance.file1.latestCrlLink=false
ca.publish.publisher.instance.file1.pluginName=FileBasedPublisher
ca.publish.publisher.instance.file1.timeStamp=LocalTime
ca.publish.publisher.instance.file1.zipCRLs=false
ca.publish.publisher.instance.file1.zipLevel=9
ca.publish.publisher.instance.ldap1.caCertAttr=caCertificate;binary
ca.publish.publisher.instance.ldap1.caObjectClass=pkiCA
ca.publish.publisher.instance.ldap1.pluginName=LdapCaCertPublisher
ca.publish.queue.enable=true

3. Create cert request
certutil -R -d /etc/pki/nssdb -s "CN=CA2,O=Example Domain" -a -o ca1.req -v 12

4. Submit the certificate request using the EE certificate manager profile.

5. Approve the request from agent.

certutil -R -d /etc/pki/nssdb -s "CN=CA2,dc=example,dc=org" -a -o /tmp/ca1.req -v 12

Actual results:

CA cert is not published

Additional info:

[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: Setting AUTH_TOKEN-authMgrInstName=certUserDBAuthMgr
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: RequestProcessor: profileId=caCACert
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SubjectNameDefault: setValue name=CN=CA2,DC=example,DC=org
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CAValidityDefault: setValue name= notBefore
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CAValidityDefault: setValue name= notAfter
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CAValidityDefault: setValue name= bypassCAnotafter
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CAValidityDefault: setValue: bypassCAvalidity=false
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CAValidityDefault: setValue: bypassCAvalidity off. reset notAfter to caNotAfter. reset
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: parseRecords: Record0
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SubjectNameConstraint: validate start
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SubjectNameConstraint: validate start
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SubjectNameConstraint: validate cert subject =CN=CA2,DC=example,DC=org
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SubjectNameConstraint: validate() - sn500 dname = CN=CA2,DC=example,DC=org
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SubjectNameConstraint: validate end
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: ValidityConstraint: validate start
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: ValidityConstraint: not before: Tue Oct 13 15:51:56 IST 2015
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: ValidityConstraint: not after: Tue Oct 09 11:13:07 IST 2035
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: ValidityConstraint: range: 7305
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: ValidityConstraint: range unit: day
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: ValidityConstraint: limit: Sat Oct 13 15:51:56 IST 2035
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: ValidityConstraint: validate end
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: KeyConstraint: validate start
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: KeyConstraint.validate: RSA key contraints passed.
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: KeyConstraint: validate end
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: BasicConstraintsExtConstraint: validate start
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: BasicConstraintsExtConstraint: validate end
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: KeyUsageExtConstraint: validate start
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: KeyUsageExtConstraint: validate end
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SigningAlgConstraint: validate start
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SigningAlgConstraint: validate end
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CMSServlet: in auditSubjectID
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CMSServlet: auditSubjectID auditContext {locale=en_US,EN;Q=0.5, userid=caadmin, ipAddress=192.168.122.133, authManagerId=certUserDBAuthMgr}
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CMSServlet auditSubjectID: subjectID: caadmin
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CAEnrollProfile: execute reqId=25
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: issueX509Cert
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: dnUTF8Encoding false
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CertificateRepository: getNextSerialNumber  mEnableRandomSerialNumbers=false
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: Repository: in getNextSerialNumber.
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: Repository: checkRange mLastSerialNo=23
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: Repository: getNextSerialNumber: returning retSerial 23
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CAService: issueX509Cert: setting issuerDN using exact CA signing cert subjectDN encoding
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: About to mCA.sign cert.
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: sign cert get algorithm
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: sign cert encoding cert
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: sign cert encoding algorithm
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CA cert signing: signing cert
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: Getting algorithm context for SHA256withRSA RSASignatureWithSHA256Digest
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: Signing Certificate
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: storeX509Cert 23
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: In storeX509Cert
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: In LdapBoundConnFactory::getConn()
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: masterConn is connected: true
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: getConn: conn is connected true
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: getConn: mNumConns now 5
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: returnConn: mNumConns now 6
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: done storeX509Cert
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=25][InfoName=certificate][InfoValue=MIIDljCCAn6gAwIBAgIBFzANBgkqhkiG9w0BAQsFADA3MRQwEgYDVQQKDAtFeGFtcGxlIE9yZzEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xNTEwMTMxMDIxNTZaFw0zNTEwMDkwNTQzMDdaMDwxEzARBgoJkiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdleGFtcGxlMQwwCgYDVQQDDANDQTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8COtmvYH5m8YmQKVjsd4JFpWiCcrxayTQwLmwikloVMvU5hilhOehJ4kYSan45MXTPOduTuETcx8pN54HcH6Qsbcf9AKhb21JanelgBQIq6DxuRbgltb9zfgoT3FQ0SWjcO7a3+bUhqWiJQK05oI3SP7TR+tyVGypTvGbrKUdt5gNRfJaZ1UsHZSFSnTXlGCEWR+CaVsBha2exKsdOvvXjpzpE8QydN9moI0GmR+8yec2HLWZ6ZT40mKqL342V0HyALqRGglXn30bNYBI3XPMNneaSaC09B5F3w4a5Dix8bGH7IooVnjv6ddSTmFjoYzxEHw4M8A3clbNuI+nwU3RAgMBAAGjgacwgaQwHwYDVR0jBBgwFoAUw7uxHPz6vzw/k8ic6lIg2omwMD0wHQYDVR0OBBYEFLTiUaL5xrY5Lrdu1Rcs151HQn6OMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAYYlaHR0cDovL3BraTIuZXhhbXBsZS5vcmc6MzAwNDQvY2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAQEAXIwJQ340rfMI+1gBlZCp2I9ioTFpFjjc8Hv/dwrcOkNvKPhHTvNGWR8zxYY78mtd2fCNepx5qVRkDD8OmSPnFOFqd03SjLiyvYvKDDvYANSy87K/cagdV1oGG5Hfn2LTyZp1ngrKrZ5UTU1XlBVwvDyq5Oaa3/W5BwBGQ9s5yBtLFLwX+Oc6f4/ntQzDFkztjiKgllAAKZYnECKx7wdLsSrVTuiGlCec7saoZMtbLXcIM9Sv3SkRHW5yRnAd5/KdpKUVcqCONbU54Sz1gihBmEOZdwRStP8Us3jlLFc7TvUR+N9fIN3fOoIVl5Ci4Ng7kCUzyLyYeat2nVW+ESXEWg==] certificate request processed

[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: In LdapBoundConnFactory::getConn()
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: masterConn is connected: true
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: getConn: conn is connected true
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: getConn: mNumConns now 5
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: returnConn: mNumConns now 6
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: ARequestNotifier  notify mIsPublishingQueueEnabled=true mMaxThreads=3
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: addToNotify  extended buffer to 1(40) requests by adding request 25
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: morePublishingThreads moreThreads: true
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: Number of publishing threads: 1
[13/Oct/2015:15:52:09][Thread-14]: RunListeners:: Queue: 1  noSingleRequest
[13/Oct/2015:15:52:09][Thread-14]: getRequest  mRequests=1 mSearchForRequests=false
[13/Oct/2015:15:52:09][Thread-14]: getRequest  getting request: 25
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: CMSServlet: curDate=Tue Oct 13 15:52:09 IST 2015 id=caProfileProcess time=2238
[13/Oct/2015:15:52:09][Thread-14]: In LdapBoundConnFactory::getConn()
[13/Oct/2015:15:52:09][Thread-14]: masterConn is connected: true
[13/Oct/2015:15:52:09][Thread-14]: getConn: conn is connected true
[13/Oct/2015:15:52:09][Thread-14]: getConn: mNumConns now 5
[13/Oct/2015:15:52:09][Thread-14]: returnConn: mNumConns now 6
[13/Oct/2015:15:52:09][Thread-14]: getRequest  request 25 found
[13/Oct/2015:15:52:09][Thread-14]: getRequest  mRequests=0 mSearchForRequests=false done
[13/Oct/2015:15:52:09][Thread-14]: RunListeners: IRequestListener = com.netscape.cms.listeners.CertificateIssuedListener
[13/Oct/2015:15:52:09][Thread-14]: CertificateIssuedListener: accept 25
[13/Oct/2015:15:52:09][Thread-14]: RunListeners: IRequestListener = com.netscape.ca.CRLIssuingPoint$RevocationRequestListener
[13/Oct/2015:15:52:09][Thread-14]: RunListeners: IRequestListener = com.netscape.cmscore.ldap.LdapRequestListener
[13/Oct/2015:15:52:09][Thread-14]: LdapRequestListener handling publishing for enrollment request id 25
[13/Oct/2015:15:52:09][Thread-14]: Checking publishing for request 25
[13/Oct/2015:15:52:09][Thread-14]: In  PublisherProcessor::publishCert
[13/Oct/2015:15:52:09][Thread-14]: Publishing: can't find publishing rule,exiting routine.
[13/Oct/2015:15:52:09][Thread-14]: PublishProcessor::publishCert : Failed to publish using rule: No rules enabled
[13/Oct/2015:15:52:09][Thread-14]: RunListeners: IRequestListener = com.netscape.cms.listeners.CertificateRevokedListener
[13/Oct/2015:15:52:09][Thread-14]: RunListeners: mRequest = 25
[13/Oct/2015:15:52:09][Thread-14]: updatePublishingStatus  requestId: 25
[13/Oct/2015:15:52:09][Thread-14]: RequestRepository:  setPublishingStatus mBaseDN: ou=ca,ou=requests,o=Example1-RootCA-CA  status: 25
[13/Oct/2015:15:52:09][Thread-14]: In LdapBoundConnFactory::getConn()
[13/Oct/2015:15:52:09][Thread-14]: masterConn is connected: true
[13/Oct/2015:15:52:09][Thread-14]: getConn: conn is connected true
[13/Oct/2015:15:52:09][Thread-14]: getConn: mNumConns now 5
[13/Oct/2015:15:52:10][Thread-14]: returnConn: mNumConns now 6
[13/Oct/2015:15:52:10][Thread-14]: updatePublishingStatus mSavePublishingCounter: 1 mSavePublishingStatus: 200
[13/Oct/2015:15:52:10][Thread-14]: RunListeners:  noQueue  SingleRequest
[13/Oct/2015:15:52:10][Thread-14]: RequestRepository:  setPublishingStatus mBaseDN: ou=ca,ou=requests,o=Example1-RootCA-CA  status: -1
[13/Oct/2015:15:52:10][Thread-14]: In LdapBoundConnFactory::getConn()
[13/Oct/2015:15:52:10][Thread-14]: masterConn is connected: true
[13/Oct/2015:15:52:10][Thread-14]: getConn: conn is connected true
[13/Oct/2015:15:52:10][Thread-14]: getConn: mNumConns now 5
[13/Oct/2015:15:52:10][Thread-14]: returnConn: mNumConns now 6

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2015-10-19 20:37:27

Per CS/DS meeting of 10/19/2015: 10.3 - major

pki-bot commented 3 years ago

Comment from jmagne (@jmagne) at 2015-10-20 23:29:50

OK:

Here is what is going on.

We are trying to publish a CA cert.

To do this we need the rule "LdapCACertRule"

The type of this rule in the console is defaulted to "cacert".

When the publish happens this stack trace occurs:

PublisherProcessor.publishCert(X509Certificate, IRequest) line: 1029
LdapEnrollmentListener.acceptX509(IRequest, Certificate[]) line: 230
LdapEnrollmentListener.accept(IRequest) line: 217
LdapRequestListener.accept(IRequest) line: 161

The crucial piece of code:

public void publishCert(X509Certificate cert, IRequest req)
        throws ELdapException {
    boolean error = false;
    StringBuffer errorRule = new StringBuffer();

    CMS.debug("In  PublisherProcessor::publishCert");
    if (!enabled())
        return;

    // get mapper and publisher for cert type.
    // The type is hard-coded to "certs", so a rule of type "cacert"
    // is never selected by this lookup.
    Enumeration<ILdapRule> rules = getRules("certs", req);

Note how this routine is looking for rules of type "certs", where ours is "cacert".

There is another routine called publishCACert, which is not called here. The reason for this I do not know.

The workaround is to change the type of that publish rule to "certs" and it works.

The fix is not known as of yet.
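
The rule lookup jmagne describes, as an added example that is not part of this thread or of the PKI code base: a small Python model of how the publishing rule for an issued certificate is selected. It parses a constructed CS.cfg fragment, looks rules up by type the way the quoted publishCert does (always "certs"), shows why a rule typed "cacert" produces the "No rules enabled" outcome seen in the log, and applies the workaround of retyping the rule. The ca.publish.rule.instance.<name>.<prop> key layout and the sample values are assumptions; the dispatch_by_cert_kind flag is a hypothetical illustration of looking up "cacert" for CA certificates, not the project's fix.

```python
"""Model of how LDAP publishing selects a rule for an issued certificate.

Added example, not code from the PKI project or this thread. The
ca.publish.rule.instance.<name>.<prop> key layout is assumed from the CS.cfg
conventions visible in the report; the sample fragment below is constructed.
"""
from dataclasses import dataclass, field

RULE_PREFIX = "ca.publish.rule.instance."

# Constructed CS.cfg fragment: the CA-cert rule keeps the console default
# type "cacert"; the user-cert rule is present but disabled, as in a setup
# where only CA-cert publishing was configured.
SAMPLE_CFG = """\
ca.publish.enable=true
ca.publish.rule.instance.LdapCaCertRule.enable=true
ca.publish.rule.instance.LdapCaCertRule.mapper=LdapCaCertMap
ca.publish.rule.instance.LdapCaCertRule.pluginName=Rule
ca.publish.rule.instance.LdapCaCertRule.predicate=
ca.publish.rule.instance.LdapCaCertRule.publisher=LdapCaCertPublisher
ca.publish.rule.instance.LdapCaCertRule.type=cacert
ca.publish.rule.instance.LdapUserCertRule.enable=false
ca.publish.rule.instance.LdapUserCertRule.mapper=LdapUserCertMap
ca.publish.rule.instance.LdapUserCertRule.pluginName=Rule
ca.publish.rule.instance.LdapUserCertRule.predicate=
ca.publish.rule.instance.LdapUserCertRule.publisher=LdapUserCertPublisher
ca.publish.rule.instance.LdapUserCertRule.type=certs
"""


@dataclass
class PublishRule:
    name: str
    props: dict = field(default_factory=dict)

    @property
    def enabled(self) -> bool:
        return self.props.get("enable", "false").lower() == "true"

    @property
    def type(self) -> str:
        return self.props.get("type", "")


def parse_rules(cfg_text: str) -> dict:
    """Collect ca.publish.rule.instance.* properties into PublishRule objects."""
    rules = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if not key.startswith(RULE_PREFIX):
            continue
        name, _, prop = key[len(RULE_PREFIX):].partition(".")
        rules.setdefault(name, PublishRule(name)).props[prop] = value
    return rules


def get_rules(rules: dict, cert_type: str) -> list:
    """Mirror of getRules(type, req): enabled rules whose type matches."""
    return [r for r in rules.values() if r.enabled and r.type == cert_type]


def publish_cert(rules: dict, is_ca_cert: bool, dispatch_by_cert_kind: bool = False):
    """Return the rule names that would fire, or the log's 'No rules enabled'.

    Reported behaviour: publishCert always asks for type "certs", so a rule
    typed "cacert" is never found. dispatch_by_cert_kind is a hypothetical
    illustration of looking up "cacert" for CA certificates instead.
    """
    lookup_type = "certs"
    if dispatch_by_cert_kind and is_ca_cert:
        lookup_type = "cacert"
    matched = get_rules(rules, lookup_type)
    if not matched:
        return "No rules enabled"
    return [r.name for r in matched]


def apply_workaround(rules: dict, rule_name: str) -> dict:
    """The workaround from the thread: retype the CA-cert rule as "certs"."""
    rules[rule_name].props["type"] = "certs"
    return rules


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CFG)
    print("as configured:   ", publish_cert(rules, is_ca_cert=True))
    print("cacert lookup:   ", publish_cert(rules, is_ca_cert=True, dispatch_by_cert_kind=True))
    apply_workaround(rules, "LdapCaCertRule")
    print("after workaround:", publish_cert(rules, is_ca_cert=True))
```

Running the module prints "No rules enabled" for the configuration as the console creates it, the CA-cert rule name when the lookup is keyed on "cacert", and the same rule name again once the workaround has retyped it, which is the sequence the thread describes.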

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2015-10-21 02:07:37

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1265678 (Red Hat Certificate System)

pki-bot commented 3 years ago

Comment from jmagne (@jmagne) at 2016-04-22 00:23:21

Should be simple bug fix, despite workaround, moving to 10.3.2

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2016-05-06 23:38:26

Per Bug Triage of 05/05/2016: 10.3.2

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2016-06-24 00:20:28

Per PKI Bug Council of 06/23/2016: 10.4

pki-bot commented 3 years ago

Comment from mrniranjan (@mrniranjan) at 2017-02-27 13:57:54

Metadata Update from @mrniranjan:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-08-30 23:50:59

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2018-04-10 21:42:45

Per 10.5.x/10.6 Triage: FUTURE

jmagne says that this is a corner-case