Red Hat Bugzilla – Bug 446685
LDAP publisher doesn't store the bind password properly
Last modified: 2015-01-04 18:32:23 EST
Description of problem:
When configuring the LDAP publisher's LDAP connection (pkiconsole -> Certificate
Manager -> Publishing), one can set a dedicated LDAP account's DN and password
for publishing. Then one can assign proper ACLs in the LDAP directory so that
account can only modify publishing-related attributes.
However, the bind password isn't properly stored in password.conf.
Instead, after pki-ca restart, the LDAP publisher tries to bind to the LDAP
directory with the same password, as internaldb (according to LDAP protocol
dumps from the network).
If a different bind DN was configured for LDAP publishing, it will result in
LDAP error 49 - invalid credentials, and the following errors are logged in
12716.main - [15/May/2008:18:30:55 CEST]   In Ldap (bound) connection pool
to host localhost port 389, Cannot connect to LDAP server. Error:
netscape.ldap.LDAPException: error result (49)
12716.main - [15/May/2008:18:30:55 CEST]   Publishing: Ldap Publishing
Module failed with Could not connect to LDAP server host localhost port 389
Error netscape.ldap.LDAPException: error result (49)
12716.main - [15/May/2008:18:30:55 CEST]   CAs Publishing Module failed
Various attempts to supply the LDAP password in password.conf didn't help:
CA LDAP Publishing=PUBLISHER_PASSWORD
LDAP publisher tries to bind with internaldb's password (but ldappublish's
Eventually, using the directory manager's DN for LDAP publisher binding worked,
but it gives LDAP publisher unnecessary level of access to the directory, and is
a security risk.
Created attachment 310301 [details]
fix for dogtag.
The fix contains the following:
* password set at pkiconsole will be saved to password file
* restart of the server is not necessary, in most cases.
* if the password of ldap and password.conf are out of sync to start with,
setting the password at pkiconsole will require restart of server.
Jack, please review.
jmagne+ attachment (id=310301)
$ svn commit
Transmitting file data .....
Committed revision 63.
backing out fix because of bug#453485.
$ svn commit src
Transmitting file data .....
Committed revision 64.
Created attachment 311321 [details]
this fix will allow publishing to different ldap server other than internaldb
fixed the installation issue from the earlier backed out fix.
jmagne, please review.
Created attachment 311398 [details]
spec file diff
jmagne+ attachment (id=311321), (id=311398)
$ svn commit linux/common/pki-common.spec base/common/src
Transmitting file data ......
Committed revision 67.
Note: changing the password from the console for ldap publishing will always
result in the password being written to the password.conf. Although the admin
will be warned if the password happends to be invalid. When this happens, the
admin is expected to re-enter the password until it is right.
Bug already MODIFIED. setting target CS8.0 and marking screened+
1. add user to Directory server uid=pkiuser,ou=people,o=redhat
2. set aci on ou=people allowing pkiuser to manage only userCertificate,
caCertificate and certificateRevocationList
3. enabled publishing binding as pkiuser.
4. Updated Directory Server
5. Newly issued certificate, caCertificate and CRL published successfully.
6. Changed DS user's password, updated the CS connection information.
7. Verified change in password.conf
8. Updated Directory Server