Description of problem:
This issue is raised by jonesy on #fedora-ds: admin's passwd in the clear in admin-serv/config/adm.conf. Why is it there in clear text? There's already an encrypted passwd stored in admin-serv/config/admpw. I tried changing the sieid: line in adm.conf to some bogus passwd; upon admin server restart, an attempt to login to the console fails with 500. In the admin error log the error says "Unauthorized host". It returned to normal after I changed the sieid line back to the correct passwd and restarted the admin server. Weird.

Version-Release number of selected component (if applicable):
20050524.1

How reproducible:
Consistently
Can we open this bug? There are a couple of people on the Fedora DS list who would like to track it. Alternately, I can dup this bug as an FDS bug.
Created attachment 128333 [details]
cvs diffs

Files:
modified: include/libadminutil/admutil.h lib/libadminutil/Makefile lib/libadminutil/admutil.c lib/libadminutil/admutil_pvt.h lib/libadmsslutil/Makefile
new: lib/libadminutil/admutil_enc.c

Change description:
1) Introduced admutil_encryption and _decryption.
2) In the function admldapBuildInfoCbk, which reads from adm.conf and sets the info in the internal structure admInfo: if the admin password siepid is encrypted, decrypt it and use it to authenticate with the config directory server. If the siepid value is not encrypted, encrypt it and update adm.conf.

Sample adm.conf:
===================================
ldapHost: laputa.sfbay.redhat.com
ldapPort: 55555
sie: cn=admin-serv-laputa, cn=Red Hat Administration Server, cn=Server Group, cn=laputa.sfbay.redhat.com, ou=sfbay.redhat.com, o=NetscapeRoot
siepid: {crypt}xX1B0anmsDjPyL2MDnQvAw==
isie: cn=Red Hat Administration Server, cn=Server Group, cn=laputa.sfbay.redhat.com, ou=sfbay.redhat.com, o=NetscapeRoot
port: 55550
ldapStart: slapd-laputa/start-slapd
===================================

As described above, if a user replaces "siepid: ..." with the right clear text password, it still works, and it's encrypted on the next start-admin.

admin-serv/config dir now has these db files. (I believe only key3.db is being used.)
$ ls admin-serv/config/*db
admin-serv/config/cert8.db admin-serv/config/secmod.db admin-serv/config/key3.db
Note: the previous changes are made to AdminUtil.
Created attachment 128334 [details]
cvs diffs (adminserver)

Files:
nsconfig.mk admserv/pkgadmin.mk admserv/cgi-src40/download.c admserv/newinst/insadm/config.c admserv/newinst/src/Makefile admserv/newinst/src/ux-config.cc admserv/newinst/src/ux-config.h admserv/newinst/src/ux-remove.cc admserv/newinst/src/ux-update.cc

Change description:
1) To run the pre-install program ns-config, set rpath "lib" on the program, and have the dependent shared libraries in <date>/<platform>/admin/lib:
libadminutil.so* libicui18n.so.34 libplc4.so* libsoftokn3.so* libadmsslutil.so* libicuuc.so.34 libplds4.so* libssl3.so* libfreebl3.chk libldap50.so* libprldap50.so* libssldap50.so* libfreebl3.so* libnspr4.so* libsmime3.so* libicudata.so.34 libnss3.so* libsoftokn3.chk
2) If pre-install ns-config finds an encrypted password in adm.conf, it decrypts it before sending it to the config directory server.
3) Post-install ns-update decrypts the admin password and stores it in adm.conf.
misc) download.c had a buffer size problem which was causing the cgi crash.
Created attachment 128335 [details]
cvs diffs (ldapserver)

Files:
ldap/clients/dsgw/Makefile

Change description:
1) Add a dependency on NSS to the DSGW build.
misc) Pick up the new version of WinSync.
Comments #2 - #5 were cancelled based upon the team discussion.

New implementation: When the admin server needs the configuration info, instead of asking the Directory Server, get it from the local cache file (local.conf). Only when the configuration needs to be updated does accessing the DS happen. At that time, the admin password is provided by the user and it can be used to get authenticated on the Directory Server. This way, we eliminate the admin password (siepid) from adm.conf.
Created attachment 128637 [details]
cvs diffs (adminutil)

Files:
include/libadminutil/admutil.h lib/libadminutil/Makefile lib/libadminutil/admutil.c lib/libadminutil/admutil_pvt.h lib/libadminutil/psetc.c lib/libadminutil/uginfo.c lib/libadmsslutil/Makefile lib/libadmsslutil/psetcssl.c

Change description:
1) The sie password is no longer stored in adm.conf. Instead, get it from the client via PIPE.
2) Added subordinate functions admldapGetXXX to retrieve the ldap handle, directory URL, and userDN.
3) Updated Makefiles to clean up the old files from the previous make.
Created attachment 128638 [details]
cvs diff (mod_admserv)

File:
mod_admserv.c

Change description:
Check if the ldap handle is set in the admin ldap info structure (AdmldapInfo). If it is not set, the Admin Server does not have an admin user password / SIE password, and it has not connected to the Directory Server. In this case, gather the necessary info from the local cache.
Created attachment 128640 [details]
cvs diffs (adminserver)

Files:
admserv/cgi-src40/config.c admserv/cgi-src40/download.c admserv/cgi-src40/htmladmin.c admserv/cgi-src40/sec-activate.c admserv/newinst/insadm/config.c admserv/newinst/src/Makefile admserv/newinst/src/ux-config.cc admserv/newinst/src/ux-remove.cc admserv/newinst/src/ux-update.cc

Change description:
1) ns-update (ux-update.cc) stops storing the admin password (siepid) in adm.conf. By calling psetCreate, it generates the local cache file local.conf in the post-install phase.
2) ns-update links with adminutil and its dependent components. ns-update has an RPATH pointing to the components' location.
3) Got rid of the code retrieving the admin password from adm.conf in ns-config (ux-config.cc) and ns-remove (ux-remove.cc). Both have the info input by the user.
4) Some CGI debugging (download.c and htmladmin.c). Most of the htmladmin.c change is from Rich's fix -- not checked in, yet. W/o the fix, cannot access the admin server from the browser...
Created attachment 128828 [details]
cvs diffs (adminutil)

Files:
include/libadminutil/admutil.h lib/libadminutil/Makefile lib/libadminutil/admutil.c lib/libadminutil/admutil_pvt.h lib/libadminutil/psetc.c lib/libadminutil/uginfo.c lib/libadmsslutil/Makefile lib/libadmsslutil/psetcssl.c

Change description:
1) The sie password is no longer stored in adm.conf. Instead, get it from the client via PIPE.
2) Added subordinate functions admldapGetXXX to retrieve the ldap handle, directory URL, and userDN.
3) Updated Makefiles to clean up the old files from the previous make.
4) Increased the buffer size to read in the local cache files.
Created attachment 128829 [details]
cvs diff mod_admserv.c

File:
mod_admserv.c

Change description:
1) In the initialization (mod_admserv_post_config), check whether the ldap handle is set in the admin ldap info structure (AdmldapInfo). If it is not set, the Admin Server does not have an admin user password / SIE password, and it has not connected to the Directory Server. In this case, gather the necessary info from the local cache. Also, set the task StartConfigDS in the HashTable for the admin server to start the Config DS in case the server is down.
2) Where it expects the sie password (from adm.conf), get it from the PIPE that the user provided (if possible).
Created attachment 128830 [details]
cvs diffs (adminserver)

Files:
admserv/cgi-src40/download.c admserv/cgi-src40/htmladmin.c admserv/cgi-src40/sec-activate.c admserv/newinst/insadm/config.c admserv/newinst/src/Makefile admserv/newinst/src/ux-config.cc admserv/newinst/src/ux-remove.cc admserv/newinst/src/ux-update.cc

Change description:
1) ns-update (ux-update.cc) stops storing the admin password (siepid) in adm.conf. By calling psetCreate, it generates the local cache file local.conf in the post-install phase.
2) ns-update links with adminutil and its dependent components. ns-update has an RPATH pointing to the components' location.
3) Got rid of the code retrieving the admin password from adm.conf in ns-config (ux-config.cc) and ns-remove (ux-remove.cc). Both have the info input by the user.
4) Some CGI debugging (download.c and htmladmin.c). Most of the htmladmin.c change is from Rich's fix -- not checked in, yet. W/o the fix, cannot access the admin server from the browser...
Created attachment 128921 [details] cvs commit message (adminutil) Reviewed by Nathan and Rich. (Thank you!)
Created attachment 128922 [details] cvs commit mod_admserv.c Reviewed by Nathan and Rich. (Thank you!!)
Created attachment 128926 [details] cvs commit message (adminserver) Reviewed by Nathan and Rich. (Thank you!!!)
How to verify the bug:
1) Install DS7.2.
2) $ grep -i siepid <server_root>/admin-serv/config/adm.conf
If the command line returns nothing, the bug has been fixed.
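An added check for the verification step above (example code, not from the thread or the project): it parses the "key: value" format of adm.conf shown earlier in the thread and reports whether a siepid entry is absent (the fixed state), carries a {crypt}-style prefix (the abandoned encryption scheme), or sits in the clear. The sample contents are constructed; the host names and password are placeholders.

```python
import re
import sys
from typing import Dict

# Constructed sample modelled on the adm.conf excerpt in the thread.
SAMPLE_CLEARTEXT = """\
ldapHost: example.internal
ldapPort: 55555
sie: cn=admin-serv-example, cn=Red Hat Administration Server, o=NetscapeRoot
siepid: placeholder-admin-password
port: 55550
"""
SAMPLE_ENCRYPTED = SAMPLE_CLEARTEXT.replace(
    "siepid: placeholder-admin-password", "siepid: {crypt}xX1B0anmsDjPyL2MDnQvAw==")
SAMPLE_FIXED = "\n".join(l for l in SAMPLE_CLEARTEXT.splitlines()
                         if not l.lower().startswith("siepid:")) + "\n"


def parse_adm_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines into a dict with lower-cased keys.

    Only the first ':' separates key from value, so DN values that
    contain ':' elsewhere are preserved intact.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def classify_siepid(text: str) -> str:
    """Return 'absent', 'encrypted' or 'cleartext' for the siepid entry."""
    value = parse_adm_conf(text).get("siepid")
    if value is None:
        return "absent"          # post-fix state: no password in the file
    if re.match(r"^\{[A-Za-z0-9]+\}", value):
        return "encrypted"       # {crypt}... form from the cancelled patches
    return "cleartext"           # the state the bug report describes


if __name__ == "__main__":
    # Usage: audit_adm_conf.py <server_root>/admin-serv/config/adm.conf
    with open(sys.argv[1], encoding="utf-8") as fh:
        print(classify_siepid(fh.read()))
```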
DS7.2 is not a valid milestone anymore. Anything that's set to DS7.2 should be set to DS8.0. Will make further changes per bug council on 07/24/2007, after this.
Verified. PASS
Test machine: neo.dsdev.sjc.redhat.com (RHEL 32bit) & VM machine with Fedora 7 installed
Test steps: please follow Noriko's comments.
Test result: pass