Bug 446685 - LDAP publisher doesn't store the bind password properly
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: Certificate Manager
Version: 1.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Christina Fu
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 443788

Reported: 2008-05-15 13:04 EDT by Aleksander Adamowski
Modified: 2015-01-04 18:32 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-22 19:28:52 EDT


Attachments
fix for dogtag. (13.08 KB, text/plain)
2008-06-25 18:08 EDT, Christina Fu
this fix will allow publishing to different ldap server other than internaldb (15.16 KB, text/plain)
2008-07-08 18:18 EDT, Christina Fu
spec file diff (970 bytes, text/x-patch)
2008-07-09 14:19 EDT, Christina Fu

Description Aleksander Adamowski 2008-05-15 13:04:22 EDT
Description of problem:

When configuring the LDAP publisher's LDAP connection (pkiconsole -> Certificate
Manager -> Publishing), one can set a dedicated LDAP account's DN and password
for publishing. Then one can assign proper ACLs in the LDAP directory so that
account can only modify publishing-related attributes.

However, the bind password isn't properly stored in password.conf.

Instead, after pki-ca restart, the LDAP publisher tries to bind to the LDAP
directory with the same password, as internaldb (according to LDAP protocol
dumps from the network).

If a different bind DN was configured for LDAP publishing, it will result in
LDAP error 49 - invalid credentials, and the following errors are logged in
/var/log/pki-ca/system:

12716.main - [15/May/2008:18:30:55 CEST] [8] [3] In Ldap (bound) connection pool
to host localhost port 389, Cannot connect to LDAP server. Error:
netscape.ldap.LDAPException: error result (49)
12716.main - [15/May/2008:18:30:55 CEST] [8] [3] Publishing: Ldap Publishing
Module failed with Could not connect to LDAP server host localhost port 389
Error netscape.ldap.LDAPException: error result (49)
12716.main - [15/May/2008:18:30:55 CEST] [3] [3] CAs Publishing Module failed
with {0}

Various attempts to supply the LDAP password in password.conf didn't help:

internaldb=INTERNALDB_PASSWORD
ca.publish.ldappublish.ldap=PUBLISHER_PASSWORD
ca.publish.ldappublish=PUBLISHER_PASSWORD
ca.publish=PUBLISHER_PASSWORD
ca=PUBLISHER_PASSWORD
ldappublish=PUBLISHER_PASSWORD
publish=PUBLISHER_PASSWORD
CA LDAP Publishing=PUBLISHER_PASSWORD

LDAP publisher tries to bind with internaldb's password (but ldappublish's
bindDN) regardless.

Eventually, using the directory manager's DN for LDAP publisher binding worked,
but it gives LDAP publisher unnecessary level of access to the directory, and is
a security risk.
Comment 1 Christina Fu 2008-06-25 18:08:32 EDT
Created attachment 310301 [details]
fix for dogtag.

The fix contains the following:
* password set at pkiconsole will be saved to password file
* restart of the server is not necessary, in most cases.
* if the password of ldap and password.conf are out of sync to start with,
setting the password at pkiconsole will require restart of server.

Jack, please review.
Comment 2 Jack Magne 2008-06-26 13:24:19 EDT
jmagne+ attachment (id=310301)
Comment 3 Christina Fu 2008-06-26 13:48:36 EDT
$ svn commit
Sending        src/com/netscape/certsrv/ldap/ILdapConnModule.java
Sending        src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
Sending        src/com/netscape/cmscore/ldap/LdapConnModule.java
Sending        src/com/netscape/cmscore/ldap/PublisherProcessor.java
Sending        src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java
Transmitting file data .....
Committed revision 63.
Comment 4 Christina Fu 2008-07-02 11:52:07 EDT
backing out fix because of bug#453485.

$ svn commit src
Sending        src/com/netscape/certsrv/ldap/ILdapConnModule.java
Sending        src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
Sending        src/com/netscape/cmscore/ldap/LdapConnModule.java
Sending        src/com/netscape/cmscore/ldap/PublisherProcessor.java
Sending        src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java
Transmitting file data .....
Committed revision 64.
Comment 5 Christina Fu 2008-07-08 18:18:58 EDT
Created attachment 311321 [details]
this fix will allow publishing to different ldap server other than internaldb

fixed the installation issue from the earlier backed out fix.

jmagne, please review.
Comment 6 Christina Fu 2008-07-09 14:19:10 EDT
Created attachment 311398 [details]
spec file diff
Comment 7 Jack Magne 2008-07-09 14:20:44 EDT
jmagne+ attachment (id=311321), (id=311398)
Comment 8 Christina Fu 2008-07-09 14:33:37 EDT
$ svn commit linux/common/pki-common.spec base/common/src
Sending        base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
Sending        base/common/src/com/netscape/cmscore/apps/CMSEngine.java
Sending        base/common/src/com/netscape/cmscore/ldap/LdapConnModule.java
Sending        base/common/src/com/netscape/cmscore/ldap/PublisherProcessor.java
Sending        base/common/src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java
Sending        linux/common/pki-common.spec
Transmitting file data ......
Committed revision 67.
$ pwd
/home/cfu/dogtag/src4/pki

Note: changing the password from the console for ldap publishing will always
result in the password being written to the password.conf, although the admin
will be warned if the password happens to be invalid. When this happens, the
admin is expected to re-enter the password until it is right.
Comment 9 Chandrasekar Kannan 2008-08-26 20:28:58 EDT
Bug already MODIFIED. setting target CS8.0 and marking screened+
Comment 13 Jenny Galipeau 2009-06-25 15:17:12 EDT
Verified:

1. add user to Directory server uid=pkiuser,ou=people,o=redhat
2. set aci on ou=people allowing pkiuser to manage only userCertificate,
caCertificate and certificateRevocationList
3. enabled publishing binding as pkiuser.
4. Updated Directory Server
5. Newly issued certificate, caCertificate and CRL published successfully.
6. Changed DS user's password, updated the CS connection information.
7. Verified change in password.conf
8. Updated Directory Server
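The least-privilege setup that Comment 13 verifies (a dedicated publishing account that may write only the three published attributes) expressed as 389 Directory Server LDIF. This is an added example, not an attachment or configuration from this bug; it assumes the DNs from Comment 13 (uid=pkiuser,ou=people,o=redhat, ACI placed on ou=people,o=redhat), 389 DS ACI syntax, and a placeholder password. It is the alternative to the workaround the reporter fell back to, binding the publisher as Directory Manager, which in 389 DS bypasses ACIs entirely and so cannot be constrained at all.

```ldif
# Added example (not from the bug report). Apply as the directory
# administrator, e.g.:
#   ldapmodify -x -D "cn=Directory Manager" -W -f publisher-aci.ldif
# DNs follow Comment 13; adjust them to your own suffix.

# 1. The dedicated publishing account (constructed entry). Its password is
#    what pkiconsole -> Certificate Manager -> Publishing stores in
#    password.conf once the fix from this bug is installed.
dn: uid=pkiuser,ou=people,o=redhat
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: pkiuser
cn: CA publishing account
sn: pkiuser
userPassword: REPLACE_WITH_PUBLISHER_PASSWORD

# 2. Let pkiuser write only userCertificate, caCertificate and
#    certificateRevocationList on entries under ou=people. No add or
#    delete of entries and no other attributes, so a leaked publisher
#    credential cannot change passwords, group membership or the ACIs.
dn: ou=people,o=redhat
changetype: modify
add: aci
aci: (targetattr = "userCertificate || caCertificate || certificateRevocationList")
 (version 3.0; acl "CA publisher may write certificate attributes only";
 allow (write) userdn = "ldap:///uid=pkiuser,ou=people,o=redhat";)
```

The publisher still has to locate the target entry before it modifies it, so pkiuser also needs read/search on those entries; a default 389 DS install grants that anonymously, and if that default ACI has been removed, add an `allow (read, search, compare)` rule for the same userdn. After the account's password is rotated (Comment 13, steps 6 to 8), the thing to watch is the log line from the original report: `error result (49)` in /var/log/pki-ca/system means password.conf and the directory are out of sync, exactly the situation Comment 8 says the console will warn about.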
