Recently, for another bug, we put in some code that performs proper LDAP authentication failover. Unfortunately, it turns out this code breaks the case where a bind dn is specified in the TPS's CS.cfg. This type of LDAP authentication is used in Security Officer mode. It appears that the regular user bind with regular TPS authentication works just fine. To follow is a simple patch that fixes this.
The reason why the code is broken is because Security Officer related LDAP auth requires simple binding. There is a call in the code to perform this simple binding, but unfortunately, due to the new failover code, this binding is not done in the proper place.
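To make the ordering problem concrete, the following is an added C++ model, not the TPS source or any Dogtag code: it performs no real libldap calls, and the struct names, hostnames, DNs and passwords in it are constructed. It contrasts the broken ordering (the bind-DN simple bind is performed before failover picks the server, so the connection that later runs the user search was never bound) with the corrected ordering (failover first, then the simple bind on the connection actually obtained, then the user check). The regular-auth case with no bind DN succeeds either way, matching the behaviour described in the report.

```cpp
#include <iostream>
#include <map>
#include <optional>
#include <string>
#include <vector>

// One server in the failover list (constructed model, not the project's own types).
struct LdapServer {
    std::string host;
    bool reachable;                             // whether a connect attempt succeeds
    bool requireBindForSearch;                  // true for the Security Officer directory here
    std::string bindDn;                         // DN the server accepts for the simple bind
    std::string bindPw;
    std::map<std::string, std::string> users;   // uid -> password (directory contents)
};

// A connection to whichever server the failover logic actually reached.
struct Connection {
    const LdapServer* server = nullptr;
    bool boundAsBindDn = false;                 // simple bind succeeded on THIS connection
};

enum class AuthResult { Ok, NoServer, BindDnRejected, SearchDenied, UserRejected };

// Failover: walk the configured hosts in order and keep the first reachable one.
std::optional<Connection> connectWithFailover(const std::vector<LdapServer>& servers) {
    for (const auto& s : servers)
        if (s.reachable) return Connection{&s, false};
    return std::nullopt;
}

// Simple bind with the bind DN from the configuration; an empty DN means stay anonymous.
bool simpleBind(Connection& c, const std::string& dn, const std::string& pw) {
    if (dn.empty()) return true;
    if (dn == c.server->bindDn && pw == c.server->bindPw) {
        c.boundAsBindDn = true;
        return true;
    }
    return false;
}

// Look the user up and check the password; the search needs a bound connection when
// the directory demands one (the Security Officer case in this model).
AuthResult checkUser(const Connection& c, const std::string& uid, const std::string& pw) {
    if (c.server->requireBindForSearch && !c.boundAsBindDn) return AuthResult::SearchDenied;
    auto it = c.server->users.find(uid);
    if (it == c.server->users.end() || it->second != pw) return AuthResult::UserRejected;
    return AuthResult::Ok;
}

// Broken ordering: the bind is done against the primary before failover runs, so the
// connection the search uses afterwards never saw the bind.
AuthResult authenticateBindBeforeFailover(const std::vector<LdapServer>& servers,
                                          const std::string& bindDn, const std::string& bindPw,
                                          const std::string& uid, const std::string& pw) {
    Connection primary{&servers.front(), false};
    if (primary.server->reachable && !simpleBind(primary, bindDn, bindPw))
        return AuthResult::BindDnRejected;
    auto conn = connectWithFailover(servers);   // fresh, unbound connection
    if (!conn) return AuthResult::NoServer;
    return checkUser(*conn, uid, pw);
}

// Corrected ordering: obtain the connection first, then simple-bind on that connection.
AuthResult authenticateBindAfterFailover(const std::vector<LdapServer>& servers,
                                         const std::string& bindDn, const std::string& bindPw,
                                         const std::string& uid, const std::string& pw) {
    auto conn = connectWithFailover(servers);
    if (!conn) return AuthResult::NoServer;
    if (!simpleBind(*conn, bindDn, bindPw)) return AuthResult::BindDnRejected;
    return checkUser(*conn, uid, pw);
}

// Constructed scenario: primary down, secondary up. In Security Officer mode the
// directory only allows the search over a bound connection.
std::vector<LdapServer> sampleServers(bool securityOfficerMode) {
    std::map<std::string, std::string> users{{"so1", "so1pass"}, {"user1", "user1pass"}};
    const std::string dn = "cn=tps,ou=agents,dc=example,dc=test";   // constructed DN
    return {
        {"ldap1.example.test", false, securityOfficerMode, dn, "agentpw", users},
        {"ldap2.example.test", true,  securityOfficerMode, dn, "agentpw", users},
    };
}

int main() {
    const std::string dn = "cn=tps,ou=agents,dc=example,dc=test";
    auto r1 = authenticateBindBeforeFailover(sampleServers(true), dn, "agentpw", "so1", "so1pass");
    auto r2 = authenticateBindAfterFailover(sampleServers(true), dn, "agentpw", "so1", "so1pass");
    std::cout << "bind before failover: " << (r1 == AuthResult::Ok ? "Ok" : "failed") << '\n';
    std::cout << "bind after failover:  " << (r2 == AuthResult::Ok ? "Ok" : "failed") << '\n';
    return 0;
}
```

The point of the model is that a simple bind is a property of one connection: once failover hands back a different (or re-established) connection, the bind has to be repeated on it before the user search, which is what moving the bind call after the failover step achieves.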
Created attachment 350710 [details] Patch to fix this issue. This should fix the issue. I've tested the regular auth case and the security officer auth case. CFU, please review and see if you can determine that this fix will not affect the fail over mechanism.
(In reply to comment #2) > Created an attachment (id=350710) [details] cfu+
Spec file: Index: pki-tps.spec =================================================================== --- pki-tps.spec (revision 683) +++ pki-tps.spec (working copy) @@ -34,7 +34,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.1.0 -%define base_release 41 +%define base_release 42 %define base_group System Environment/Daemons %define base_vendor Red Hat, Inc. %define base_license LGPLv2 with exceptions @@ -314,6 +314,8 @@ ############################################################################### %changelog +* Tue Jul 7 2009 Jack Magne <jmagne> 1.1.0-42 +- Bugzilla Bug #309941 - TPS LDAP auth with bind dn broken. * Mon Jul 6 2009 Andrew Wnuk <awnuk> 1.1.0-41 - Bugzilla Bug #509833 - cleaning debug log * Mon Jul 6 2009 Matthew Harmsen <mharmsen> 1.1.0-40
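Review bot: the new %changelog entry in the second hunk cites "Bugzilla Bug #309941", which looks like a transposed digit: the commit message on this page uses #509941 and the neighbouring entries are in the #509xxx range, so the line should read `- Bugzilla Bug #509941 - TPS LDAP auth with bind dn broken.` The release bump in the first hunk (41 to 42) matches the 1.1.0-42 header of the new entry.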
svn commit -m "Bugzilla Bug #509941 TPS LDAP auth with bind dn broken" Sending base/tps/src/authentication/LDAP_Authentication.cpp Sending dogtag/tps/pki-tps.spec Transmitting file data .. Committed revision 684.
Fixed in next TPS build.
Verified. LDAP authentication works fine in the Security Officer mode. Able to enroll a security officer token, login to the so workstation and enroll/format user tokens.