Bug 448005
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | AuthTokenSubjectNameDefault plugin derives SubjectName incorrectly | | |
| Product | [Retired] Dogtag Certificate System | Reporter | Aleksander Adamowski <bugs-redhat> |
| Component | Certificate Manager | Assignee | Ade Lee <alee> |
| Status | CLOSED NOTABUG | QA Contact | Chandrasekar Kannan <ckannan> |
| Severity | low | Docs Contact | |
| Priority | urgent | | |
| Version | 1.0 | CC | benl |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2009-05-01 20:39:53 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 443788 | | |
| Attachments | | | |
Description
Aleksander Adamowski
2008-05-22 20:36:41 UTC

Created attachment 306421 [details]
suggested fix (needs verifying)

Created attachment 306502 [details]
The proper patch

OK, so I've figured out how to build Dogtag sources and made some tests.
Obviously my patch was wrong (it was purely speculative guesswork anyway).
So I've made a patch that actually works, has been tested in a real
environment, and I'm attaching it.
Note that since the subjectName generation started working properly, now
you'll have to customise the LDAP-based certificate profiles to accommodate this
(they were assuming the old incorrect DNs) - notably the "Subject Name
Constraint".
Dogtag's default profile has the following subject name constraint pattern:
UID=.*
While the subjectName generated by the UidPwdDirAuth plugin by default looks more
like this: "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c", so it won't ever match
the constraint's pattern since it cannot possibly begin with "UID=".
In my configuration, I've changed the pattern to this and the new LDAP-based
subject names got accepted:
.*CN=.*
So in short, my caDirUserCert.cfg has the following now:
...
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=.*CN=.*
policyset.userCertSet.1.constraint.params.accept=true
...
instead of:
...
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=UID=.*
policyset.userCertSet.1.constraint.params.accept=true
...
BTW, I'm a member of the cla_done group (see https://bugzilla.redhat.com/show_bug.cgi?id=442228#c6 for confirmation by rmeggins). If you find this patch to be correct, please commit it. It has certainly fixed the problem for us.

This is not a bug. Please refer to the following section in the CS 7.3 Admin Guide http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/index.html

******************
Section 13.7.20 (Subject Name Default)

If you need to get a certificate subject name that uses the DNPATTERN value from the UidPwdDirAuth plugin, then configure the profile to use the Subject Name Default plugin and substitute the Name parameter with the "Subject Name" from the AuthToken as shown below.

policyset.userCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.userCertSet.1.default.name=Subject Name Default
policyset.userCertSet.1.default.params.name=$request.auth_token.tokenCertSubject$
******************
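An added example (not code from this bug report or from Dogtag) that illustrates the two points discussed above: how a UidPwdDirAuth-style dnpattern such as "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c" expands into a subject name from an LDAP entry, and why a profile's Subject Name Constraint pattern accepts or rejects the result. The LDAP entry and the extra DNs are constructed; the assumption that the constraint is applied as a full regular-expression match over the subject DN string, and the helper names (`expand_dnpattern`, `subject_name_allowed`), are mine rather than Dogtag's.

```python
import re

# Constructed LDAP entry (not taken from the bug report).
LDAP_ENTRY = {
    "dn": "uid=jdoe,ou=People,o=Example Corp,c=PL",
    "attrs": {"mail": "jdoe@example.com", "cn": "John Doe", "uid": "jdoe"},
}

# Patterns quoted in the report: the original constraint, the loosened one,
# and the dnpattern the directory-auth plugin uses by default.
ORIGINAL_CONSTRAINT = r"UID=.*"
LOOSENED_CONSTRAINT = r".*CN=.*"
DNPATTERN = "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c"

# A tighter constraint (my suggestion, not from the report) that still accepts
# the LDAP-derived names but pins the organisation and country RDNs.
TIGHT_CONSTRAINT = r"E=[^,]+, CN=[^,]+, O=Example Corp, C=PL"


def parse_dn(dn):
    """Split a DN string into {attribute-type (lowercase): value}.

    Simplified parser: no support for escaped commas or multi-valued RDNs,
    which is enough for the constructed samples here.
    """
    parts = {}
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        parts[attr_type.strip().lower()] = value.strip()
    return parts


def expand_dnpattern(pattern, entry):
    """Expand $attr.<name> from the entry's attributes and $dn.<name> from
    the RDNs of the entry's DN, the way a dnpattern-style template would.

    Raises KeyError when the entry lacks a referenced attribute, so a
    half-expanded subject is never silently produced.
    """
    dn_parts = parse_dn(entry["dn"])

    def substitute(match):
        source_kind, name = match.group(1), match.group(2).lower()
        source = entry["attrs"] if source_kind == "attr" else dn_parts
        if name not in source:
            raise KeyError(f"entry has no {source_kind}.{name}")
        return source[name]

    return re.sub(r"\$(attr|dn)\.([A-Za-z0-9]+)", substitute, pattern)


def subject_name_allowed(subject, constraint_pattern):
    """Assumed constraint semantics: the whole subject DN string must match
    the configured regular expression."""
    return re.fullmatch(constraint_pattern, subject) is not None


def evaluate(entry):
    """Expand the dnpattern for an entry and report which constraints pass."""
    subject = expand_dnpattern(DNPATTERN, entry)
    return {
        "subject": subject,
        "original": subject_name_allowed(subject, ORIGINAL_CONSTRAINT),
        "loosened": subject_name_allowed(subject, LOOSENED_CONSTRAINT),
        "tight": subject_name_allowed(subject, TIGHT_CONSTRAINT),
    }


if __name__ == "__main__":
    result = evaluate(LDAP_ENTRY)
    print("generated subject:", result["subject"])
    for name in ("original", "loosened", "tight"):
        print(f"  {name:9s} constraint -> {'accept' if result[name] else 'reject'}")

    # Constructed DN showing how broad the loosened pattern is: anything
    # containing "CN=" anywhere is accepted, regardless of O or C.
    stray = "O=Somewhere Else, CN=Anyone"
    print("loosened accepts", repr(stray), "->",
          subject_name_allowed(stray, LOOSENED_CONSTRAINT))
    print("tight accepts", repr(stray), "->",
          subject_name_allowed(stray, TIGHT_CONSTRAINT))
```

Run as a script it prints the expanded subject and the verdict of each constraint. The generated name starts with "E=", so "UID=.*" rejects it exactly as the report describes, while ".*CN=.*" accepts it. The last two lines show the trade-off of that fix: under full-match semantics ".*CN=.*" also accepts a subject with any organisation or country, so a pattern that pins the O and C RDNs keeps the LDAP-derived names working without giving up the restriction the original UID-only pattern provided.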