Bug 547527 - dogtag does not work with latest 389 DS
Summary: dogtag does not work with latest 389 DS
Status: CLOSED ERRATA
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Internal Database (LDAP)
Version: unspecified
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Keywords:
: 818211 818321 (view as bug list)
Depends On:
Blocks: dogtagIPAv2
TreeView+ depends on / blocked
 
Reported: 2009-12-14 21:12 UTC by Ade Lee
Modified: 2018-11-27 19:31 UTC (History)
7 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2012-07-19 15:53:35 UTC


Attachments (Terms of Use)
patch to fix (9.47 KB, patch)
2009-12-16 15:24 UTC, Ade Lee
no flags Details | Diff
patch to fix (version 2) (10.09 KB, patch)
2009-12-17 02:52 UTC, Ade Lee
no flags Details | Diff
patch to fix (v3) (14.19 KB, patch)
2009-12-17 06:46 UTC, Ade Lee
no flags Details | Diff
patch to fix small bug (2.59 KB, patch)
2009-12-22 21:57 UTC, Ade Lee
no flags Details | Diff
patch for clone syntax issue (2.67 KB, patch)
2010-01-25 21:29 UTC, Ade Lee
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1103 normal SHIPPED_LIVE Moderate: pki security and enhancement update 2012-07-19 19:53:12 UTC

Description Ade Lee 2009-12-14 21:12:25 UTC
Description of problem:

Several problems:
1. The certificateRecord object has an attribute "subject" which used to be defined in the 28pilot.ldif schema.  Due to changes to update this schema, the subject attribute has been removed.  We need to either 
a) find a replacement attribute outside the CS schema
b) define a custom attribute within CS schema
c) remove the attribute

An exhaustive search through the code and existing databases indicates that this attribute is not used.  Therefore, we propose to remove this attribute from the schema's.

2. If Syntax checking is enabled on the DS, all kinds of problems arise when we attempt to save the empty string "" for certain attributes.  In particular, this arises in two cases (that we know of):

a) when making a request (with some fields missing). The attributes ext-* adorn the request object which has extensibleObject as an auxiliary class.  These classes use Directory String (which is 1*UTF) in the syntax checker.  This will be changed in DS to use OctetString instead (which is *UTF).  Until this is available, disable syntax checking on the DS.

b) When doing the installation, we try to save "" for the telephone Number of the admin user .. We need to put in a dummy variable here.

c) there may be more of this kind of issue ..




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 2 Ade Lee 2009-12-16 15:24:01 UTC
Created attachment 378777 [details]
patch to fix

patch removes subject field.
and adds checks in places where DS syntax is required (mostly for user creation).

awnuk, please review.

Comment 3 Ade Lee 2009-12-17 02:52:38 UTC
Created attachment 378882 [details]
patch to fix (version 2)

On discussion with awnuk, correct practice is to not store a value when the value is an empty string (rather than store a space).  The updated patch does that.

In particular:

In DonePanel.java, we throw an exception because the parameter "name" is a MUST parameter.

In UGSubsystem.java, for telephoneNumber and userState, we do not store the values at all if the values are "".  This is OK because when the values are read from the db, we set these parameters to "" in the User object if the attribute is not defined.

For userType (which is a MUST parameter), we store the value "undefined" if the value is "".  When the value is read, we set the value to "" in the User object if the value read is not defined or is "undefined".  Thus, the change here is transparent to any level above the db layer.

In UpdateDomainXML .. we simply error out if any required parameters are missing and create an error accordingly.

Migration steps for users with old data will be posted in a separate comment to this bug.

Comment 4 Ade Lee 2009-12-17 06:46:56 UTC
Created attachment 378910 [details]
patch to fix (v3)

Fixed a couple of issues that occur on modifying the user.

Also fixed a console issue - the user state was not modifiable.  Now it is.
Incidentally, users created by console do not have option to select user type - nor can they be modified.  Not going to fix this here .. sigh ..

Comment 5 Ade Lee 2009-12-17 06:48:46 UTC
Oops - ignore the selinux changes .. They are coming - just not in this bug :)

Comment 6 Andrew Wnuk 2009-12-17 23:03:45 UTC
attachment (id=378910) +awnuk

Comment 7 Ade Lee 2009-12-18 02:07:36 UTC
ommit for this bug and for 547571 (to tip)

[builder@dhcp231-70 base]$ svn ci -m "Bugzilla BZ 547571: Apply PKI SELinux
changes to PKI registry model" 
Sending        base/ca/shared/conf/schema.ldif
Sending       
base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending       
base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Sending        base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
Sending        base/kra/shared/conf/schema.ldif
Sending        base/ocsp/shared/conf/schema.ldif
Sending        base/selinux/src/pki.fc
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        base/tks/shared/conf/schema.ldif
Transmitting file data ...........
Committed revision 894.

Commit to 8.1 tip:

[builder@oliver base]$ svn ci -m "BZ 547527: dogtag does not work with latest
389 DS" 
Sending        base/ca/shared/conf/schema.ldif
Sending       
base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending       
base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Sending        base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
Sending        base/kra/shared/conf/schema.ldif
Sending        base/ocsp/shared/conf/schema.ldif
Sending        base/tks/shared/conf/schema.ldif
Transmitting file data ........
Committed revision 895.

Comment 8 Ade Lee 2009-12-22 21:57:43 UTC
Created attachment 379921 [details]
patch to fix small bug

awnuk, please review

Comment 9 Andrew Wnuk 2009-12-22 22:07:17 UTC
attachment (id=379921) +awnuk

Comment 10 Ade Lee 2009-12-22 22:20:11 UTC
Commit to 8.1:

[builder@goofy-vm4 base]$ svn ci -m "BZ547527 -  dogtag does not work with latest 389 DS - fix small bug" 
Sending        base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Transmitting file data .
Committed revision 902.

Commit to tip:
[builder@dhcp231-70 pki]$ svn ci -m "BZ547527 -  dogtag does not work with latest 389 DS - fix small bug" base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Transmitting file data .
Committed revision 903.

Comment 12 Ade Lee 2010-01-25 21:29:47 UTC
Created attachment 386708 [details]
patch for clone syntax issue

mharmsen, please review

Comment 13 Matthew Harmsen 2010-01-25 22:15:44 UTC
attachment (id=386708) +mharmsen

Comment 14 Ade Lee 2010-01-25 22:17:28 UTC
[builder@dhcp231-70 pki]$ svn ci -m "BZ 547527: not working with latest 389" base
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Transmitting file data ..
Committed revision 940.

Comment 15 Fedora Update System 2010-01-26 03:04:36 UTC
pki-common-1.3.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-1.fc11

Comment 16 Fedora Update System 2010-01-26 03:17:25 UTC
pki-common-1.3.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-1.fc12

Comment 17 Fedora Update System 2010-01-26 03:38:46 UTC
pki-common-1.3.1-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-1.el5

Comment 18 Kashyap Chamarthy 2010-01-29 16:21:35 UTC
verified on F-12 with 389-ds-1.1.3-5.fc12.noarch, and dogtag pki-ca-1.3.0-7.fc12.noarch.

The below config. confirms that  syntax checking is ON and default syntax checking for undefined attributes is 'octet' string
======================================================
[root@f12-alpha slapd-f12-alpha]# cat dse.ldif | grep -i syntaxcheck
nsslapd-syntaxcheck: on
[root@f12-alpha slapd-f12-alpha]# cat dse.ldif | grep -i octet
dn: cn=Octet String Syntax,cn=plugins,cn=config
cn: Octet String Syntax
nsslapd-pluginInitfunc: octetstring_init
nsslapd-pluginId: octetstring-syntax
nsslapd-pluginDescription: octet string attribute syntax plugin
======================================================

-- CA configures/cert enrollment works fine.

Comment 19 Fedora Update System 2010-02-03 08:09:28 UTC
pki-common-1.3.1-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-2.fc12

Comment 20 Fedora Update System 2010-02-03 08:16:28 UTC
pki-common-1.3.1-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/pki-common-1.3.1-2.fc11

Comment 21 Fedora Update System 2010-02-16 13:21:53 UTC
pki-common-1.3.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2010-02-16 13:24:32 UTC
pki-common-1.3.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2010-02-22 22:37:02 UTC
pki-common-1.3.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Nathan Kinder 2012-06-21 15:31:26 UTC
The entries being added during TPS enrollment look like this:

====================================================
dn: cn=10000000000000000006,ou=Tokens,dc=cspki.lab.eng.pnq.redhat.com-pki-tps
cn: 10000000000000000006
objectClass: top
objectClass: tokenRecord
dateOfCreate: 20120621193746Z
dateOfModify: 20120621193748Z
modified: 0
tokenUserID: tuser2
tokenStatus: active
tokenAppletID: 1.4.4d40a449
numberOfResets: 0
numberOfEnrollments: 0
numberOfRenewals: 0
numberOfRecoveries: 0
keyInfo: 0101
tokenPolicy: RE_ENROLL=YES
tokenReason:
tokenType: userKey
====================================================

The ADD of this entry is rejected by Directory Server with err=21 (invalid syntax).

The problem is that the "tokenReason" attribute is defined to use the "Directory String" syntax.  RFC 4517 defines this syntax as so:

    DirectoryString = 1*UTF8

This means that an empty attribute value will be rejected as a syntax violation when syntax checking is enabled.

Comment 28 Nathan Kinder 2012-06-21 21:06:02 UTC
I have also found that the "tokenUserID" attribute is added with an empty value during token enrollment, which violates the "Directory String" syntax.

Comment 29 Nathan Kinder 2012-06-21 21:12:10 UTC
I think that the TPS related syntax validation issues (mentioned in comment 27 and comment 28) should be handled in a new separate bug.

Comment 30 Nathan Kinder 2012-06-26 14:29:21 UTC
*** Bug 818211 has been marked as a duplicate of this bug. ***

Comment 31 Nathan Kinder 2012-06-26 14:31:39 UTC
*** Bug 818321 has been marked as a duplicate of this bug. ***

Comment 32 Kashyap Chamarthy 2012-06-27 04:46:03 UTC
VERIFIED.

Env. Info:
----------
- CS 8.1 on RHEL 5.8 w/ latest errata bits
- nss/nspr versions:
nss-3.13.5-1.el6_3.x86_64
nspr-4.9.1-1.el6_3.x86_64

- 389-ds-base version
[root@panther slapd-cs81ldap]# rpm -q 389-ds-base
389-ds-base-1.2.10.2-15.el6.x86_64

Test Info: non-TMS(CA,KRA,OCSP) env is successfully configured w/ DS9.0
#-----------------------------------------------------------------------------#
[root@cspki pki-ca]# egrep -i 'securitydomain.|internaldb.ldapconn' /etc/pki-ca/CS.cfg 
internaldb.ldapconn.cloneStartTLS=false
internaldb.ldapconn.host=panther.lab.eng.pnq.redhat.com
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
securitydomain.checkinterval=300000
securitydomain.flushinterval=86400000
securitydomain.host=cspki.lab.eng.pnq.redhat.com
securitydomain.httpport=9180
securitydomain.httpsadminport=9445
securitydomain.httpsagentport=9443
securitydomain.httpseeport=9444
securitydomain.name=silentdom
securitydomain.select=new
securitydomain.source=ldap
securitydomain.store=ldap
service.securityDomainPort=9443
[root@cspki pki-ca]# 
#-----------------------------------------------------------------------------#
[root@cspki pki-ca]# egrep -i 'securitydomain.|internaldb.ldapconn' /etc/pki-kra/CS.cfg 
internaldb.ldapconn.cloneStartTLS=false
internaldb.ldapconn.host=panther.lab.eng.pnq.redhat.com
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
securitydomain.host=cspki.lab.eng.pnq.redhat.com
securitydomain.httpport=9180
securitydomain.httpsadminport=9445
securitydomain.httpsagentport=9443
securitydomain.httpseeport=9444
securitydomain.name=silentdom
securitydomain.select=existing
securitydomain.store=ldap
service.securityDomainPort=10443
[root@cspki pki-ca]# 
#-----------------------------------------------------------------------------#
[root@cspki ~]# service pki-ca status
pki-ca (pid 29406) is running ...

    Unsecure Port       = http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca
    Secure Agent Port   = https://cspki.lab.eng.pnq.redhat.com:9443/ca/agent/ca
    Secure EE Port      = https://cspki.lab.eng.pnq.redhat.com:9444/ca/ee/ca
    Secure Admin Port   = https://cspki.lab.eng.pnq.redhat.com:9445/ca/services
    EE Client Auth Port = https://cspki.lab.eng.pnq.redhat.com:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://cspki.lab.eng.pnq.redhat.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  silentdom
    URL:   https://cspki.lab.eng.pnq.redhat.com:9445
    ==========================================================================

[root@cspki ~]# service pki-kra status
pki-kra (pid 21855) is running ...

    Unsecure Port     = http://cspki.lab.eng.pnq.redhat.com:10180/kra/ee/kra
    Secure Agent Port = https://cspki.lab.eng.pnq.redhat.com:10443/kra/agent/kra
    Secure EE Port    = https://cspki.lab.eng.pnq.redhat.com:10444/kra/ee/kra
    Secure Admin Port = https://cspki.lab.eng.pnq.redhat.com:10445/kra/services
    PKI Console Port  = pkiconsole https://cspki.lab.eng.pnq.redhat.com:10445/kra
    Tomcat Port       = 10701 (for shutdown)

    PKI Instance Name:   pki-kra

    PKI Subsystem Type:  DRM

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  silentdom
    URL:   https://cspki.lab.eng.pnq.redhat.com:9445
    ==========================================================================

[root@cspki ~]# service pki-ocsp status
pki-ocsp (pid 22851) is running ...

    Unsecure Port     = http://cspki.lab.eng.pnq.redhat.com:11180/ocsp/ee/ocsp
    Secure Agent Port = https://cspki.lab.eng.pnq.redhat.com:11443/ocsp/agent/ocsp
    Secure EE Port    = https://cspki.lab.eng.pnq.redhat.com:11444/ocsp/ee/ocsp
    Secure Admin Port = https://cspki.lab.eng.pnq.redhat.com:11445/ocsp/services
    PKI Console Port  = pkiconsole https://cspki.lab.eng.pnq.redhat.com:11445/ocsp
    Tomcat Port       = 11701 (for shutdown)

    PKI Instance Name:   pki-ocsp

    PKI Subsystem Type:  OCSP

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  silentdom
    URL:   https://cspki.lab.eng.pnq.redhat.com:9445
    ==========================================================================

[root@cspki ~]#

Comment 33 Kashyap Chamarthy 2012-06-27 04:46:38 UTC
NOTE: As mentioned in comment #29, a separate bug was logged for syntax validation issues for 'tokenReason' and 'tokenUserId' attributes -- https://bugzilla.redhat.com/show_bug.cgi?id=835765

Comment 35 errata-xmlrpc 2012-07-19 15:53:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1103.html


Note You need to log in before you can comment on or make changes to this bug.