Bug 547527
Summary: dogtag does not work with latest 389 DS
Product: [Retired] Dogtag Certificate System
Component: Internal Database (LDAP)
Status: CLOSED ERRATA
Severity: medium
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Reporter: Ade Lee <alee>
Assignee: Ade Lee <alee>
QA Contact: Chandrasekar Kannan <ckannan>
CC: awnuk, benl, cfu, jdennis, jgalipea, mharmsen, nkinder
Doc Type: Bug Fix
Last Closed: 2012-07-19 15:53:35 UTC
Bug Blocks: 541012
Description
Ade Lee
2009-12-14 21:12:25 UTC
Created attachment 378777 [details]
patch to fix

Patch removes subject field and adds checks in places where DS syntax is required (mostly for user creation).

awnuk, please review.

Created attachment 378882 [details]
patch to fix (version 2)

On discussion with awnuk, correct practice is to not store a value when the value is an empty string (rather than store a space). The updated patch does that.

In particular:

In DonePanel.java, we throw an exception because the parameter "name" is a MUST parameter.

In UGSubsystem.java, for telephoneNumber and userState, we do not store the values at all if the values are "". This is OK because when the values are read from the db, we set these parameters to "" in the User object if the attribute is not defined.

For userType (which is a MUST parameter), we store the value "undefined" if the value is "". When the value is read, we set the value to "" in the User object if the value read is not defined or is "undefined". Thus, the change here is transparent to any level above the db layer.

In UpdateDomainXML ... we simply error out if any required parameters are missing and create an error accordingly.

Migration steps for users with old data will be posted in a separate comment to this bug.
Created attachment 378910 [details]
patch to fix (v3)
Fixed a couple of issues that occur on modifying the user.
Also fixed a console issue - the user state was not modifiable. Now it is.
Incidentally, users created by console do not have option to select user type - nor can they be modified. Not going to fix this here .. sigh ..
Oops - ignore the selinux changes ... They are coming - just not in this bug :)

attachment (id=378910) +awnuk

Commit for this bug and for 547571 (to tip):

[builder@dhcp231-70 base]$ svn ci -m "Bugzilla BZ 547571: Apply PKI SELinux changes to PKI registry model"
Sending        base/ca/shared/conf/schema.ldif
Sending        base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Sending        base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
Sending        base/kra/shared/conf/schema.ldif
Sending        base/ocsp/shared/conf/schema.ldif
Sending        base/selinux/src/pki.fc
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        base/tks/shared/conf/schema.ldif
Transmitting file data ...........
Committed revision 894.

Commit to 8.1 tip:

[builder@oliver base]$ svn ci -m "BZ 547527: dogtag does not work with latest 389 DS"
Sending        base/ca/shared/conf/schema.ldif
Sending        base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Sending        base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
Sending        base/kra/shared/conf/schema.ldif
Sending        base/ocsp/shared/conf/schema.ldif
Sending        base/tks/shared/conf/schema.ldif
Transmitting file data ........
Committed revision 895.

Created attachment 379921 [details]
patch to fix small bug
awnuk, please review
attachment (id=379921) +awnuk

Commit to 8.1:

[builder@goofy-vm4 base]$ svn ci -m "BZ547527 - dogtag does not work with latest 389 DS - fix small bug"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Transmitting file data .
Committed revision 902.

Commit to tip:

[builder@dhcp231-70 pki]$ svn ci -m "BZ547527 - dogtag does not work with latest 389 DS - fix small bug" base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Transmitting file data .
Committed revision 903.

Created attachment 386708 [details]
patch for clone syntax issue
mharmsen, please review
attachment (id=386708) +mharmsen

[builder@dhcp231-70 pki]$ svn ci -m "BZ 547527: not working with latest 389" base
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Transmitting file data ..
Committed revision 940.

pki-common-1.3.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-1.fc11

pki-common-1.3.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-1.fc12

pki-common-1.3.1-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-1.el5

verified on F-12 with 389-ds-1.1.3-5.fc12.noarch, and dogtag pki-ca-1.3.0-7.fc12.noarch.

The below config. confirms that syntax checking is ON and default syntax checking for undefined attributes is 'octet' string
======================================================
[root@f12-alpha slapd-f12-alpha]# cat dse.ldif | grep -i syntaxcheck
nsslapd-syntaxcheck: on
[root@f12-alpha slapd-f12-alpha]# cat dse.ldif | grep -i octet
dn: cn=Octet String Syntax,cn=plugins,cn=config
cn: Octet String Syntax
nsslapd-pluginInitfunc: octetstring_init
nsslapd-pluginId: octetstring-syntax
nsslapd-pluginDescription: octet string attribute syntax plugin
======================================================
-- CA configures/cert enrollment works fine.

pki-common-1.3.1-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-2.fc12

pki-common-1.3.1-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-2.fc11

pki-common-1.3.1-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

pki-common-1.3.1-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

pki-common-1.3.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

The entries being added during TPS enrollment look like this:
====================================================
dn: cn=10000000000000000006,ou=Tokens,dc=cspki.lab.eng.pnq.redhat.com-pki-tps
cn: 10000000000000000006
objectClass: top
objectClass: tokenRecord
dateOfCreate: 20120621193746Z
dateOfModify: 20120621193748Z
modified: 0
tokenUserID: tuser2
tokenStatus: active
tokenAppletID: 1.4.4d40a449
numberOfResets: 0
numberOfEnrollments: 0
numberOfRenewals: 0
numberOfRecoveries: 0
keyInfo: 0101
tokenPolicy: RE_ENROLL=YES
tokenReason:
tokenType: userKey
====================================================
The ADD of this entry is rejected by Directory Server with err=21 (invalid syntax). The problem is that the "tokenReason" attribute is defined to use the "Directory String" syntax. RFC 4517 defines this syntax as so:

DirectoryString = 1*UTF8

This means that an empty attribute value will be rejected as a syntax violation when syntax checking is enabled.

I have also found that the "tokenUserID" attribute is added with an empty value during token enrollment, which violates the "Directory String" syntax.

I think that the TPS related syntax validation issues (mentioned in comment 27 and comment 28) should be handled in a new separate bug.

*** Bug 818211 has been marked as a duplicate of this bug. ***

*** Bug 818321 has been marked as a duplicate of this bug. ***

VERIFIED.

Env. Info:
----------
- CS 8.1 on RHEL 5.8 w/ latest errata bits
- nss/nspr versions:
  nss-3.13.5-1.el6_3.x86_64
  nspr-4.9.1-1.el6_3.x86_64
- 389-ds-base version
  [root@panther slapd-cs81ldap]# rpm -q 389-ds-base
  389-ds-base-1.2.10.2-15.el6.x86_64

Test Info:
non-TMS(CA,KRA,OCSP) env is successfully configured w/ DS9.0
#-----------------------------------------------------------------------------#
[root@cspki pki-ca]# egrep -i 'securitydomain.|internaldb.ldapconn' /etc/pki-ca/CS.cfg
internaldb.ldapconn.cloneStartTLS=false
internaldb.ldapconn.host=panther.lab.eng.pnq.redhat.com
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
securitydomain.checkinterval=300000
securitydomain.flushinterval=86400000
securitydomain.host=cspki.lab.eng.pnq.redhat.com
securitydomain.httpport=9180
securitydomain.httpsadminport=9445
securitydomain.httpsagentport=9443
securitydomain.httpseeport=9444
securitydomain.name=silentdom
securitydomain.select=new
securitydomain.source=ldap
securitydomain.store=ldap
service.securityDomainPort=9443
[root@cspki pki-ca]#
#-----------------------------------------------------------------------------#
[root@cspki pki-ca]# egrep -i 'securitydomain.|internaldb.ldapconn' /etc/pki-kra/CS.cfg
internaldb.ldapconn.cloneStartTLS=false
internaldb.ldapconn.host=panther.lab.eng.pnq.redhat.com
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
securitydomain.host=cspki.lab.eng.pnq.redhat.com
securitydomain.httpport=9180
securitydomain.httpsadminport=9445
securitydomain.httpsagentport=9443
securitydomain.httpseeport=9444
securitydomain.name=silentdom
securitydomain.select=existing
securitydomain.store=ldap
service.securityDomainPort=10443
[root@cspki pki-ca]#
#-----------------------------------------------------------------------------#
[root@cspki ~]# service pki-ca status
pki-ca (pid 29406) is running ...
    Unsecure Port       = http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca
    Secure Agent Port   = https://cspki.lab.eng.pnq.redhat.com:9443/ca/agent/ca
    Secure EE Port      = https://cspki.lab.eng.pnq.redhat.com:9444/ca/ee/ca
    Secure Admin Port   = https://cspki.lab.eng.pnq.redhat.com:9445/ca/services
    EE Client Auth Port = https://cspki.lab.eng.pnq.redhat.com:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://cspki.lab.eng.pnq.redhat.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  silentdom
    URL:   https://cspki.lab.eng.pnq.redhat.com:9445
    ==========================================================================
[root@cspki ~]# service pki-kra status
pki-kra (pid 21855) is running ...
    Unsecure Port       = http://cspki.lab.eng.pnq.redhat.com:10180/kra/ee/kra
    Secure Agent Port   = https://cspki.lab.eng.pnq.redhat.com:10443/kra/agent/kra
    Secure EE Port      = https://cspki.lab.eng.pnq.redhat.com:10444/kra/ee/kra
    Secure Admin Port   = https://cspki.lab.eng.pnq.redhat.com:10445/kra/services
    PKI Console Port    = pkiconsole https://cspki.lab.eng.pnq.redhat.com:10445/kra
    Tomcat Port         = 10701 (for shutdown)

    PKI Instance Name:   pki-kra

    PKI Subsystem Type:  DRM

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  silentdom
    URL:   https://cspki.lab.eng.pnq.redhat.com:9445
    ==========================================================================
[root@cspki ~]# service pki-ocsp status
pki-ocsp (pid 22851) is running ...
    Unsecure Port       = http://cspki.lab.eng.pnq.redhat.com:11180/ocsp/ee/ocsp
    Secure Agent Port   = https://cspki.lab.eng.pnq.redhat.com:11443/ocsp/agent/ocsp
    Secure EE Port      = https://cspki.lab.eng.pnq.redhat.com:11444/ocsp/ee/ocsp
    Secure Admin Port   = https://cspki.lab.eng.pnq.redhat.com:11445/ocsp/services
    PKI Console Port    = pkiconsole https://cspki.lab.eng.pnq.redhat.com:11445/ocsp
    Tomcat Port         = 11701 (for shutdown)

    PKI Instance Name:   pki-ocsp

    PKI Subsystem Type:  OCSP

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  silentdom
    URL:   https://cspki.lab.eng.pnq.redhat.com:9445
    ==========================================================================
[root@cspki ~]#

NOTE: As mentioned in comment #29, a separate bug was logged for syntax validation issues for 'tokenReason' and 'tokenUserId' attributes -- https://bugzilla.redhat.com/show_bug.cgi?id=835765

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1103.html
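The two sides of this bug can be exercised offline: the write-side rule from the description (refuse an empty MUST "name", omit empty MAY attributes rather than storing "" or " ", store "undefined" for an empty MUST userType and map it back to "" on read) and the server-side rejection seen later in the thread, where 389 DS with nsslapd-syntaxcheck on answers err=21 because RFC 4517 defines DirectoryString as 1*UTF8 and the tokenRecord entry carries an empty tokenReason. The Python below is an added example written for this page; it is not Dogtag or 389 DS code. The schema subset (which attributes use which syntax, the MUST/MAY lists, the "pkiUser" objectClass name), the PLACEHOLDER constant and all function names are assumptions made for illustration, and TOKEN_ENTRY is constructed from the entry quoted above with the attributes outside that subset trimmed.

```python
import re

# LDAP result codes (RFC 4511) that 389 DS returns for the two failure modes
INVALID_ATTRIBUTE_SYNTAX = 21   # the "err=21" seen in the thread
OBJECT_CLASS_VIOLATION = 65

# Assumed schema subset, hand-written for this example (the real definitions
# live in the 389 DS and Dogtag schema LDIFs).  Attribute -> syntax name.
ATTRIBUTE_SYNTAX = {
    "objectClass": "OID",
    "cn": "DirectoryString", "sn": "DirectoryString", "uid": "DirectoryString",
    "userType": "DirectoryString", "userState": "DirectoryString",
    "telephoneNumber": "TelephoneNumber",
    "tokenUserID": "DirectoryString", "tokenReason": "DirectoryString",
    "tokenStatus": "DirectoryString", "tokenType": "DirectoryString",
}
# objectClass -> (MUST attributes, MAY attributes); "pkiUser" is an assumed name
# chosen so that userType is MUST, as the bug description says it is.
OBJECT_CLASSES = {
    "top": ((), ("objectClass",)),
    "person": (("cn", "sn"), ("telephoneNumber",)),
    "pkiUser": (("userType",), ("uid", "userState")),
    "tokenRecord": (("cn",), ("tokenUserID", "tokenReason", "tokenStatus", "tokenType")),
}

_PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'()+,-./:? ")

# RFC 4517 syntax rules.  DirectoryString = 1*UTF8 means one or more characters:
# the empty string is invalid, while a single space is (technically) valid.
SYNTAX_CHECKS = {
    "DirectoryString": lambda v: len(v) >= 1,
    "TelephoneNumber": lambda v: len(v) >= 1 and set(v) <= _PRINTABLE,
    "OID": lambda v: re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*", v) is not None,
}


def check_entry(entry):
    """Server-side check an ADD receives with nsslapd-syntaxcheck: on.

    Returns a list of (result_code, message); an empty list means the ADD is
    accepted.  Attributes outside the assumed schema are skipped here (the
    thread notes that undefined attributes fall back to the Octet String
    syntax, which accepts any value).
    """
    problems = []
    for attr, values in entry.items():
        syntax = ATTRIBUTE_SYNTAX.get(attr)
        if syntax is None:
            continue
        for value in values:
            if not SYNTAX_CHECKS[syntax](value):
                problems.append((INVALID_ATTRIBUTE_SYNTAX,
                                 f"{attr}: value {value!r} violates {syntax} syntax"))
    for oc in entry.get("objectClass", ()):
        must, _may = OBJECT_CLASSES.get(oc, ((), ()))
        for required in must:
            if not entry.get(required):
                problems.append((OBJECT_CLASS_VIOLATION,
                                 f"{oc}: missing required attribute {required}"))
    return problems


PLACEHOLDER = "undefined"   # value the patch stores for an empty MUST userType


def normalize_user_attrs(name, user_type="", user_state="", telephone=""):
    """Client-side rule from the patch description: reject an empty MUST name,
    omit empty MAY attributes instead of storing "" or " ", and store a
    placeholder for the MUST userType so the entry passes syntax checking."""
    if name == "":
        raise ValueError("name is a MUST attribute and cannot be empty")
    attrs = {"objectClass": ["top", "person", "pkiUser"],
             "cn": [name], "sn": [name], "uid": [name]}
    if telephone:
        attrs["telephoneNumber"] = [telephone]
    if user_state:
        attrs["userState"] = [user_state]
    attrs["userType"] = [user_type if user_type else PLACEHOLDER]
    return attrs


def read_user_attrs(entry):
    """Reverse mapping on read: an absent MAY attribute and the placeholder
    userType both come back as "", so layers above the DB see no change."""
    user_type = entry.get("userType", [""])[0]
    return {"name": entry["cn"][0],
            "telephoneNumber": entry.get("telephoneNumber", [""])[0],
            "userState": entry.get("userState", [""])[0],
            "userType": "" if user_type == PLACEHOLDER else user_type}


# Constructed from the tokenRecord entry quoted in the thread, keeping only the
# attributes in the assumed schema; note the empty tokenReason value.
TOKEN_ENTRY = {
    "cn": ["10000000000000000006"],
    "objectClass": ["top", "tokenRecord"],
    "tokenUserID": ["tuser2"],
    "tokenStatus": ["active"],
    "tokenReason": [""],
    "tokenType": ["userKey"],
}

if __name__ == "__main__":
    for code, msg in check_entry(TOKEN_ENTRY):
        print(f"TPS entry rejected, err={code}: {msg}")
    user = normalize_user_attrs("alice")
    print("user entry problems:", check_entry(user))
    print("user as read back:", read_user_attrs(user))
```

Running it shows the TPS entry failing on tokenReason alone, while a user created with every optional field blank is accepted and reads back with "" in each field. The "store a space" approach the description rejects would also pass the syntax check, which is exactly why it is the wrong fix: the space would come back out of the directory as data.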