If you check the removePin field in the configuration window and press the OK button, the console reports the error:

Could not connect to LDAP server host localhost port 389 Error netscape.ldap.LDAPException: error result(49)

Workaround for this: In CS.cfg there is the option:

auths.instance.PinDirEnrollment.removePin=false

1. Stop the system
2. Change the option to 'true': auths.instance.PinDirEnrollment.removePin=true
3. Start the system
Seen on RHCS 8.0
After the above steps you have to set the pinmanager password from auths.instance.PinDirEnrollment.ldap.ldapauth.bindPWPrompt. The error is gone. If you generate a certificate with this plugin you get:

----
The Certificate System has encountered an unrecoverable error.
Error Message:
java.lang.NullPointerException
Please contact your local administrator for assistance.
----

in the web page and

----
May 1, 2012 7:37:26 PM org.apache.catalina.core.ApplicationContext log
INFO: caProfileSubmit: java.lang.NullPointerException
    at com.netscape.cms.authentication.UidPwdPinDirAuthentication.checkpin(UidPwdPinDirAuthentication.java:327)
    at com.netscape.cms.authentication.UidPwdPinDirAuthentication.authenticate(UidPwdPinDirAuthentication.java:247)
    at com.netscape.cms.authentication.DirBasedAuthentication.authenticate(DirBasedAuthentication.java:344)
    at com.netscape.cms.servlet.profile.ProfileSubmitServlet.authenticate(ProfileSubmitServlet.java:285)
    at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:930)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:501)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:124)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:542)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
    at java.lang.Thread.run(Thread.java:679)
----

in the catalina.out log file.

If you uncheck the removepin option the certificate is generated. Once unchecked it can't be checked again. You get ldaperror(49) - invalid credentials.

P.S. After I change CS.cfg, I restart the CA subsystem.
I had the following added (via Console) and it added OK:

auths.instance.PinDirEnrollment.dnpattern=ou=People,dc=dddd,dc=sjc,dc=redhat,dc=com
auths.instance.PinDirEnrollment.ldapByteAttributes=
auths.instance.PinDirEnrollment.ldapStringAttributes=
auths.instance.PinDirEnrollment.pinAttr=pin
auths.instance.PinDirEnrollment.pluginName=UidPwdPinDirAuth
auths.instance.PinDirEnrollment.removePin=true
auths.instance.PinDirEnrollment.ldap.basedn=ou=People,dc=dddd,dc=sjc,dc=redhat,dc=com
auths.instance.PinDirEnrollment.ldap.maxConns=
auths.instance.PinDirEnrollment.ldap.minConns=
auths.instance.PinDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.PinDirEnrollment.ldap.ldapauth.bindDN=uid=pinmanager,ou=People,dc=dddd,dc=sjc,dc=redhat,dc=com
auths.instance.PinDirEnrollment.ldap.ldapauth.bindPWPrompt=Rule PinDirEnrollment
auths.instance.PinDirEnrollment.ldap.ldapauth.clientCertNickname=
auths.instance.PinDirEnrollment.ldap.ldapconn.host=xxxx.dddd.sjc.redhat.com
auths.instance.PinDirEnrollment.ldap.ldapconn.port=38933
auths.instance.PinDirEnrollment.ldap.ldapconn.secureConn=false
auths.instance.PinDirEnrollment.ldap.ldapconn.version=3
I want to add that although the auth instance for UidPwdPinDirAuthentication was added successfully, the enrollment itself was not. It could be my configuration though. I added some debugging and it shows that the pin digest encoding is unknown. setpin uses SHA1. Anyway, this is a different issue than the bug subject.
After hours of investigation I saw what the problem is. The problem is that when you press OK on Setting uidpindir authenticator, the form doesn't check the pin user with the supplied password in the password field. This is the reason for LDAP error 49. After searching in the documentation I found that all passwords used in the CA system are in the password.conf file. In CS.cfg there is the field

auths.instance.PinDirEnrollment.ldap.ldapauth.bindPWPrompt=Rule PinDirEnrollment

The value in this field should be in the password.conf file to point to the auths.instance.PinDirEnrollment.ldap.ldapauth.bindDN password, like

Rule\ PinDirEnrollment=PinPass

if the pinuser password is PinPass. The row should be created BEFORE configuring the UidPinDir authenticator. Then the remove pin setting will work. I think that the form should create this row in the password.conf file but it didn't. I suppose the recent versions have this bug too.
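A pre-flight check for the fix described in this thread, as an added example that is not part of the bug report or of RHCS: it reads the bindPWPrompt name from CS.cfg and verifies that password.conf already has a matching entry before removePin is switched to true. The function names, the temporary file paths and the sample file contents are constructed for the demonstration; accepting the key with or without the backslash-escaped space is an assumption.

```shell
# Added example, not from the bug report: confirm that password.conf carries
# an entry named after the bindPWPrompt value in CS.cfg before enabling
# removePin, since a missing entry is what surfaces as LDAP error 49.
# File paths and contents below are constructed for the demonstration.

# Print the bindPWPrompt value of the PinDirEnrollment instance (empty if unset).
pin_bind_prompt() {
    sed -n 's/^auths\.instance\.PinDirEnrollment\.ldap\.ldapauth\.bindPWPrompt=//p' "$1" | head -n 1
}

# Return 0 when password.conf has a line whose key is the prompt name.
# The report writes the key with a backslash-escaped space ("Rule\ PinDirEnrollment");
# the unescaped spelling is accepted too (an assumption, not checked against RHCS).
has_password_entry() {
    prompt=$1; conf=$2
    escaped=$(printf '%s' "$prompt" | sed 's/ /\\ /g')
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in \#*|'') continue ;; esac   # skip comments and blank lines
        key=${line%%=*}
        [ "$key" = "$prompt" ] || [ "$key" = "$escaped" ] && return 0
    done < "$conf"
    return 1
}

# 0 = entry present (removePin=true is usable), 1 = entry missing, 2 = prompt unset.
check_pin_bind_pw() {
    prompt=$(pin_bind_prompt "$1")
    [ -n "$prompt" ] || return 2
    has_password_entry "$prompt" "$2"
}

# Constructed sample files mirroring the values quoted in the report.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/CS.cfg" <<'EOF'
auths.instance.PinDirEnrollment.pluginName=UidPwdPinDirAuth
auths.instance.PinDirEnrollment.removePin=true
auths.instance.PinDirEnrollment.ldap.ldapauth.bindPWPrompt=Rule PinDirEnrollment
EOF
printf 'internal=PLACEHOLDER\n' > "$tmp/password.conf"                          # entry missing
printf 'internal=PLACEHOLDER\nRule\\ PinDirEnrollment=PinPass\n' > "$tmp/password-fixed.conf"

for pw in password.conf password-fixed.conf; do
    rc=0; check_pin_bind_pw "$tmp/CS.cfg" "$tmp/$pw" || rc=$?
    case $rc in
        0) echo "$pw: bind password entry found; removePin=true is usable" ;;
        1) echo "$pw: no entry for the bindPWPrompt name; expect LDAP error 49" ;;
        *) echo "$pw: bindPWPrompt is not set in CS.cfg" ;;
    esac
done
```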