Description of problem: When configuring the LDAP publisher's LDAP connection (pkiconsole -> Certificate Manager -> Publishing), one can set a dedicated LDAP account's DN and password for publishing. Then one can assign proper ACLs in the LDAP directory so that account can only modify publishing-related attributes. However, the bind password isn't properly stored in password.conf. Instead, after pki-ca restart, the LDAP publisher tries to bind to the LDAP directory with the same password, as internaldb (according to LDAP protocol dumps from the network). If a different bind DN was configured for LDAP publishing, it will result in LDAP error 49 - invalid credentials, and the following errors are logged in /var/log/pki-ca/system: 12716.main - [15/May/2008:18:30:55 CEST] [8] [3] In Ldap (bound) connection pool to host localhost port 389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: error result (49) 12716.main - [15/May/2008:18:30:55 CEST] [8] [3] Publishing: Ldap Publishing Module failed with Could not connect to LDAP server host localhost port 389 Error netscape.ldap.LDAPException: error result (49) 12716.main - [15/May/2008:18:30:55 CEST] [3] [3] CAs Publishing Module failed with {0} Various attempts to supply the LDAP password in password.conf didn't help: internaldb=INTERNALDB_PASSWORD ca.publish.ldappublish.ldap=PUBLISHER_PASSWORD ca.publish.ldappublish=PUBLISHER_PASSWORD ca.publish=PUBLISHER_PASSWORD ca=PUBLISHER_PASSWORD ldappublish=PUBLISHER_PASSWORD publish=PUBLISHER_PASSWORD CA LDAP Publishing=PUBLISHER_PASSWORD LDAP publisher tries to bind with internaldb's password (but ldappublish's bindDN) regardless. Eventually, using the directory manager's DN for LDAP publisher binding worked, but it gives LDAP publisher unnecessary level of access to the directory, and is a security risk.
Created attachment 310301 [details] fix for dogtag. The fix contains the following: * password set at pkiconsole will be saved to password file * restart of the server is not necessary, in most cases. * if the password of ldap and password.conf are out of sync to start with, setting the password at pkiconsole will require restart of server. Jack, please review.
jmagne+ attachment (id=310301)
$ svn commit Sending src/com/netscape/certsrv/ldap/ILdapConnModule.java Sending src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java Sending src/com/netscape/cmscore/ldap/LdapConnModule.java Sending src/com/netscape/cmscore/ldap/PublisherProcessor.java Sending src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java Transmitting file data ..... Committed revision 63.
backing out fix because of bug#453485. $ svn commit src Sending src/com/netscape/certsrv/ldap/ILdapConnModule.java Sending src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java Sending src/com/netscape/cmscore/ldap/LdapConnModule.java Sending src/com/netscape/cmscore/ldap/PublisherProcessor.java Sending src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java Transmitting file data ..... Committed revision 64.
Created attachment 311321 [details] this fix will allow publishing to different ldap server other than internaldb fixed the installation issue from the earlier backed out fix. jmagne, please review.
Created attachment 311398 [details] spec file diff
jmagne+ attachment (id=311321), (id=311398)
$ svn commit linux/common/pki-common.spec base/common/src Sending base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java Sending base/common/src/com/netscape/cmscore/apps/CMSEngine.java Sending base/common/src/com/netscape/cmscore/ldap/LdapConnModule.java Sending base/common/src/com/netscape/cmscore/ldap/PublisherProcessor.java Sending base/common/src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java Sending linux/common/pki-common.spec Transmitting file data ...... Committed revision 67. $ pwd /home/cfu/dogtag/src4/pki Note: changing the password from the console for ldap publishing will always result in the password being written to the password.conf. Although the admin will be warned if the password happends to be invalid. When this happens, the admin is expected to re-enter the password until it is right.
Bug already MODIFIED. setting target CS8.0 and marking screened+
Verified: 1. add user to Directory server uid=pkiuser,ou=people,o=redhat 2. set aci on ou=people allowing pkiuser to manage only userCertificate, caCertificate and certificateRevocationList 3. enabled publishing binding as pkiuser. 4. Updated Directory Server 5. Newly issued certificate, caCertificate and CRL published successfully. 6. Changed DS user's password, updated the CS connection information. 7. Verified change in password.conf 8. Updated Directory Server