Hi Aleksander,<br><br>Can you file a bug report and include that patch as an attachment? If you need help, please let me know.<br><br>Regards,<br>-Bob<br><br><br><div class="gmail_quote">On Thu, May 22, 2008 at 7:14 AM, Aleksander Adamowski <aleksander.adamowski.dogtag@altkom.pl> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi!<br>
<br>
I've noticed that with out LDAP directory, using the caDirUserCert profile, we get incorrect SubjectNames - they aren't populated with requesting users' commonName (cn) or e-mail (LDAP "mail" -> x.509 "E").<br>
<br>
After closer inspection and brief analysis of Dogtag Certificate System's source code I've identified that the authTokenSubjectNameDefaultImpl plugin is responsible for this task and its implementation is in the AuthTokenSubjectNameDefault class (<a href="https://pki.fedoraproject.org/svn/pki/trunk/pki/base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java" target="_blank">https://pki.fedoraproject.org/svn/pki/trunk/pki/base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java</a>).<br>
<br>
The problem seems to be in this code fragment (line 134):<br>
<br>
X500Name name = new X500Name(<br>
request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));<br>
<br>
The plug-in uses the $request.authenticatedname$ value from the request, which contains the authenticated user's DN. If the DN doesn't contain the cn and mail attribute, those attributed won't be propagated to resulting certificate's subject name.<br>
<br>
I think this plugin should use the $request.auth_token.tokencertsubject$ value.<br>
After all, the UidPwdDiraAuth plugin's documentation (<a href="http://www.redhat.com/docs/manuals/cert-system/pdf/cms601plugin.pdf" target="_blank">http://www.redhat.com/docs/manuals/cert-system/pdf/cms601plugin.pdf</a>) implies that this value will be used to formulate the certificate's subject name:<br>
<br>
"dnpattern: Specifies a string representing a subject name pattern to formulate from the<br>
directory attributes and entry DN."<br>
<br>
So the code should probably be change to something like this:<br>
<br>
Index: src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java<br>
===================================================================<br>
--- src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java (revision 47)<br>
+++ src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java (working copy)<br>
@@ -131,7 +131,7 @@<br>
// to the certinfo<br>
try {<br>
X500Name name = new X500Name(<br>
- request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));<br>
+ request.getExtDataInAuthToken(AuthToken.TOKEN_CERT_SUBJECT));<br>
<br>
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name));<br>
} catch (Exception e) {<br>
<br>
<br>
(note: I didn't test whether it works, I'd have to check out the whole >130MB SVN repository and set up the complex Dogtag build infrastructure for this...)<br>
<br>
What you think?<br>
<br>
-- <br>
Best Regards,<br>
Aleksander Adamowski<br>
GG#: 274614<br>
ICQ UIN: 19780575 <a href="http://olo.org.pl" target="_blank">http://olo.org.pl</a><br>
<br>
_______________________________________________<br>
Pki-users mailing list<br>
<a href="mailto:Pki-users@redhat.com" target="_blank">Pki-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a><br>
</blockquote></div><br>