Bug
Resolution: Done
certsys-10.2
+++ This bug was initially created as a clone of Bug #1858867 +++
Description of problem:
TPS allows a PIN reset to be performed on a token with a PIN reset CRI that was created for a different user's token. As a result, it changes the user ID in the registration record for the token.
TPS should compare the token CUID in the user registration record with the current token CUID on PIN reset when the following settings are in the CS.cfg file:
auths.instance.ldap1.externalReg.attributes=tokencuid (along with other attributes)
auths.instance.ldap1.externalReg.cuidAttributeName=tokencuid
This apparently was working in CS 8.x.
Version-Release number of selected component (if applicable):
[root]@[vm-tms-tps-5]: # rpm -qa | grep pki
pki-base-10.5.17-6.el7.noarch
pki-symkey-10.5.17-6.el7.x86_64
pki-tks-10.5.1-9.el7pki.noarch
tms-tks-5-dodpki-1.0-42.el7.x86_64
pki-tools-10.5.17-6.el7.x86_64
pki-server-10.5.17-6.el7.noarch
katello-ca-consumer-mgmt-1.c3pki.nit.disa.mil-1.0-1.noarch
tms-tps-5-dodpki-1.0-42.el7.x86_64
pki-base-java-10.5.17-6.el7.noarch
mod_security_rules-dodpki-1.0.3-2.x86_64
pki-tps-10.5.1-9.el7pki.x86_64
How reproducible:
Very
Steps to Reproduce:
TPS allows a PIN reset to be performed on a token with a PIN reset CRI that was created for a different user's token. As a result, it changes the user ID in the registration record for the token.
Actual results:
TPS changes another user's token.
Expected results:
TPS should compare the token CUID from the registration record.
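The check the report asks for, written out as an added Python model rather than TPS's own code: a registration record fetched for the authenticated external-registration user carries the token CUID in the attribute named by externalReg.cuidAttributeName, and a PIN reset is refused unless that CUID matches the token actually being reset. parse_cs_cfg, cuid_attribute, normalize_cuid, make_sample_data and pin_reset are hypothetical names, the CS.cfg excerpt reuses only the keys quoted in this report, and the LDAP and token-database records are constructed sample data standing in for the real directory and TPS database.

```python
# Added example, not Dogtag/RHCS TPS code. It models the check the report
# asks for: on an external-registration PIN reset, compare the token CUID in
# the user's LDAP registration record (attribute named by
# externalReg.cuidAttributeName) with the CUID of the token being reset.
# All function names are hypothetical; the records below are constructed.

# Constructed CS.cfg excerpt using only keys quoted in the report.
CS_CFG = """\
auths.instance.ldap1.externalReg.attributes=certstoadd,tokencuid,enrollmenttype,registrationtype
auths.instance.ldap1.externalReg.cuidAttributeName=tokencuid
auths.instance.ldap1.pluginName=UidPwdDirAuth
"""


def parse_cs_cfg(text):
    """Parse key=value lines of a CS.cfg-style file into a dict."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def cuid_attribute(cfg, auth_id="ldap1"):
    """Name of the LDAP attribute holding the registered token CUID, or None
    when the deployment does not bind registrations to a CUID (the attribute
    must be listed in externalReg.attributes and named by cuidAttributeName)."""
    prefix = "auths.instance.%s.externalReg." % auth_id
    attrs = [a.strip() for a in cfg.get(prefix + "attributes", "").split(",")]
    name = cfg.get(prefix + "cuidAttributeName")
    return name if name and name in attrs else None


def normalize_cuid(cuid):
    """CUIDs are hex strings; compare them case-insensitively and without
    surrounding whitespace so a formatting difference is not a mismatch."""
    return cuid.strip().upper()


def make_sample_data():
    """Constructed stand-ins for the LDAP registration records (keyed by uid)
    and for the TPS token database (keyed by CUID)."""
    directory = {
        "alice": {"uid": "alice", "tokencuid": "a0a0a0a0a0a0a0a0a0a0"},
        "bob": {"uid": "bob", "tokencuid": "B1B1B1B1B1B1B1B1B1B1"},
    }
    token_db = {
        "A0A0A0A0A0A0A0A0A0A0": {"userID": "alice", "status": "active"},
        "B1B1B1B1B1B1B1B1B1B1": {"userID": "bob", "status": "active"},
    }
    return directory, token_db


def pin_reset(cfg, directory, token_db, uid, token_cuid, enforce_cuid=True):
    """Process a PIN reset on token `token_cuid` requested under the
    authenticated external-registration user `uid`.

    enforce_cuid=False reproduces the reported behaviour: the reset proceeds
    and the token's userID is overwritten with `uid`. enforce_cuid=True is the
    expected behaviour: the reset is refused unless the registration record's
    CUID matches the token being reset, and the token record stays untouched.
    Returns (allowed, reason)."""
    record = directory.get(uid)
    if record is None:
        return False, "no registration record for user %s" % uid
    cuid = normalize_cuid(token_cuid)
    token = token_db.get(cuid)
    if token is None:
        return False, "token %s not found" % cuid

    attr = cuid_attribute(cfg)
    if enforce_cuid and attr is not None:
        registered = record.get(attr)
        if registered is None:
            return False, "registration record has no %s attribute" % attr
        if normalize_cuid(registered) != cuid:
            return False, ("registration record for %s names token %s, not %s"
                           % (uid, normalize_cuid(registered), cuid))

    # The write the report describes: the reset rebinds the token to the
    # requesting user. With the check above it can only touch that user's token.
    token["userID"] = uid
    token["status"] = "pin_reset"
    return True, "PIN reset on %s for %s" % (cuid, uid)


if __name__ == "__main__":
    cfg = parse_cs_cfg(CS_CFG)
    directory, token_db = make_sample_data()
    print(pin_reset(cfg, directory, token_db, "alice", "B1B1B1B1B1B1B1B1B1B1"))
    print(token_db["B1B1B1B1B1B1B1B1B1B1"])
```

The check is deliberately gated on the two configuration keys the report names: when cuidAttributeName is absent or not listed in externalReg.attributes, the deployment has not registered tokens by CUID and the function falls back to the unguarded path, which is the point worth watching in a CS.cfg review.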
Additional info:
auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
auths.instance.AgentCertAuth.pluginName=AgentCertAuth
auths.instance.ldap1.authCredName=uid
auths.instance.ldap1.dnpattern=
auths.instance.ldap1.externalReg._000=########################################
auths.instance.ldap1.externalReg._001=# Original Values. Before TMS Updtes to TPS
auths.instance.ldap1.externalReg._002=# certs.recoverAttributeName=certstoadd
auths.instance.ldap1.externalReg._003=# cuidAttributeName=tokencuid
auths.instance.ldap1.externalReg._004=# tokenTypeAttributeName=enrollmenttype
auths.instance.ldap1.externalReg._005=# Values below require GD updated code
auths.instance.ldap1.externalReg._006=# - AAM - 20180831
auths.instance.ldap1.externalReg._007=########################################
auths.instance.ldap1.externalReg.attributes=certstoadd,tokencuid,enrollmenttype,registrationtype
auths.instance.ldap1.externalReg.certs.recoverAttributeName=certstoadd
auths.instance.ldap1.externalReg.cuidAttributeName=tokencuid
auths.instance.ldap1.externalReg.registrationTypeAttributeName=registrationtype
auths.instance.ldap1.externalReg.tokenTypeAttributeName=enrollmenttype
auths.instance.ldap1.ldap.basedn=dc=tms-portal-5
auths.instance.ldap1.ldapByteAttributes=
auths.instance.ldap1.ldap.doCloning=false
auths.instance.ldap1.ldap.ldapauth.authtype=SslClientAuth
auths.instance.ldap1.ldap.ldapauth.bindDN=
auths.instance.ldap1.ldap.ldapauth.bindPWPrompt=ldap1
auths.instance.ldap1.ldap.ldapauth.clientCertNickname=NSS-OCS:LDAPS-TPS-user-5
auths.instance.ldap1.ldap.ldapBoundConn=true
auths.instance.ldap1.ldap.ldapconn.host=ds-tms-portal-5.c3pki.nit.disa.mil
auths.instance.ldap1.ldap.ldapconn.port=636
auths.instance.ldap1.ldap.ldapconn.secureConn=True
auths.instance.ldap1.ldap.ldapconn.version=3
auths.instance.ldap1.ldap.maxConns=45
auths.instance.ldap1.ldap.minConns=3
auths.instance.ldap1.ldapStringAttributes._000=#################################
auths.instance.ldap1.ldapStringAttributes._001=# For isExternalReg
auths.instance.ldap1.ldapStringAttributes._002=# attributes will be available as
auths.instance.ldap1.ldapStringAttributes._003=# $<attribute>$
auths.instance.ldap1.ldapStringAttributes._004=# attributes example:
auths.instance.ldap1.ldapStringAttributes._005=#mail,cn,uid,edipi,pcc,firstname,lastname,exec-edipi,exec-pcc,exec-mail,certsToAdd,tokenCUID,tokenType
auths.instance.ldap1.ldapStringAttributes._006=#################################
auths.instance.ldap1.ldapStringAttributes=mail,cn,uid,enrollmenttype,certstoadd,tokencuid,registrationtype
auths.instance.ldap1.pluginName=UidPwdDirAuth
auths.instance.ldap1.ui.description.en=This authenticates user against the LDAP directory.
auths.instance.ldap1.ui.id.PASSWORD.credMap.authCred=pwd
auths.instance.ldap1.ui.id.PASSWORD.credMap.msgCred.extlogin=PASSWORD
auths.instance.ldap1.ui.id.PASSWORD.credMap.msgCred.login=password
auths.instance.ldap1.ui.id.PASSWORD.description.en=LDAP Password
auths.instance.ldap1.ui.id.PASSWORD.name.en=LDAP Password
auths.instance.ldap1.ui.id.UID.credMap.authCred=uid
auths.instance.ldap1.ui.id.UID.credMap.msgCred.extlogin=UID
auths.instance.ldap1.ui.id.UID.credMap.msgCred.login=screen_name
auths.instance.ldap1.ui.id.UID.description.en=LDAP User ID
auths.instance.ldap1.ui.id.UID.name.en=LDAP User ID
auths.instance.ldap1.ui.retries=3
auths.instance.ldap1.ui.title.en=LDAP Authentication
auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
auths.instance.TokenAuth.pluginName=TokenAuth
— Additional comment from RHEL Program Management on 2020-07-20 16:01:18 UTC —
Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
— Additional comment from Chris Zinda on 2020-08-03 18:28:45 UTC —