Trying to test the scenario where CA1 issues an user cert cert1 which is added to a user under CA2. Using cert1 for client authentication during a user-add operation to CA2.
The cert issued by CA1 is added successfully to the user under CA2. user-add operation under CA2 authenticating using cert1 fails with "PKIException: Unauthorized" message. I do not see any messages in the debug logs of either of the CAs.
The signing cert of CA1 is added and trusted in the certdb of CA2 and vice versa. cert1 has been added under the certdb of CA1 and CA2.
Are CA1 and CA2 completely independent root CAs or clones? It would be useful to see some more information, such as:
user ldif output ldapresult5
user cert prettyprint certpretty
CA1 is just issuing the user cert that is being added to the user under CA2. Not sure which user in CA1 you want the output of. The ldif output of the user under CA2 which has the cert issued by CA1 is attached. Also attached the pretty print of the user cert added to user under CA2.
Is the uid=new_adminV,ou=people,o=pki-new-CA user a member of a group that should be allowed to create new users? I'm assuming that this user needs to be added to a group that the ACIs identity as administrators who are capable of adding new users.
The DS logs should tell us more here. You should be able to see if the bind operation using client-cert auth succeeds, and you should also be able to see if the DS access control is what is rejecting the operation.
Yes the user has been added to the administrator group.
I do not see any messages on the DS access log when I try to add a user authenticating using the attached cert.
Replying to [comment:4 rpattath]:
Yes the user has been added to the administrator group. I do not see any messages on the DS access log when I try to add a user authenticating using the attached cert.
Are you waiting for the access log buffering that DS uses? This can cause writes to the log to be delayed. I would expect to see something in the access logs.
I was tailing on /var/log/dirsrv/slapd-<instance>/access log, did not see any messages on it when this operation was being tried.
So you waited up to 30 seconds to allow the buffered writes to the log to be flushed? If that's the case, then this is not ever hitting DS. If you didn't wait for the logs to flush, please do, as writes to the access log by ns-slapd are not immediate.
Metadata Update from @rpattath: - Issue set to the milestone: UNTRIAGED
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1734
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.