Unable to perform pin based enrollment due to setpin utility not creating the pin.
Steps to Reproduce:
1. Create this user in the LDAP database: uid=testuser3,ou=people,dc=pki-tps1
2. Go to the CA's admin console, Configuration tab, Authentication, and enable the authentication plugin UidPwdPinDirAuth with the following attributes:
   removepin - don't select
   pinAttr - pin
   dnpattern - UID=$attr.uid, OU=$dn.ou
   ldapStringAttributes: mail
   ldapconnhost: localhost
   ldapconnport: 1604
   binddn: cn=directory manager
   password: netscape
   clientcertnickname: basicauth
   authtype: basicAuth
   basedn: ou=people,dc=pki-tps1
   The authentication plugin instance pinDirEnrollment is created.
3. Run the setpin utility to set the pin for the user:

   # setpin host=`hostname` port=1604 output=outfile binddn="cn=Directory Manager" bindpw=Secret123 filter="(uid=testuser3)" basedn="uid=testuser3,ou=people,dc=pki-tps1" write clobber debug attribute=userPassword objectclass=top length=8 hash=none
   about to validateOptions
   about to doLDAPBind
   # connecting to xxxxxx:1604
   # ldap_init completed
   # ldap_simple_bind_s completed
   about to doLDAPSearch
   # ldap_search_s completed
   about to processSearchResults
   filter (uid=testuser3) found 1 matching results.
   Processing: uid=testuser3,ou=People,dc=pki-tps1
   examining attribute: objectClass
     val[0]: top
     val[1]: person
     val[2]: organizationalPerson
     val[3]: inetOrgPerson
     val[4]: cmsuser
     checking vals[0]=top == objectclass=top -> 0
     objectClass: top found
     checking vals[1]=person == objectclass=top -> -4
     checking vals[2]=organizationalPerson == objectclass=top -> -5
     checking vals[3]=inetOrgPerson == objectclass=top -> -11
     checking vals[4]=cmsuser == objectclass=top -> -17
   examining attribute: uid
     val[0]: testuser3
   examining attribute: sn
     val[0]: TestUser3
   examining attribute: cn
     val[0]: testuser3
   examining attribute: mail
     val[0]:
   examining attribute: usertype
     val[0]: undefined
   examining attribute: userPassword
     val[0]: {SSHA}GW8sWT9did9KNfZ+YM1HEltoxCQnF9TlLj3lnQ==
   examining attribute: creatorsName
     val[0]: cn=directory manager
   examining attribute: modifiersName
     val[0]: cn=directory manager
   examining attribute: createTimestamp
     val[0]: 20150804203546Z
   examining attribute: modifyTimestamp
     val[0]: 20150804212119Z
   Did the objectclass exist? 1
   Character pool: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
   Adding new userPassword
   userPassword exists, replacing
   o_write = 4071c4

   [root@vm-]# cat outfile
   dn:uid=testuser3,ou=People,dc=pki-tps1
   userPassword:Kn4PSceF
   status:replaced
Actual results:
Setpin utility does not create/show pin for the user.
Expected results:
Setpin utility should create the pin. Go to the CA's Agent page and enable the profile 'caDirPinUserCert', which uses the created authentication instance 'pinDirEnrollment'. Go to the EE SSL page and select enrollment with the profile caDirPinUserCert. Fill in the LDAP user id, password and the pin. The CA should authenticate the user's credentials and generate a certificate.
Additional info:
Directory Server access log has this:

   [06/Aug/2015:21:51:46 +051800] conn=200 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
   [06/Aug/2015:21:51:46 +051800] conn=200 op=1 SRCH base="uid=testuser3,ou=people,dc=pki-tps1" scope=2 filter="(uid=testuser3)" attrs=ALL
   [06/Aug/2015:21:51:46 +051800] conn=200 op=1 RESULT err=0 tag=101 nentries=1 etime=0
   [06/Aug/2015:21:51:46 +051800] conn=200 op=2 MOD dn="uid=testuser3,ou=People,dc=pki-tps1"
   [06/Aug/2015:21:51:46 +051800] conn=200 op=2 RESULT err=0 tag=103 nentries=0 etime=0
   [06/Aug/2015:21:51:46 +051800] conn=200 op=-1 fd=163 closed - B1
Per CS/DS meeting of 08/10/2015 - 10.2.7
Patch submitted for review for the setpin utility that should take care of this problem.
commit f60846e025ff5492e8c05ccf525fe8df1b59bba6
Author: Jack Magne jmagne@localhost.localdomain
Date: Tue Aug 11 18:26:04 2015 -0700

   setpin utility doesn't set the pin for users.

   There were some things wrong with the setpin utility.
   1. There were some syntax violations that had to be dealt with, or a DS with syntax checking would not be pleased.
   2. The back end is expecting a byte of hash data at the beginning of the pin. In our case we are sending NO hash, so we want this code at the beginning: '-'
   3. We also need to prepend the dn in front of the pin so the back end can verify the set pin.
   Tested to work during both steps of the setpin process: 1) creating the schema, 2) creating the pin. Tested to work with actual PinBased Enrollment.
   4. Fix also now supports the SHA256 hashing method only, with sha256 being the default hash. The no hash option is supported but puts the pin in the clear.
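The commit message above describes the shape the CA back end expects in the pin attribute: a leading hash-type byte ('-' for no hash), the entry's dn folded into the hashed value, and SHA-256 as the default hash. The following is an added example, not code from the setpin utility or the Dogtag PKI project, that models that layout so the failure mode is visible: a bare pin such as the `userPassword:Kn4PSceF` written in the report carries no type byte and so cannot be verified, and a hashed pin is bound to one dn. The marker byte `S` for SHA-256, the hex encoding of the digest, and the exact `dn + pin` concatenation are assumptions for illustration, not the project's documented format; only '-' for "no hash" and the use of the dn and SHA-256 come from the commit message.

```python
"""Model of a hash-typed, dn-bound pin attribute (added example; format details assumed)."""
import hashlib
import hmac
import secrets

# Character pool as printed by the setpin debug output in the report.
CHARACTER_POOL = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

NO_HASH_MARKER = "-"     # from the commit message: no hash, pin stored in the clear
SHA256_MARKER = "S"      # ASSUMPTION: marker byte for SHA-256 (hypothetical value)


def generate_pin(length: int = 8) -> str:
    """Draw a pin of `length` characters from CHARACTER_POOL using a CSPRNG."""
    return "".join(secrets.choice(CHARACTER_POOL) for _ in range(length))


def encode_pin(dn: str, pin: str, hash_type: str = "sha256") -> str:
    """Build the attribute value: type byte, then clear pin or SHA-256(dn + pin) hex.

    hash_type="none" mirrors setpin's hash=none: the pin is stored in the clear.
    hash_type="sha256" is the default the commit message names.
    """
    if hash_type == "none":
        return NO_HASH_MARKER + pin
    if hash_type == "sha256":
        digest = hashlib.sha256((dn + pin).encode("utf-8")).hexdigest()
        return SHA256_MARKER + digest
    raise ValueError(f"unsupported hash type: {hash_type}")


def verify_pin(dn: str, submitted_pin: str, stored: str) -> bool:
    """Check a submitted pin against the stored value for the entry `dn`.

    Returns False for an empty value or an unknown type byte, which is what a
    bare pin written without the marker would look like to the back end.
    """
    if not stored:
        return False
    marker, body = stored[0], stored[1:]
    if marker == NO_HASH_MARKER:
        return hmac.compare_digest(body.encode("utf-8"), submitted_pin.encode("utf-8"))
    if marker == SHA256_MARKER:
        expected = hashlib.sha256((dn + submitted_pin).encode("utf-8")).hexdigest()
        return hmac.compare_digest(body.encode("ascii"), expected.encode("ascii"))
    return False  # unknown type byte: cannot verify


if __name__ == "__main__":
    dn = "uid=testuser3,ou=People,dc=pki-tps1"   # dn from the report
    pin = "Kn4PSceF"                              # pin value from the report's outfile
    print("bare value verifies?", verify_pin(dn, pin, pin))                      # False
    print("no-hash value verifies?", verify_pin(dn, pin, encode_pin(dn, pin, "none")))  # True
    stored = encode_pin(dn, pin)
    print("sha256 value:", stored)
    print("sha256 verifies for own dn?", verify_pin(dn, pin, stored))             # True
    print("sha256 verifies for other dn?",
          verify_pin("uid=other,ou=People,dc=pki-tps1", pin, stored))             # False
```

Because the dn is part of the hashed input, a hashed pin value copied from one entry to another does not verify there, and the no-hash form shows exactly what "puts the pin in the clear" means for anyone who can read the attribute.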
Metadata Update from @aakkiang:
- Issue assigned to jmagne
- Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2105
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.