It has been reported that with the following directory-based authorization in the renewal profile caDirUserRenewal.cfg, the user_origreq authz evaluator failed to authorize with the debug message:
evaluated expression: user_origreq="auth_token.uid" to be false [SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_FAIL][SubjectID=$NonRoleUser$][Outcome=Failure][aclResource=caDirUserCert.authz.acl]Op=enroll authorization failure
My investigation reveals that the "uid" placed in the AuthToken in UidPwdDirAuthentication.java had been re-purposed at some point and "userid" has taken its place. The UserOrigReqAccessEvaluator.java needs the fix as well.
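To make the failure concrete, the following is a small Python model of the user_origreq evaluation, added here as an illustration; it is not Dogtag's code. The key names in the AuthToken, the "auth_token." prefix on the original request's stored attributes and the alias table that maps the old key to the renamed one are assumptions.

```python
import re

# Constructed sample data (not from the ticket): a renewal-time AuthToken as it
# looks after "uid" was repurposed into "userid", and the attribute the original
# enrollment request recorded for the same user under the old key name.
RENEWAL_AUTH_TOKEN = {"userid": "alice", "authMgrInstName": "UserDirEnrollment"}
ORIG_REQUEST_ATTRS = {"auth_token.uid": "alice"}

# Hypothetical alias table: expression attribute name -> key the AuthToken now uses.
RENAMED_TOKEN_KEYS = {"uid": "userid"}

_EXPR = re.compile(r'^user_origreq="auth_token\.(\w+)"$')


def evaluate_user_origreq(expression, auth_token, orig_request, renamed_keys=None):
    """Return True when the AuthToken attribute named in `expression` equals the
    value the original request stored for it, False otherwise.

    Without `renamed_keys` this models the pre-fix evaluator, which reads the
    attribute from the token under the literal name in the expression."""
    m = _EXPR.match(expression)
    if not m:
        raise ValueError("unsupported expression: " + expression)
    attr = m.group(1)
    renamed_keys = renamed_keys or {}
    token_key = renamed_keys.get(attr, attr)
    current = auth_token.get(token_key)
    original = orig_request.get("auth_token." + attr)
    # A missing attribute on either side is a failure, not a silent match.
    return current is not None and current == original


def demo():
    """Evaluate the ticket's expression before and after the key-rename fix."""
    expr = 'user_origreq="auth_token.uid"'
    before = evaluate_user_origreq(expr, RENEWAL_AUTH_TOKEN, ORIG_REQUEST_ATTRS)
    after = evaluate_user_origreq(expr, RENEWAL_AUTH_TOKEN, ORIG_REQUEST_ATTRS,
                                  RENAMED_TOKEN_KEYS)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before fix:", b, "after fix:", a)
```

The pre-fix lookup returns False for the legitimate user because the token no longer carries "uid", which is the AUTHZ_FAIL seen in the debug log; the aliased lookup matches, while a different user is still rejected.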
pushed to master: commit 6c0b6628e51bec01884174001f34dfce5e28c75d
Author: Christina Fu cfu@redhat.com
Date: Tue Dec 16 15:39:41 2014 -0800
Ticket 1173 Directory-based renewal evaluator fails authorization
pushed to DOGTAG_10_2_0_BRANCH: commit f154ad15e233331da1d4311e3496e8d82f59b4a8
Author: Christina Fu cfu@redhat.com
Date: Tue Dec 16 15:39:41 2014 -0800
Ticket 1173 Directory-based renewal evaluator fails authorization (cherry picked from commit 6c0b6628e51bec01884174001f34dfce5e28c75d)
pushed to DOGTAG_10_2_RHEL_BRANCH: commit 96d17f46f2fa5fc2fb619c9f148c72db6778ffad
Author: Christina Fu cfu@redhat.com
Date: Tue Dec 16 15:39:41 2014 -0800
Metadata Update from @cfu:
- Issue assigned to cfu
- Issue set to the milestone: 10.2.1
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1736
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.