Bug 446685 - LDAP publisher doesn't store the bind password properly
Summary: LDAP publisher doesn't store the bind password properly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Certificate Manager
Version: 1.0
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Christina Fu
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 443788
TreeView+ depends on / blocked
 
Reported: 2008-05-15 17:04 UTC by Aleksander Adamowski
Modified: 2015-01-04 23:32 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-07-22 23:28:52 UTC
Embargoed:


Attachments (Terms of Use)
fix for dogtag. (13.08 KB, text/plain)
2008-06-25 22:08 UTC, Christina Fu
no flags Details
this fix will allow publishing to different ldap server other than internaldb (15.16 KB, text/plain)
2008-07-08 22:18 UTC, Christina Fu
no flags Details
spec file diff (970 bytes, text/x-patch)
2008-07-09 18:19 UTC, Christina Fu
no flags Details

Description Aleksander Adamowski 2008-05-15 17:04:22 UTC
Description of problem:

When configuring the LDAP publisher's LDAP connection (pkiconsole -> Certificate
Manager -> Publishing), one can set a dedicated LDAP account's DN and password
for publishing. Then one can assign proper ACLs in the LDAP directory so that
account can only modify publishing-related attributes.

However, the bind password isn't properly stored in password.conf.

Instead, after pki-ca restart, the LDAP publisher tries to bind to the LDAP
directory with the same password, as internaldb (according to LDAP protocol
dumps from the network).

If a different bind DN was configured for LDAP publishing, it will result in
LDAP error 49 - invalid credentials, and the following errors are logged in
/var/log/pki-ca/system:

12716.main - [15/May/2008:18:30:55 CEST] [8] [3] In Ldap (bound) connection pool
to host localhost port 389, Cannot connect to LDAP server. Error:
netscape.ldap.LDAPException: error result (49)
12716.main - [15/May/2008:18:30:55 CEST] [8] [3] Publishing: Ldap Publishing
Module failed with Could not connect to LDAP server host localhost port 389
Error netscape.ldap.LDAPException: error result (49)
12716.main - [15/May/2008:18:30:55 CEST] [3] [3] CAs Publishing Module failed
with {0}

Various attempts to supply the LDAP password in password.conf didn't help:

internaldb=INTERNALDB_PASSWORD
ca.publish.ldappublish.ldap=PUBLISHER_PASSWORD
ca.publish.ldappublish=PUBLISHER_PASSWORD
ca.publish=PUBLISHER_PASSWORD
ca=PUBLISHER_PASSWORD
ldappublish=PUBLISHER_PASSWORD
publish=PUBLISHER_PASSWORD
CA LDAP Publishing=PUBLISHER_PASSWORD

LDAP publisher tries to bind with internaldb's password (but ldappublish's
bindDN) regardless.

Eventually, using the directory manager's DN for LDAP publisher binding worked,
but it gives LDAP publisher unnecessary level of access to the directory, and is
a security risk.

Comment 1 Christina Fu 2008-06-25 22:08:32 UTC
Created attachment 310301 [details]
fix for dogtag.

The fix contains the following:
* password set at pkiconsole will be saved to password file
* restart of the server is not necessary, in most cases.
* if the password of ldap and password.conf are out of sync to start with,
setting the password at pkiconsole will require restart of server.

Jack, please review.

Comment 2 Jack Magne 2008-06-26 17:24:19 UTC
jmagne+ attachment (id=310301)

Comment 3 Christina Fu 2008-06-26 17:48:36 UTC
$ svn commit
Sending        src/com/netscape/certsrv/ldap/ILdapConnModule.java
Sending        src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
Sending        src/com/netscape/cmscore/ldap/LdapConnModule.java
Sending        src/com/netscape/cmscore/ldap/PublisherProcessor.java
Sending        src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java
Transmitting file data .....
Committed revision 63.

Comment 4 Christina Fu 2008-07-02 15:52:07 UTC
backing out fix because of bug#453485.

$ svn commit src
Sending        src/com/netscape/certsrv/ldap/ILdapConnModule.java
Sending        src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
Sending        src/com/netscape/cmscore/ldap/LdapConnModule.java
Sending        src/com/netscape/cmscore/ldap/PublisherProcessor.java
Sending        src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java
Transmitting file data .....
Committed revision 64.


Comment 5 Christina Fu 2008-07-08 22:18:58 UTC
Created attachment 311321 [details]
this fix will allow publishing to different ldap server other than internaldb

fixed the installation issue from the earlier backed out fix.

jmagne, please review.

Comment 6 Christina Fu 2008-07-09 18:19:10 UTC
Created attachment 311398 [details]
spec file diff

Comment 7 Jack Magne 2008-07-09 18:20:44 UTC
jmagne+ attachment (id=311321), (id=311398)

Comment 8 Christina Fu 2008-07-09 18:33:37 UTC
$ svn commit linux/common/pki-common.spec base/common/src
Sending       
base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
Sending        base/common/src/com/netscape/cmscore/apps/CMSEngine.java
Sending        base/common/src/com/netscape/cmscore/ldap/LdapConnModule.java
Sending        base/common/src/com/netscape/cmscore/ldap/PublisherProcessor.java
Sending        base/common/src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java
Sending        linux/common/pki-common.spec
Transmitting file data ......
Committed revision 67.
$ pwd
/home/cfu/dogtag/src4/pki

Note: changing the password from the console for ldap publishing will always
result in the password being written to the password.conf.  Although the admin
will be warned if the password happends to be invalid. When this happens, the
admin is expected to re-enter the password until it is right.


Comment 9 Chandrasekar Kannan 2008-08-27 00:28:58 UTC
Bug already MODIFIED. setting target CS8.0 and marking screened+

Comment 13 Jenny Severance 2009-06-25 19:17:12 UTC
Verified:

1. add user to Directory server uid=pkiuser,ou=people,o=redhat
2. set aci on ou=people allowing pkiuser to manage only userCertificate,
caCertificate and certificateRevocationList
3. enabled publishing binding as pkiuser.
4. Updated Directory Server
5. Newly issued certificate, caCertificate and CRL published successfully.
6. Changed DS user's password, updated the CS connection information.
7. Verified change in password.conf
8. Updated Directory Server


Note You need to log in before you can comment on or make changes to this bug.