From: Oliver W. <ma...@ol...> - 2023-08-21 11:06:23
Hi Thomas,
looks like there is a migration bug when no default role is set...
Option 1: keep the "role" parameter to set a default role
Option 2: in OpenXPKI/Server/Authentication/X509.pm, line 145, replace
"$self->default_role();" with "$self->role()" - that should then
assign any user without a role the empty role, which causes a login error.
Oli
On 21.08.23 08:38, Thomas Gusset wrote:
>
> Hi Oliver
>
> Thanks for the hint
>
> I changed /home/pkiadm/userdbX509.yaml to
>
> Thomas Gusset:
>     username: Thomas Gusset
>     role: RA Operator
>
> But still no success. I see the following log in openxpki.log:
>
> 2023/08/21 08:33:57 ERROR
> I18N_OPENXPKI_SERVICE_DEFAULT_HANDLE_MESSAGE_FAILED; __EVAL_ERROR__ =>
> Attribute (default_role) does not pass the type constraint because:
> Validation failed for 'Str' with value undef at accessor
> OpenXPKI::Server::Authentication::X509::default_role (defined at
> /usr/share/perl5/OpenXPKI/Server/Authentication/X509.pm line 44) line 11
>
> OpenXPKI::Server::Authentication::X509::default_role('OpenXPKI::Server::Authentication::ClientX509=HASH(0x561529879fe0)')
> called at /usr/share/perl5/OpenXPKI/Server/Authentication/X509.pm line 145
>
> OpenXPKI::Server::Authentication::X509::_validation_result('OpenXPKI::Server::Authentication::ClientX509=HASH(0x561529879fe0)',
> 'HASH(0x561529b95458)') called at
> /usr/share/perl5/OpenXPKI/Server/Authentication/ClientX509.pm line 46
>
> OpenXPKI::Server::Authentication::ClientX509::handleInput('OpenXPKI::Server::Authentication::ClientX509=HASH(0x561529879fe0)',
> 'HASH(0x561529ac7bb8)') called at
> /usr/share/perl5/OpenXPKI/Server/Authentication.pm line 467
>
> OpenXPKI::Server::Authentication::login_step('OpenXPKI::Server::Authentication=HASH(0x561525e186a0)',
> 'HASH(0x561529ad93d8)') called at
> /usr/share/perl5/OpenXPKI/Service/Default.pm line 802
>
> OpenXPKI::Service::Default::__handle_login('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)',
> 'HASH(0x561529ad9570)') called at
> /usr/share/perl5/OpenXPKI/Service/Default.pm line 495
>
> OpenXPKI::Service::Default::__handle_GET_X509_LOGIN('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)',
> 'HASH(0x561529ad9570)') called at
> /usr/share/perl5/OpenXPKI/Service/Default.pm line 196
>
> eval {...} at /usr/share/perl5/OpenXPKI/Service/Default.pm line 193
>
> OpenXPKI::Service::Default::__handle_message('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)',
> 'HASH(0x5615259e2e18)') called at
> /usr/share/perl5/OpenXPKI/Service/Default.pm line 72
>
> eval {...} at /usr/share/perl5/OpenXPKI/Service/Default.pm line 71
>
> OpenXPKI::Service::Default::init('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)')
> called at /usr/share/perl5/OpenXPKI/Server.pm line 531
>
> OpenXPKI::Server::do_process_request('OpenXPKI::Server=HASH(0x56152204ba48)',
> 'Net::Server::Proto::UNIX=GLOB(0x5615253041c0)') called at
> /usr/share/perl5/OpenXPKI/Server.pm line 391
>
> eval {...} at /usr/share/perl5/OpenXPKI/Server.pm line 390
>
> OpenXPKI::Server::process_request('OpenXPKI::Server=HASH(0x56152204ba48)',
> 'Net::Server::Proto::UNIX=GLOB(0x5615253041c0)') called at
> /usr/share/perl5/Net/Server.pm line 72
>
> Net::Server::run_client_connection('OpenXPKI::Server=HASH(0x56152204ba48)')
> called at /usr/share/perl5/Net/Server/Fork.pm line 196
>
> Net::Server::Fork::run_client_connection('OpenXPKI::Server=HASH(0x56152204ba48)')
> called at /usr/share/perl5/Net/Server/Fork.pm line 140
>
> Net::Server::Fork::loop('OpenXPKI::Server=HASH(0x56152204ba48)')
> called at /usr/share/perl5/Net/Server.pm line 58
>
> Net::Server::run('OpenXPKI::Server=HASH(0x56152204ba48)',
> 'server_type', 'Fork', 'port', '/var/openxpki/openxpki.socket|unix',
> 'alias', 'main', 'background', 1, 'socketfile',
> '/var/openxpki/openxpki.socket', 'process_owner', 106, 'pid_file',
> '/run/openxpkid.pid', 'socket_owner', 33, 'process_group', 112,
> 'proto', 'unix', 'no_client_stdout', 1) called at
> /usr/share/perl5/Net/Server/MultiType.pm line 78
>
> Net::Server::MultiType::run('OpenXPKI::Server=HASH(0x56152204ba48)',
> 'server_type', 'Fork', 'port', '/var/openxpki/openxpki.socket|unix',
> 'alias', 'main', 'background', 1, 'socketfile',
> '/var/openxpki/openxpki.socket', 'process_owner', 106, 'pid_file',
> '/run/openxpkid.pid', 'socket_owner', 33, 'process_group', 112,
> 'proto', 'unix', 'no_client_stdout', 1) called at
> /usr/share/perl5/OpenXPKI/Server.pm line 123
>
> OpenXPKI::Server::start('OpenXPKI::Server=HASH(0x56152204ba48)')
> called at /usr/share/perl5/OpenXPKI/Control.pm line 273
>
> eval {...} at /usr/share/perl5/OpenXPKI/Control.pm line 268
>
> OpenXPKI::Control::start('HASH(0x56151fff74b8)') called at
> /usr/bin/openxpkictl line 137
>
> , __MESSAGE_NAME__ => GET_X509_LOGIN [pid=37137|sid=/ZBC]
>
> Best Regards
>
> Thomas
>
> *From:* Oliver Welter <ma...@ol...>
> *Sent:* Saturday, 19 August 2023 13:24
> *To:* ope...@li...
> *Subject:* Re: [OpenXPKI-users] X509 user database
>
> Hi Thomas,
>
> I had a quick look at the code and it looks like the docs are
> incomplete :)
>
> The user database must return a value for the "username" attribute so
> can you please try to add the key "username" into the yaml file and
> try again.
>
> best regards
>
> Oliver
>
> On 18.08.23 15:09, Thomas Gusset wrote:
>
> Hi
>
> I am trying to set up GUI authentication with client certificates.
>
> It works fine with this handler:
>
> Certificate:
>     type: ClientX509
>     role: User
>     trust_anchor:
>         realm: <my-realm>
>
> I can authenticate, the username is the CN, the role is User
>
> Now I would like to have a user database to dynamically assign roles
> to users.
>
> Therefore I changed the handler to
>
> Certificate:
>     type: ClientX509
>     user@: connector:auth.connector.userdbX509
>     arg: CN
>     trust_anchor:
>         realm: <my-realm>
>
> and added a connector
>
> userdbX509:
>     class: Connector::Proxy::YAML
>     LOCATION: /home/pkiadm/userdbX509.yaml
>
> The user database looks like
>
> John Doe:
>     role: RA Operator
>
> where ‘John Doe’ is the CN of the certificate
>
> With this configuration I can no longer authenticate: Unknown
> error (service default handle message failed)
>
> What’s wrong with my configuration?
>
> Thanks in advance
>
> Thomas
>
--
Protect your environment - close windows and adopt a penguin!
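
Option 1 from the reply above, written out as configuration. This is an added example, not part of the original thread and not taken from the OpenXPKI documentation. It combines the two handler variants and the user database entry quoted in the thread; the indentation and the choice of `User` as the fallback role (taken from the first handler) are assumptions.

```yaml
# Authentication handler: user database lookup plus a handler-level "role".
# Per Option 1, "role" is kept so that a default role is defined when the
# X509 handler reads it at line 145.
Certificate:
    type: ClientX509
    role: User                # default role; per the reply, this is what a
                              # user without a role receives, so keep it
                              # the least-privileged role of the realm
    user@: connector:auth.connector.userdbX509
    arg: CN
    trust_anchor:
        realm: <my-realm>

# Connector definition (placement assumed to match the path
# auth.connector.userdbX509 referenced above)
userdbX509:
    class: Connector::Proxy::YAML
    LOCATION: /home/pkiadm/userdbX509.yaml

# Contents of /home/pkiadm/userdbX509.yaml, keyed by the certificate CN.
# "username" must be returned by the user database (see the 19 August reply).
Thomas Gusset:
    username: Thomas Gusset
    role: RA Operator
```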