This issue was migrated from Pagure Issue #462. Originally filed by nkinder (@nkinder) on 2012-12-18 21:01:28:
Although we seem to support this feature as per the administration guide and code, directory-based enrollment fails for a user directory and a CA instance configured with "non standard" components in the DN (other than CN, OU, O, C, L, TITLE, ST, STREET, UID, MAIL, E, DC) with a Java exception:

[31/Jan/2011:20:16:03]http-9444-Processor24: AuthTokenSubjectNameDefault: java.io.IOException: Unknown AVA keyword 'CARLICENSE'.

and the CMSServlet exits immediately. In the EE service page:

Sorry, your request is not submitted. The reason is "Subject Name Not Found".

Steps to Reproduce:

1. Have versions as described in "Version-Release number of selected component".

2. Install 389, install Dogtag, run pkicreate to have a functional CA test instance.

3. Have a user directory so that the DN is like below. One "standard" entry, for example:

    ldapsearch -xLLL -h 10.14.7.221 -p 389 -b dc=testme uid=guest1 dn uid
    dn: uid=guest1,ou=People,dc=testme
    uid: guest1

   and, for the purpose of this test, another entry with a DN composed with the attribute carLicense, not a uid attribute:

    ldapsearch -xLLL -h 10.14.7.221 -p 389 -b dc=testme uid=newguest1 dn uid
    dn: carlicense=8abc123,ou=People,dc=testme
    uid: newguest1

4. /etc/init.d/pki-ca stop

5. Follow the administration guide at http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Managing_Subject_Names_and_Subject_Alternative_Names.html#DNs_in_the_Certificate_System-Allowed_Characters_for_Value_Types to allow, for the purpose of this test, the DN or X500Name composed with the attribute carLicense:

    vi /etc/pki-ca/CS.cfg
    ...
    X500Name.carLicense.oid=1.3.6.1.4.1.1466.115.121.1.15
    X500Name.carLicense.class=netscape.security.x509.DirStrConverter
    ...
    auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
    ...
    auths.instance.UserDirEnrollment.dnpattern=uid=$attr.uid,ou=people,dc=testme
    auths.instance.UserDirEnrollment.ldapByteAttributes=
    auths.instance.UserDirEnrollment.ldapStringAttributes=carlicense
    auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
    auths.instance.UserDirEnrollment.ldap.basedn=ou=people,dc=testme
    auths.instance.UserDirEnrollment.ldap.maxConns=
    auths.instance.UserDirEnrollment.ldap.minConns=
    auths.instance.UserDirEnrollment.ldap.ldapconn.host=10.14.7.221
    auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
    auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
    auths.instance.UserDirEnrollment.ldap.ldapconn.version=3

6. /etc/init.d/pki-ca start

7. Browse to the EE service for Directory-Authenticated User Dual-Use Certificate Enrollment, for example https://dirsec2-seg.lab.sjc.redhat.com:9444/ca/ee/ca/profileSelect?profileId=caDirUserCert

8. Provide uid=guest1 and password; expect success.

9. Provide uid=newguest1 and password; expect failure.

Actual results:

https://dirsec2-seg.lab.sjc.redhat.com:9444/ca/ee/ca/profileSelect?profileId=caDirUserCert NOT ok

Sorry, your request is not submitted. The reason is "Subject Name Not Found".

/var/log/pki-ca/debug
...
[01/Feb/2011:16:44:07]http-9444-Processor25: CMSServlet:service() uri = /ca/ee/ca/profileSubmit
[01/Feb/2011:16:44:07]http-9444-Processor25: CMSServlet::service() param name='cert_request_type' value='crmf'
[01/Feb/2011:16:44:07]http-9444-Processor25: CMSServlet::service() param name='cert_request' value='MIIBHDCCARgwgcECBB9QmSEwgYOAAQKlDjAMMQowCAYDVQQDEwF4plwwDQYJKoZI hvcNAQEBBQADSwAwSAJBAMk7AmksCJNQl2fswnBnUWojXN5UFmiEVVzuFfYKU/Ym U2cw4rb855NRiCm0PIt4U28PvCkKFNNgpcWB15DndL0CAwEAAakQMA4GA1UdDwEB /wQEAwIF4DAzMBUGCSsGAQUFBwUBAQwIcmVnVG9rZW4wGgYJKwYBBQUHBQECDA1h dXRoZW50aWNhdG9yoVIwDQYJKoZIhvcNAQEFBQADQQBH7zYSHBDBONMYJH07R5Q5 gOHziTZ+6D89iRb31slyhqXlZ1GToyg2cgl3Qhk8Jli5S+Ln+VFlYDlG6v41IsVE'
[01/Feb/2011:16:44:07]http-9444-Processor25: CMSServlet::service() param name='renewal' value='false'
[01/Feb/2011:16:44:07]http-9444-Processor25: CMSServlet::service() param name='keyLength' value='512'
[01/Feb/2011:16:44:07]http-9444-Processor25: CMSServlet::service() param name='uid' value='newguest1'
[01/Feb/2011:16:44:07]http-9444-Processor25: CMSServlet::service() param name='xmlOutput' value='false'
[01/Feb/2011:16:44:07]http-9444-Processor25: CMSServlet::service() param name='profileId' value='caDirUserCert'
[01/Feb/2011:16:44:07]http-9444-Processor25: CMSServlet::service() param name='pwd' value='(sensitive)'
[01/Feb/2011:16:44:07]http-9444-Processor25: CMSServlet: caProfileSubmit start to service.
[01/Feb/2011:16:44:07]http-9444-Processor25: xmlOutput false
[01/Feb/2011:16:44:07]http-9444-Processor25: Start of ProfileSubmitServlet Input Parameters
...
[01/Feb/2011:16:44:07]http-9444-Processor25: Repository: in getNextSerialNumber.
[01/Feb/2011:16:44:07]http-9444-Processor25: Repository: getNextSerialNumber: returning retSerial 346
[01/Feb/2011:16:44:07]http-9444-Processor25: EnrollProfile: createRequest 346
[01/Feb/2011:16:44:07]http-9444-Processor25: ProfileSubmitServlet profileSetid=userCertSet
[01/Feb/2011:16:44:07]http-9444-Processor25: ProfileSubmitServlet: request 346
[01/Feb/2011:16:44:07]http-9444-Processor25: ProfileSubmitServlet: populating request inputs
[01/Feb/2011:16:44:07]http-9444-Processor25: Start parseCRMF MIIBHDCCARgwgcECBB9QmSEwgYOAAQKlDjAMMQowCAYDVQQDEwF4plwwDQYJKoZI hvcNAQEBBQADSwAwSAJBAMk7AmksCJNQl2fswnBnUWojXN5UFmiEVVzuFfYKU/Ym U2cw4rb855NRiCm0PIt4U28PvCkKFNNgpcWB15DndL0CAwEAAakQMA4GA1UdDwEB /wQEAwIF4DAzMBUGCSsGAQUFBwUBAQwIcmVnVG9rZW4wGgYJKwYBBQUHBQECDA1h dXRoZW50aWNhdG9yoVIwDQYJKoZIhvcNAQEFBQADQQBH7zYSHBDBONMYJH07R5Q5 gOHziTZ+6D89iRb31slyhqXlZ1GToyg2cgl3Qhk8Jli5S+Ln+VFlYDlG6v41IsVE
[01/Feb/2011:16:44:07]http-9444-Processor25: EnrollInput ::in verifyPOP
[01/Feb/2011:16:44:07]http-9444-Processor25: POP verification begins:
[01/Feb/2011:16:44:07]http-9444-Processor25: POP verification using internal token
[01/Feb/2011:16:44:07]http-9444-Processor25: SignedAuditEventFactory: create() message=[AuditEvent=PROOF_OF_POSSESSION][SubjectID=$NonRoleUser$][Outcome=Success] checking proof of possession
[01/Feb/2011:16:44:07]http-9444-Processor25: Start parseCertReqMsg
[01/Feb/2011:16:44:07]http-9444-Processor25: EnrollProfile: validity not supplied
[01/Feb/2011:16:44:07]http-9444-Processor25: SignedAuditEventFactory: create() message=[AuditEvent=PROFILE_CERT_REQUEST][SubjectID=$NonRoleUser$][Outcome=Success][ReqID=346][ProfileID=caDirUserCert][CertSubject=CN=Certificate Authority,O=dirsec2caroot20100830] certificate request made with certificate profiles
[01/Feb/2011:16:44:07]http-9444-Processor25: BasicProfile: populate() policy setid =userCertSet
[01/Feb/2011:16:44:07]http-9444-Processor25: AuthTokenSubjectNameDefault: populate start
[01/Feb/2011:16:44:07]http-9444-Processor25: AuthTokenSubjectNameDefault: java.io.IOException: Unknown AVA keyword 'CARLICENSE'.
[01/Feb/2011:16:44:07]http-9444-Processor25: ProfileSubmitServlet: populate Subject Name Not Found
[01/Feb/2011:16:44:07]http-9444-Processor25: CMSServlet: curDate=Tue Feb 01 16:44:07 PST 2011 id=caProfileSubmit time=11

Sample with a CMS.debugStackTrace() in another test instance with pki-ca-8.1.0-3 and pki-common-8.1.0-2:

[01/Feb/2011:18:54:12]http-9444-Processor25: BasicProfile: populate() policy setid =userCertSet
[01/Feb/2011:18:54:12]http-9444-Processor25: AuthTokenSubjectNameDefault: populate start
java.lang.Exception: Debug
    at com.netscape.cmscore.util.Debug.printStackTrace(Debug.java:227)
    at com.netscape.cmscore.apps.CMSEngine.debugStackTrace(CMSEngine.java:1361)
    at com.netscape.certsrv.apps.CMS.debugStackTrace(CMS.java:394)
    at com.netscape.cms.profile.def.AuthTokenSubjectNameDefault.populate(AuthTokenSubjectNameDefault.java:146)
    at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:180)
    at com.netscape.cms.profile.common.BasicProfile.populate(BasicProfile.java:1074)
    at com.netscape.cms.profile.common.EnrollProfile.populate(EnrollProfile.java:1194)
    at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:1127)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:501)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:537)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:171)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
    at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:139)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:537)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:218)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:171)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:542)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
    at java.lang.Thread.run(Thread.java:636)
[01/Feb/2011:18:54:12]http-9444-Processor25: AuthTokenSubjectNameDefault: java.io.IOException: Unknown AVA keyword 'CARLICENSE'.
[01/Feb/2011:18:54:12]http-9444-Processor25: ProfileSubmitServlet: populate Subject Name Not Found
[01/Feb/2011:18:54:12]http-9444-Processor25: CMSServlet: curDate=Tue Feb 01 18:54:12 PST 2011 id=caProfileSubmit time=370
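The failure above comes down to one lookup: when AuthTokenSubjectNameDefault turns the authenticated user's DN into a certificate subject, every attribute keyword in that DN has to resolve to an OID, and 'CARLICENSE' is not in the built-in set. The block below is an added example (not Dogtag or Certificate System code) modelling that lookup in Python: a registry of the twelve built-in keywords, a loader for CS.cfg-style X500Name.<attr>.oid entries, an RFC 4514-style DN splitter that honours escaped commas, and a populate_subject() function that reproduces the "Unknown AVA keyword" outcome with the built-in set alone and succeeds once the configured entry is registered, which is the behaviour the report expects from the documented CS.cfg setting. The OIDs for the built-in keywords are standard values added here; the carLicense OID is the one from the report's CS.cfg (note that 1.3.6.1.4.1.1466.115.121.1.15 is the LDAP Directory String syntax OID, while the carLicense attribute itself is 2.16.840.1.113730.3.1.1 in RFC 2798; the model accepts whatever the configuration supplies, as the server would). The DNs and config lines are constructed from the ones in the report.

```python
"""Added example, not Dogtag/Certificate System code: a minimal model of the
AVA keyword lookup behind the 'Unknown AVA keyword' error, with a registry
that can be extended from CS.cfg-style X500Name.<attr>.oid entries."""
import re

# The keyword set the report lists as the CA's built-in one, mapped to the
# standard X.520 / RFC 4519 / PKCS#9 OIDs (OID values added here, not on the page).
STANDARD_KEYWORDS = {
    "CN": "2.5.4.3", "OU": "2.5.4.11", "O": "2.5.4.10", "C": "2.5.4.6",
    "L": "2.5.4.7", "TITLE": "2.5.4.12", "ST": "2.5.4.8", "STREET": "2.5.4.9",
    "UID": "0.9.2342.19200300.100.1.1", "MAIL": "0.9.2342.19200300.100.1.3",
    "E": "1.2.840.113549.1.9.1", "DC": "0.9.2342.19200300.100.1.25",
}

# Constructed CS.cfg fragment: the two X500Name lines from the report.
CS_CFG_LINES = [
    "X500Name.carLicense.oid=1.3.6.1.4.1.1466.115.121.1.15",
    "X500Name.carLicense.class=netscape.security.x509.DirStrConverter",
]


class UnknownAVAKeyword(Exception):
    """Stand-in for the java.io.IOException the CA logs."""


def load_x500name_config(cfg_lines):
    """Collect X500Name.<attr>.oid=<oid> entries, keyed by upper-cased keyword
    (the LDAP entry says 'carlicense', the CA log says 'CARLICENSE')."""
    extra = {}
    for line in cfg_lines:
        m = re.match(r"X500Name\.([^.]+)\.oid=(\S+)$", line.strip())
        if m:
            extra[m.group(1).upper()] = m.group(2)
    return extra


def split_dn(dn):
    """Split a DN into RDN strings, keeping backslash-escaped commas (RFC 4514)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair as part of the value
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return [r.strip() for r in rdns if r.strip()]


def parse_dn(dn, registry):
    """Return [(KEYWORD, oid, value)]; raise UnknownAVAKeyword for any keyword
    missing from the registry, as the CA did for 'CARLICENSE'."""
    avas = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        key, value = rdn.split("=", 1)
        keyword = key.strip().upper()
        if keyword not in registry:
            raise UnknownAVAKeyword("Unknown AVA keyword '%s'." % keyword)
        avas.append((keyword, registry[keyword], value.strip()))
    return avas


def populate_subject(auth_token_dn, cfg_lines=()):
    """Model of what AuthTokenSubjectNameDefault.populate() has to do: turn the
    authenticated user's DN into a subject name. Returns (subject, error)."""
    registry = dict(STANDARD_KEYWORDS)
    registry.update(load_x500name_config(cfg_lines))
    try:
        avas = parse_dn(auth_token_dn, registry)
    except UnknownAVAKeyword as exc:
        return None, str(exc)   # the servlet then reports "Subject Name Not Found"
    return ",".join("%s=%s" % (kw, val) for kw, _, val in avas), None


if __name__ == "__main__":
    for dn in ("uid=guest1,ou=People,dc=testme",
               "carlicense=8abc123,ou=People,dc=testme"):
        print(dn, "->", populate_subject(dn))                 # built-in keywords only
        print(dn, "->", populate_subject(dn, CS_CFG_LINES))   # with the CS.cfg entry
```

Run as a script, the guest1 DN resolves either way, while the carlicense DN yields the page's error text with the built-in registry and a CARLICENSE=8abc123,... subject once the CS.cfg entry is loaded. The useful diagnostic this gives a defender is the split between the two: if the real CA still logs "Unknown AVA keyword" after the X500Name entries are in place, the code path that builds the subject from the auth token is not consulting the same registry the configuration feeds, which is what the report shows.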