| Summary: | Can't configure UidPwdPinDirAuth with removePin | ||
|---|---|---|---|
| Product: | [Retired] Dogtag Certificate System | Reporter: | bbonok |
| Component: | Console | Assignee: | Dmitri Pal <dpal> |
| Status: | CLOSED EOL | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | unspecified | CC: | alee, cfu, nkinder |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-03-27 18:38:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 530474 | ||
|
Description
bbonok
2012-01-22 14:07:08 UTC
Seen on RHCS 8.0 After above steps you have to set and pinmanager password from
auths.instance.PinDirEnrollment.ldap.ldapauth.bindPWPrompt
The error is gone.
If you generate certificate with this plugin you get:
----
The Certificate System has encountered an unrecoverable error.
Error Message:
java.lang.NullPointerException
Please contact your local administrator for assistance.
----
in the web page and
----
May 1, 2012 7:37:26 PM org.apache.catalina.core.ApplicationContext log
INFO: caProfileSubmit: java.lang.NullPointerException
at com.netscape.cms.authentication.UidPwdPinDirAuthentication.checkpin(UidPwdPinDirAuthentication.java:327)
at com.netscape.cms.authentication.UidPwdPinDirAuthentication.authenticate(UidPwdPinDirAuthentication.java:247)
at com.netscape.cms.authentication.DirBasedAuthentication.authenticate(DirBasedAuthentication.java:344)
at com.netscape.cms.servlet.profile.ProfileSubmitServlet.authenticate(ProfileSubmitServlet.java:285)
at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:930)
at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:501)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:542)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
at java.lang.Thread.run(Thread.java:679)
----
in catalina.out log file
If you uncheck removepin option the certificate is generated.
Once unchecked in can't be checked again. You get ldaperror(49) - invalid credentials.
P.S After i change CS.cfg, i restart the CA subsystem
I had the following added (via Console) and it added ok: auths.instance.PinDirEnrollment.dnpattern=ou=People,dc=dddd,dc=sjc,dc=redhat,dc=com auths.instance.PinDirEnrollment.ldapByteAttributes= auths.instance.PinDirEnrollment.ldapStringAttributes= auths.instance.PinDirEnrollment.pinAttr=pin auths.instance.PinDirEnrollment.pluginName=UidPwdPinDirAuth auths.instance.PinDirEnrollment.removePin=true auths.instance.PinDirEnrollment.ldap.basedn=ou=People,dc=dddd,dc=sjc,dc=redhat,dc=com auths.instance.PinDirEnrollment.ldap.maxConns= auths.instance.PinDirEnrollment.ldap.minConns= auths.instance.PinDirEnrollment.ldap.ldapauth.authtype=BasicAuth auths.instance.PinDirEnrollment.ldap.ldapauth.bindDN=uid=pinmanager,ou=People,dc=dddd,dc=sjc,dc=redhat,dc=com auths.instance.PinDirEnrollment.ldap.ldapauth.bindPWPrompt=Rule PinDirEnrollment auths.instance.PinDirEnrollment.ldap.ldapauth.clientCertNickname= auths.instance.PinDirEnrollment.ldap.ldapconn.host=xxxx.dddd.sjc.redhat.com auths.instance.PinDirEnrollment.ldap.ldapconn.port=38933 auths.instance.PinDirEnrollment.ldap.ldapconn.secureConn=false auths.instance.PinDirEnrollment.ldap.ldapconn.version=3 I want to add that although auth instance for UidPwdPinDirAuthentication was added successfully, the enrollment itself was not. It could be my configuration though. I added some debugging and it shows that the pin digest encoding is unknown. setpin uses SHA1. Anyway, this is a different issue than the bug subject though. After hours of investigation i saw what is the problem. The problem is that when you press OK on Setting uidpindir authenticator the form doesn't check the pin user with supplied password in the password field. This is the reason of LDAP error 49. After searching in Documentation i find that all passwords used in CA system are in password.conf file. In CS.cfg there is field auths.instance.PinDirEnrollment.ldap.ldapauth.bindPWPrompt=Rule PinDirEnrollment The value in this field should be in password.conf file to point auths.instance.PinDirEnrollment.ldap.ldapauth.bindDN password like Rule\ PinDirEnrollment=PinPass if pinuser password is PinPass The row shoud be created BEFORE configure UidPinDir authenticator. Then the remove pin setting will work. I think that the form should create this row in password.conf file but it didn't. I suppose the resent versions have this bug too. |