Bug 547527 - dogtag does not work with latest 389 DS
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Retired
Component: Internal Database (LDAP)
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: medium
: ---
: ---
Assigned To: Ade Lee
Chandrasekar Kannan
Duplicates: 818211 818321
Depends On:
Blocks: dogtagIPAv2
Reported: 2009-12-14 16:12 EST by Ade Lee
Modified: 2015-01-05 20:18 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-19 11:53:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
patch to fix (9.47 KB, patch) - 2009-12-16 10:24 EST, Ade Lee
patch to fix (version 2) (10.09 KB, patch) - 2009-12-16 21:52 EST, Ade Lee
patch to fix (v3) (14.19 KB, patch) - 2009-12-17 01:46 EST, Ade Lee
patch to fix small bug (2.59 KB, patch) - 2009-12-22 16:57 EST, Ade Lee
patch for clone syntax issue (2.67 KB, patch) - 2010-01-25 16:29 EST, Ade Lee


External Trackers
Red Hat Product Errata RHSA-2012:1103 (priority: normal, status: SHIPPED_LIVE) - Moderate: pki security and enhancement update - last updated 2012-07-19 15:53:12 EDT

Description Ade Lee 2009-12-14 16:12:25 EST
Description of problem:

Several problems:
1. The certificateRecord object has an attribute "subject" which used to be defined in the 28pilot.ldif schema.  Due to changes to update this schema, the subject attribute has been removed.  We need to either 
a) find a replacement attribute outside the CS schema
b) define a custom attribute within CS schema
c) remove the attribute

An exhaustive search through the code and existing databases indicates that this attribute is not used.  Therefore, we propose to remove this attribute from the schemas.

2. If syntax checking is enabled on the DS, all kinds of problems arise when we attempt to save the empty string "" for certain attributes.  In particular, this arises in two cases (that we know of):

a) when making a request (with some fields missing). The attributes ext-* adorn the request object which has extensibleObject as an auxiliary class.  These classes use Directory String (which is 1*UTF) in the syntax checker.  This will be changed in DS to use OctetString instead (which is *UTF).  Until this is available, disable syntax checking on the DS.

b) When doing the installation, we try to save "" for the telephone Number of the admin user .. We need to put in a dummy variable here.

c) there may be more of this kind of issue ..
Comment 2 Ade Lee 2009-12-16 10:24:01 EST
Created attachment 378777 [details]
patch to fix

patch removes subject field.
and adds checks in places where DS syntax is required (mostly for user creation).

awnuk, please review.
Comment 3 Ade Lee 2009-12-16 21:52:38 EST
Created attachment 378882 [details]
patch to fix (version 2)

On discussion with awnuk, correct practice is to not store a value when the value is an empty string (rather than store a space).  The updated patch does that.

In particular:

In DonePanel.java, we throw an exception because the parameter "name" is a MUST parameter.

In UGSubsystem.java, for telephoneNumber and userState, we do not store the values at all if the values are "".  This is OK because when the values are read from the db, we set these parameters to "" in the User object if the attribute is not defined.

For userType (which is a MUST parameter), we store the value "undefined" if the value is "".  When the value is read, we set the value to "" in the User object if the value read is not defined or is "undefined".  Thus, the change here is transparent to any level above the db layer.

In UpdateDomainXML .. we simply error out if any required parameters are missing and create an error accordingly.

Migration steps for users with old data will be posted in a separate comment to this bug.
Comment 4 Ade Lee 2009-12-17 01:46:56 EST
Created attachment 378910 [details]
patch to fix (v3)

Fixed a couple of issues that occur on modifying the user.

Also fixed a console issue - the user state was not modifiable.  Now it is.
Incidentally, users created by console do not have option to select user type - nor can they be modified.  Not going to fix this here .. sigh ..
Comment 5 Ade Lee 2009-12-17 01:48:46 EST
Oops - ignore the selinux changes .. They are coming - just not in this bug :)
Comment 6 Andrew Wnuk 2009-12-17 18:03:45 EST
attachment (id=378910) +awnuk
Comment 7 Ade Lee 2009-12-17 21:07:36 EST
Commit for this bug and for 547571 (to tip):

[builder@dhcp231-70 base]$ svn ci -m "Bugzilla BZ 547571: Apply PKI SELinux changes to PKI registry model"
Sending        base/ca/shared/conf/schema.ldif
Sending        base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Sending        base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
Sending        base/kra/shared/conf/schema.ldif
Sending        base/ocsp/shared/conf/schema.ldif
Sending        base/selinux/src/pki.fc
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        base/tks/shared/conf/schema.ldif
Transmitting file data ...........
Committed revision 894.

Commit to 8.1 tip:

[builder@oliver base]$ svn ci -m "BZ 547527: dogtag does not work with latest 389 DS"
Sending        base/ca/shared/conf/schema.ldif
Sending        base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Sending        base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
Sending        base/kra/shared/conf/schema.ldif
Sending        base/ocsp/shared/conf/schema.ldif
Sending        base/tks/shared/conf/schema.ldif
Transmitting file data ........
Committed revision 895.
Comment 8 Ade Lee 2009-12-22 16:57:43 EST
Created attachment 379921 [details]
patch to fix small bug

awnuk, please review
Comment 9 Andrew Wnuk 2009-12-22 17:07:17 EST
attachment (id=379921) +awnuk
Comment 10 Ade Lee 2009-12-22 17:20:11 EST
Commit to 8.1:

[builder@goofy-vm4 base]$ svn ci -m "BZ547527 -  dogtag does not work with latest 389 DS - fix small bug" 
Sending        base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Transmitting file data .
Committed revision 902.

Commit to tip:
[builder@dhcp231-70 pki]$ svn ci -m "BZ547527 -  dogtag does not work with latest 389 DS - fix small bug" base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Transmitting file data .
Committed revision 903.
Comment 12 Ade Lee 2010-01-25 16:29:47 EST
Created attachment 386708 [details]
patch for clone syntax issue

mharmsen, please review
Comment 13 Matthew Harmsen 2010-01-25 17:15:44 EST
attachment (id=386708) +mharmsen
Comment 14 Ade Lee 2010-01-25 17:17:28 EST
[builder@dhcp231-70 pki]$ svn ci -m "BZ 547527: not working with latest 389" base
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Transmitting file data ..
Committed revision 940.
Comment 15 Fedora Update System 2010-01-25 22:04:36 EST
pki-common-1.3.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-1.fc11
Comment 16 Fedora Update System 2010-01-25 22:17:25 EST
pki-common-1.3.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-1.fc12
Comment 17 Fedora Update System 2010-01-25 22:38:46 EST
pki-common-1.3.1-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-1.el5
Comment 18 Kashyap Chamarthy 2010-01-29 11:21:35 EST
verified on F-12 with 389-ds-1.1.3-5.fc12.noarch, and dogtag pki-ca-1.3.0-7.fc12.noarch.

The config below confirms that syntax checking is ON and that the default syntax for undefined attributes is 'octet string':
======================================================
[root@f12-alpha slapd-f12-alpha]# cat dse.ldif | grep -i syntaxcheck
nsslapd-syntaxcheck: on
[root@f12-alpha slapd-f12-alpha]# cat dse.ldif | grep -i octet
dn: cn=Octet String Syntax,cn=plugins,cn=config
cn: Octet String Syntax
nsslapd-pluginInitfunc: octetstring_init
nsslapd-pluginId: octetstring-syntax
nsslapd-pluginDescription: octet string attribute syntax plugin
======================================================

-- CA configures/cert enrollment works fine.
Comment 19 Fedora Update System 2010-02-03 03:09:28 EST
pki-common-1.3.1-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-2.fc12
Comment 20 Fedora Update System 2010-02-03 03:16:28 EST
pki-common-1.3.1-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-2.fc11
Comment 21 Fedora Update System 2010-02-16 08:21:53 EST
pki-common-1.3.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2010-02-16 08:24:32 EST
pki-common-1.3.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2010-02-22 17:37:02 EST
pki-common-1.3.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Nathan Kinder 2012-06-21 11:31:26 EDT
The entries being added during TPS enrollment look like this:

====================================================
dn: cn=10000000000000000006,ou=Tokens,dc=cspki.lab.eng.pnq.redhat.com-pki-tps
cn: 10000000000000000006
objectClass: top
objectClass: tokenRecord
dateOfCreate: 20120621193746Z
dateOfModify: 20120621193748Z
modified: 0
tokenUserID: tuser2
tokenStatus: active
tokenAppletID: 1.4.4d40a449
numberOfResets: 0
numberOfEnrollments: 0
numberOfRenewals: 0
numberOfRecoveries: 0
keyInfo: 0101
tokenPolicy: RE_ENROLL=YES
tokenReason:
tokenType: userKey
====================================================

The ADD of this entry is rejected by Directory Server with err=21 (invalid syntax).

The problem is that the "tokenReason" attribute is defined to use the "Directory String" syntax.  RFC 4517 defines this syntax as so:

    DirectoryString = 1*UTF8

This means that an empty attribute value will be rejected as a syntax violation when syntax checking is enabled.
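A worked model of the failure described above and in the original description, together with the workaround from comment 3 (omit optional attributes whose value is "", store "undefined" for a MUST attribute and map it back to "" on read). This is an added example, not Dogtag's or 389 DS's own code; the schema fragment, the `ext-placeholder` attribute and the function names are constructed for illustration.

```python
# Added example (not Dogtag's or 389 DS's code): emulate the 389 DS syntax
# check that rejects empty values, then apply the comment-3 workaround.
# The schema fragment below is constructed for this example.

LDAP_INVALID_SYNTAX = 21  # the err=21 result seen in comment 27

# attribute -> (syntax name, MUST?)
# DirectoryString is 1*UTF8 (RFC 4517) and may not be empty;
# OctetString is *UTF8 and may be empty.
SCHEMA = {
    "uid":             ("DirectoryString", True),
    "userType":        ("DirectoryString", True),
    "telephoneNumber": ("DirectoryString", False),
    "userState":       ("DirectoryString", False),
    "tokenUserID":     ("DirectoryString", False),
    "tokenReason":     ("DirectoryString", False),
    "ext-placeholder": ("OctetString", False),  # assumed ext-* after the DS change
}

def syntax_check(attrs):
    """Return (0, []) if every value satisfies its syntax, otherwise
    (LDAP_INVALID_SYNTAX, offending attributes), as the DS plugin would."""
    bad = []
    for attr, values in attrs.items():
        syntax, _ = SCHEMA.get(attr, ("DirectoryString", False))  # assume 1*UTF8 if unknown
        if syntax != "OctetString" and any(v == "" for v in values):
            bad.append(attr)
    return (LDAP_INVALID_SYNTAX if bad else 0, bad)

def to_ldap_attrs(fields):
    """Build the attribute set for an ADD from application fields that use ""
    for 'unset': empty optional attributes are not stored, empty MUST
    attributes get the "undefined" placeholder."""
    attrs = {}
    for attr, value in fields.items():
        _, required = SCHEMA.get(attr, ("DirectoryString", False))
        if value != "":
            attrs[attr] = [value]
        elif required:
            attrs[attr] = ["undefined"]  # keeps the MUST constraint satisfied
    return attrs

def from_ldap_attrs(attrs, wanted):
    """Reverse the mapping: an absent attribute and the "undefined"
    placeholder both read back as "", so layers above the DB see no change."""
    out = {}
    for attr in wanted:
        v = attrs.get(attr, [""])[0]
        out[attr] = "" if v == "undefined" else v
    return out

if __name__ == "__main__":
    user = {"uid": "admin", "userType": "", "telephoneNumber": "", "userState": ""}
    print(syntax_check({a: [v] for a, v in user.items()}))  # (21, ['userType', 'telephoneNumber', 'userState'])
    stored = to_ldap_attrs(user)
    print(syntax_check(stored))                              # (0, [])
    print(from_ldap_attrs(stored, user) == user)             # True
```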
Comment 28 Nathan Kinder 2012-06-21 17:06:02 EDT
I have also found that the "tokenUserID" attribute is added with an empty value during token enrollment, which violates the "Directory String" syntax.
Comment 29 Nathan Kinder 2012-06-21 17:12:10 EDT
I think that the TPS related syntax validation issues (mentioned in comment 27 and comment 28) should be handled in a new separate bug.
Comment 30 Nathan Kinder 2012-06-26 10:29:21 EDT
*** Bug 818211 has been marked as a duplicate of this bug. ***
Comment 31 Nathan Kinder 2012-06-26 10:31:39 EDT
*** Bug 818321 has been marked as a duplicate of this bug. ***
Comment 32 Kashyap Chamarthy 2012-06-27 00:46:03 EDT
VERIFIED.

Env. Info:
----------
- CS 8.1 on RHEL 5.8 w/ latest errata bits
- nss/nspr versions:
nss-3.13.5-1.el6_3.x86_64
nspr-4.9.1-1.el6_3.x86_64

- 389-ds-base version
[root@panther slapd-cs81ldap]# rpm -q 389-ds-base
389-ds-base-1.2.10.2-15.el6.x86_64

Test Info: non-TMS(CA,KRA,OCSP) env is successfully configured w/ DS9.0
#-----------------------------------------------------------------------------#
[root@cspki pki-ca]# egrep -i 'securitydomain.|internaldb.ldapconn' /etc/pki-ca/CS.cfg 
internaldb.ldapconn.cloneStartTLS=false
internaldb.ldapconn.host=panther.lab.eng.pnq.redhat.com
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
securitydomain.checkinterval=300000
securitydomain.flushinterval=86400000
securitydomain.host=cspki.lab.eng.pnq.redhat.com
securitydomain.httpport=9180
securitydomain.httpsadminport=9445
securitydomain.httpsagentport=9443
securitydomain.httpseeport=9444
securitydomain.name=silentdom
securitydomain.select=new
securitydomain.source=ldap
securitydomain.store=ldap
service.securityDomainPort=9443
[root@cspki pki-ca]# 
#-----------------------------------------------------------------------------#
[root@cspki pki-ca]# egrep -i 'securitydomain.|internaldb.ldapconn' /etc/pki-kra/CS.cfg 
internaldb.ldapconn.cloneStartTLS=false
internaldb.ldapconn.host=panther.lab.eng.pnq.redhat.com
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
securitydomain.host=cspki.lab.eng.pnq.redhat.com
securitydomain.httpport=9180
securitydomain.httpsadminport=9445
securitydomain.httpsagentport=9443
securitydomain.httpseeport=9444
securitydomain.name=silentdom
securitydomain.select=existing
securitydomain.store=ldap
service.securityDomainPort=10443
[root@cspki pki-ca]# 
#-----------------------------------------------------------------------------#
[root@cspki ~]# service pki-ca status
pki-ca (pid 29406) is running ...

    Unsecure Port       = http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca
    Secure Agent Port   = https://cspki.lab.eng.pnq.redhat.com:9443/ca/agent/ca
    Secure EE Port      = https://cspki.lab.eng.pnq.redhat.com:9444/ca/ee/ca
    Secure Admin Port   = https://cspki.lab.eng.pnq.redhat.com:9445/ca/services
    EE Client Auth Port = https://cspki.lab.eng.pnq.redhat.com:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://cspki.lab.eng.pnq.redhat.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  silentdom
    URL:   https://cspki.lab.eng.pnq.redhat.com:9445
    ==========================================================================

[root@cspki ~]# service pki-kra status
pki-kra (pid 21855) is running ...

    Unsecure Port     = http://cspki.lab.eng.pnq.redhat.com:10180/kra/ee/kra
    Secure Agent Port = https://cspki.lab.eng.pnq.redhat.com:10443/kra/agent/kra
    Secure EE Port    = https://cspki.lab.eng.pnq.redhat.com:10444/kra/ee/kra
    Secure Admin Port = https://cspki.lab.eng.pnq.redhat.com:10445/kra/services
    PKI Console Port  = pkiconsole https://cspki.lab.eng.pnq.redhat.com:10445/kra
    Tomcat Port       = 10701 (for shutdown)

    PKI Instance Name:   pki-kra

    PKI Subsystem Type:  DRM

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  silentdom
    URL:   https://cspki.lab.eng.pnq.redhat.com:9445
    ==========================================================================

[root@cspki ~]# service pki-ocsp status
pki-ocsp (pid 22851) is running ...

    Unsecure Port     = http://cspki.lab.eng.pnq.redhat.com:11180/ocsp/ee/ocsp
    Secure Agent Port = https://cspki.lab.eng.pnq.redhat.com:11443/ocsp/agent/ocsp
    Secure EE Port    = https://cspki.lab.eng.pnq.redhat.com:11444/ocsp/ee/ocsp
    Secure Admin Port = https://cspki.lab.eng.pnq.redhat.com:11445/ocsp/services
    PKI Console Port  = pkiconsole https://cspki.lab.eng.pnq.redhat.com:11445/ocsp
    Tomcat Port       = 11701 (for shutdown)

    PKI Instance Name:   pki-ocsp

    PKI Subsystem Type:  OCSP

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  silentdom
    URL:   https://cspki.lab.eng.pnq.redhat.com:9445
    ==========================================================================

[root@cspki ~]#
Comment 33 Kashyap Chamarthy 2012-06-27 00:46:38 EDT
NOTE: As mentioned in comment #29, a separate bug was logged for syntax validation issues for 'tokenReason' and 'tokenUserId' attributes -- https://bugzilla.redhat.com/show_bug.cgi?id=835765
Comment 35 errata-xmlrpc 2012-07-19 11:53:35 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1103.html
