Bug 761610

Summary: The system can't authenticate user with none hashed pin
Product: [Retired] Dogtag Certificate System
Component: Authentication
Version: 1.2
Status: CLOSED EOL
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: bbonok
Assignee: Christina Fu <cfu>
QA Contact: Ben Levenson <benl>
CC: dpal, nkinder
Doc Type: Bug Fix
Last Closed: 2020-03-27 18:39:49 UTC
Bug Blocks: 530474

Description bbonok 2011-12-08 17:40:54 UTC
Description of problem:
The user can't be authenticated when a non-hashed pin is generated.

How reproducible:
Generate a non-hashed pin with the setpin tool.

Reason:
Have a look at the com.netscape.cms.authentication.UidPwdPinDirAuthentication class.

What does the system actually do?

1. Look in LDAP
2. Fetch the pin attribute
3. ALWAYS concatenate userdn with the value in the ldap pin attribute
4. Look at the first byte - to hash or not to hash
5. If the value is '-' there is no hashing.
6. The validation is a comparison between what the user typed in the PIN field in the web form and the "userdn + pin" string. (Expected: the system compares the entered pin with the ldap pin value.)


Additional info:
When setpin generates a hashed pin, it also concatenates userdn with the pin. That string (userdn + pin) is then hashed with the sha1 hash (see the setpin.c file).
This is the reason the user can be authenticated when setpin generates pins.

See also bug: #761603
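
The mismatch described in this report, as an added example that is not code from Dogtag or from the reporter. It is a simplified model: it assumes the DN is prepended to the entered pin before hashing or comparing. The class name, method names, the 0x00 SHA-1 sentinel value and the sample DN and pin are all assumptions made for illustration; only the '-' marker and the sha1(userdn + pin) form come from the report.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class PinCheckDemo {
    static final byte SHA1 = 0x00; // assumed sentinel value for this sketch
    static final byte NONE = '-';  // "no hashing" marker named in the report

    static byte[] sha1(String s) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Stored attribute value in this model: one sentinel byte, then the payload.
    static byte[] store(byte sentinel, byte[] payload) {
        byte[] out = new byte[payload.length + 1];
        out[0] = sentinel;
        System.arraycopy(payload, 0, out, 1, payload.length);
        return out;
    }

    // Behaviour described in the report: the DN is always prepended,
    // even when the sentinel says the stored pin is not hashed.
    static boolean checkAsReported(byte[] stored, String dn, String entered) throws Exception {
        if (stored.length < 1) return false; // empty attribute never matches
        String joined = dn + entered;
        byte[] candidate = stored[0] == NONE ? joined.getBytes(StandardCharsets.UTF_8) : sha1(joined);
        return MessageDigest.isEqual(candidate, Arrays.copyOfRange(stored, 1, stored.length));
    }

    // Expected behaviour: a non-hashed pin is compared with the entered pin alone.
    static boolean checkExpected(byte[] stored, String dn, String entered) throws Exception {
        if (stored.length < 1) return false;
        byte[] candidate = stored[0] == NONE ? entered.getBytes(StandardCharsets.UTF_8) : sha1(dn + entered);
        return MessageDigest.isEqual(candidate, Arrays.copyOfRange(stored, 1, stored.length));
    }

    public static void main(String[] args) throws Exception {
        String dn = "uid=jdoe,ou=people,dc=example,dc=com"; // constructed sample entry
        String pin = "k3Rz9q";                               // constructed sample pin
        byte[] hashed = store(SHA1, sha1(dn + pin));         // hashed form: sha1(userdn + pin)
        byte[] plain = store(NONE, pin.getBytes(StandardCharsets.UTF_8));

        System.out.println("hashed pin, check as reported: " + checkAsReported(hashed, dn, pin));
        System.out.println("plain pin,  check as reported: " + checkAsReported(plain, dn, pin));
        System.out.println("plain pin,  expected check:    " + checkExpected(plain, dn, pin));
        System.out.println("hashed pin, expected check:    " + checkExpected(hashed, dn, pin));
    }
}
```

Both checks accept the hashed entry, because the generator and the verifier agree on the userdn + pin input; only the '-' branch differs between them.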