authorAde Lee <alee@redhat.com>2012-02-29 23:31:15 -0500
committerAde Lee <alee@redhat.com>2012-03-09 01:55:38 -0500
commit87585b101172461d2ad175515154a3f4dbdcd089 (patch)
treeffd2b86f8a5ee724a4957972850445ebfc00d017
parenta4942509ef7bca864df619a94b90d05cf2204114 (diff)
Fixes to cloning and security domain tables for client auth internaldb user
The mechanism for getting an ldap connection to the internaldb was incorrect, both in the Security Domain Session Table and the DatabasePanel. As a result, connections to the internaldb failed for accessing the security domain session table and when trying to clone a master which connects to its database using client auth. The thread that handles reading the security domain session table is now only instantiated when running on a configured security domain master. Additionally, needed acls for the client auth certificate ldap user have been moved to manager.ldif. This includes acls to allow creation and management of replication agreements and replication users (now being created under ou=csusers, cn=config) Added logs to show when ldif import errors occur. Also made sure to write and remove master ldap password for use in replication. Ticket #5
-rw-r--r--pki/base/ca/shared/conf/CS.cfg.in1
-rw-r--r--pki/base/ca/shared/conf/manager.ldif48
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java13
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java172
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java103
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java13
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java31
-rw-r--r--pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java23
-rw-r--r--pki/base/kra/shared/conf/CS.cfg.in1
-rw-r--r--pki/base/kra/shared/conf/manager.ldif48
-rw-r--r--pki/base/migrate/80/MigrateSecurityDomain.java10
-rw-r--r--pki/base/ocsp/shared/conf/CS.cfg.in1
-rw-r--r--pki/base/ocsp/shared/conf/manager.ldif48
-rw-r--r--pki/base/tks/shared/conf/CS.cfg.in1
-rw-r--r--pki/base/tks/shared/conf/manager.ldif48
-rw-r--r--pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java7
16 files changed, 364 insertions, 204 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in
index 1ba0d2f40..980ed5854 100644
--- a/pki/base/ca/shared/conf/CS.cfg.in
+++ b/pki/base/ca/shared/conf/CS.cfg.in
@@ -818,6 +818,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/schema.ldif
preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/database.ldif
preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/acl.ldif
preop.internaldb.index_ldif=
+preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/index.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlvtasks.ldif
preop.internaldb.wait_dn=cn=index1160589769, cn=index, cn=tasks, cn=config
internaldb.multipleSuffix.enable=false
diff --git a/pki/base/ca/shared/conf/manager.ldif b/pki/base/ca/shared/conf/manager.ldif
new file mode 100644
index 000000000..52e486987
--- /dev/null
+++ b/pki/base/ca/shared/conf/manager.ldif
@@ -0,0 +1,48 @@
+# acis for cert manager
+
+dn: ou=csusers,cn=config
+objectClass: top
+objectClass: organizationalUnit
+ou: csusers
+
+dn: {rootSuffix}
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)
+
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)
+
+dn: ou=csusers,cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
+
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
+
+
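Review bot: The two entries targeting `cn=config` and `ou=csusers,cn=config` spell the keyword as `aci "..."` while every other entry in this file uses `acl "..."`; if the directory server does not accept both spellings those two ACIs are rejected on import, and because importLDIFS only logs import errors, the dbuser would silently end up without read access to cn=config or the right to manage replication users until replication setup fails later. Suggest normalising both to the form used elsewhere, e.g. `aci: (targetattr != aci)(version 3.0; acl "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)`. The `{rootSuffix}` grant combines `(targetattr=*)` with `allow (all)`, which, unlike the cn=config entries, includes the `aci` attribute itself, so the dbuser can rewrite its own access rights; a one-line comment stating that full control of the subsystem's own suffix is intended would make that explicit.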
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
index 7912486f5..b8cc8022e 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
@@ -249,14 +249,13 @@ public class AdminAuthenticatePanel extends WizardPanelBase {
if (!cstype.equals("ca")) {
c1.append(",preop.ca.hostname,preop.ca.httpport,preop.ca.httpsport,preop.ca.list,preop.ca.pkcs7,preop.ca.type");
}
-
+ s1.append(",internaldb,internaldb.ldapauth,internaldb.ldapconn");
String content =
- "uid="
- + uid
- + "&pwd="
- + pwd
- + "&op=get&names=cloning.module.token,instanceId,internaldb.basedn,internaldb.ldapauth.password,internaldb.replication.password,internaldb.ldapconn.host,internaldb.ldapconn.port,internaldb.ldapauth.bindDN"
- + c1.toString() + "&substores=" + s1.toString();
+ "uid=" + uid
+ + "&pwd=" + pwd
+ + "&op=get&names=cloning.module.token,instanceId,"
+ + "internaldb.ldapauth.password,internaldb.replication.password"
+ + c1.toString() + "&substores=" + s1.toString();
boolean success = updateConfigEntries(host, httpsport, true,
"/" + cstype + "/admin/" + cstype + "/getConfigEntries", content, config,
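Review bot: The rewritten request body still concatenates `uid` and `pwd` raw into the form-encoded string, so a password containing `&`, `=` or `%` is truncated or mis-decoded by the receiving servlet and the authentication fails; since these lines are being restructured anyway, encode both: `"uid=" + URLEncoder.encode(uid, "UTF-8") + "&pwd=" + URLEncoder.encode(pwd, "UTF-8")`. The added `s1.append(",internaldb,internaldb.ldapauth,internaldb.ldapconn")` lists two substores that sit under `internaldb`; if getConfigEntries returns substores recursively the two extra names are redundant, which deserves a comment if it is deliberate. The enclosing method starts and ends outside the hunk.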
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
index 5615c6dfb..d3b0e380e 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
@@ -23,6 +23,7 @@ import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.PrintStream;
+import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Random;
import java.util.StringTokenizer;
@@ -52,6 +53,7 @@ import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.ca.ICertificateAuthority;
import com.netscape.certsrv.dbs.IDBSubsystem;
+import com.netscape.certsrv.ldap.ILdapConnFactory;
import com.netscape.certsrv.property.Descriptor;
import com.netscape.certsrv.property.IDescriptor;
import com.netscape.certsrv.property.PropertySet;
@@ -318,8 +320,8 @@ public class DatabasePanel extends WizardPanelBase {
String masterport = "";
String masterbasedn = "";
try {
- masterhost = cs.getString("preop.internaldb.master.hostname", "");
- masterport = cs.getString("preop.internaldb.master.port", "");
+ masterhost = cs.getString("preop.internaldb.master.ldapconn.host", "");
+ masterport = cs.getString("preop.internaldb.master.ldapconn.port", "");
masterbasedn = cs.getString("preop.internaldb.master.basedn", "");
} catch (Exception e) {
}
@@ -518,13 +520,10 @@ public class DatabasePanel extends WizardPanelBase {
String baseDN = "";
String database = "";
String dn = "";
- String dbuser = "";
try {
baseDN = cs.getString("internaldb.basedn");
database = cs.getString("internaldb.database", "");
- dbuser = "uid=" + cs.getString("cs.type") + "-" + cs.getString("machineName") + "-"
- + cs.getString("service.securePort") + ",ou=people," + baseDN;
} catch (Exception e) {
CMS.debug("DatabasePanel populateDB: " + e.toString());
throw new IOException(
@@ -656,10 +655,6 @@ public class DatabasePanel extends WizardPanelBase {
attrs.add(new LDAPAttribute("objectClass", oc3));
attrs.add(new LDAPAttribute(n, v));
- String dbuserACI = "(targetattr=\"*\")(version 3.0; acl \"Cert Manager access\"; allow (all) userdn=\"ldap:///"
- + dbuser + "\";)";
- CMS.debug("ACI string is ["+ dbuserACI + "]");
- attrs.add(new LDAPAttribute("aci", dbuserACI));
LDAPEntry entry = new LDAPEntry(baseDN, attrs);
conn.add(entry);
} catch (Exception e) {
@@ -727,23 +722,6 @@ public class DatabasePanel extends WizardPanelBase {
throw new IOException("Failed to find base DN");
}
- // add dbuser aci to cn=config
- String dbuserACI = "(targetattr=\"*\")(version 3.0; acl \"Cert Manager access\"; allow (read) userdn=\"ldap:///"
- + dbuser + "\";)";
- CMS.debug("ACI string is [" + dbuserACI + "]");
- String configDN = "cn=ldbm database,cn=plugins,cn=config";
- try {
-
- LDAPAttribute attr = new LDAPAttribute("aci", dbuserACI);
- LDAPModification mod = new LDAPModification(LDAPModification.ADD, attr);
- conn.modify(configDN, mod);
- } catch (LDAPException e) {
- if (e.getLDAPResultCode() != LDAPException.ATTRIBUTE_OR_VALUE_EXISTS) {
- e.printStackTrace();
- throw new IOException("Failed to add aci to " + configDN);
- }
- }
-
String select = "";
try {
select = cs.getString("preop.subsystem.select", "");
@@ -753,9 +731,9 @@ public class DatabasePanel extends WizardPanelBase {
if (select.equals("clone")) {
// if this is clone, add index before replication
// don't put in the schema or bad things will happen
-
importLDIFS("preop.internaldb.ldif", conn);
importLDIFS("preop.internaldb.index_ldif", conn);
+ importLDIFS("preop.internaldb.manager_ldif", conn);
} else {
// data will be replicated from the master to the clone
// so clone does not need the data
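Review bot: On the clone path `preop.internaldb.manager_ldif` is imported before replication is set up, and the "cert manager access" ACI it adds lives as an attribute on the `{rootSuffix}` entry; if consumer initialization later replaces the clone's suffix entry with the master's copy, the clone's own `{dbuser}` grant is lost and only the master's dbuser remains authorized on the replicated tree. Worth verifying that the clone's dbuser still has access after `initializeConsumer`, and if not, re-importing the suffix portion of manager.ldif afterwards; the cn=config entries are not replicated and are unaffected. The same import is added on the non-clone path in the next hunk, where this concern does not apply.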
@@ -765,6 +743,7 @@ public class DatabasePanel extends WizardPanelBase {
importLDIFS("preop.internaldb.ldif", conn);
importLDIFS("preop.internaldb.data_ldif", conn);
importLDIFS("preop.internaldb.index_ldif", conn);
+ importLDIFS("preop.internaldb.manager_ldif", conn);
}
try {
@@ -821,6 +800,16 @@ public class DatabasePanel extends WizardPanelBase {
throw new IOException("instanceId is missing");
}
+ String dbuser = null;
+ try {
+ dbuser = "uid=" + cs.getString("cs.type") + "-" + cs.getString("machineName") + "-"
+ + cs.getString("service.securePort") + ",ou=people," + baseDN;
+ } catch (EBaseException e) {
+ CMS.debug("Unable to construct dbuser" + e.toString());
+ e.printStackTrace();
+ throw new IOException("unable to construct dbuser");
+ }
+
String configDir = instancePath + File.separator + "conf";
while (tokenizer.hasMoreTokens()) {
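Review bot: The new catch converts the `EBaseException` into `new IOException("unable to construct dbuser")` and discards the cause, and the preceding debug line `"Unable to construct dbuser" + e.toString()` runs the text straight into the exception with no separator. If the build targets Java 6 or later, chain it with `throw new IOException("unable to construct dbuser", e);` and write `CMS.debug("Unable to construct dbuser: " + e.toString());`. The enclosing method starts and ends outside the hunk.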
@@ -862,6 +851,8 @@ public class DatabasePanel extends WizardPanelBase {
ps.print(baseDN);
} else if (tok.equals("database")) {
ps.print(database);
+ } else if (tok.equals("dbuser")) {
+ ps.print(dbuser);
}
if ((s.length() + 1) == n1) {
endOfline = true;
@@ -883,8 +874,14 @@ public class DatabasePanel extends WizardPanelBase {
throw new IOException(
"Problem of copying ldif file: " + filename);
}
-
- LDAPUtil.importLDIF(conn, filename);
+ ArrayList<String> errors = new ArrayList<String>();
+ LDAPUtil.importLDIF(conn, filename, errors);
+ if (! errors.isEmpty()) {
+ CMS.debug("DatabasePanel: importLDIFS: LDAP Errors in importing " + filename);
+ for (String error: errors) {
+ CMS.debug(error);
+ }
+ }
}
}
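Review bot: LDAP errors returned by `LDAPUtil.importLDIF` are only written with `CMS.debug` and the import continues, so a rejected entry in manager.ldif (for example an ACI the server refuses) leaves the dbuser with fewer rights than intended and nothing fails until a later operation is denied. Consider separating benign results on a re-run (entry or attribute value already exists) from real failures and throwing an `IOException` for the latter, or at least adding a comment that import errors are deliberately non-fatal and why. The enclosing method starts outside the hunk.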
@@ -899,6 +896,7 @@ public class DatabasePanel extends WizardPanelBase {
context.put("firsttime", "false");
try {
+ @SuppressWarnings("unused")
String s = cs.getString("preop.database.removeData"); // check whether it's first time
} catch (Exception e) {
context.put("firsttime", "true");
@@ -1087,7 +1085,6 @@ public class DatabasePanel extends WizardPanelBase {
private void setupReplication(HttpServletRequest request,
Context context, String secure, String cloneStartTLS) throws IOException {
- String bindpwd = HttpInput.getPassword(request, "__bindpwd");
IConfigStore cs = CMS.getConfigStore();
String cstype = "";
@@ -1112,46 +1109,49 @@ public class DatabasePanel extends WizardPanelBase {
} catch (Exception e) {
}
- String master1_hostname = "";
- int master1_port = -1;
- String master1_binddn = "";
- String master1_bindpwd = "";
- String master1_replicationpwd = "";
-
+ // get connection to master
+ LDAPConnection masterConn = null;
+ ILdapConnFactory masterFactory = null;
try {
- master1_hostname = cs.getString("preop.internaldb.master.hostname", "");
- master1_port = cs.getInteger("preop.internaldb.master.port", -1);
- master1_binddn = cs.getString("preop.internaldb.master.binddn", "");
- master1_bindpwd = cs.getString("preop.internaldb.master.bindpwd", "");
- master1_replicationpwd = cs.getString("preop.internaldb.master.replicationpwd", "");
+ IConfigStore masterCfg = cs.getSubStore("preop.internaldb.master");
+ masterFactory = CMS.getLdapBoundConnFactory();
+ masterFactory.init(masterCfg);
+ masterConn = masterFactory.getConn();
} catch (Exception e) {
+ CMS.debug("Failed to set up connection to master:" + e.toString());
+ e.printStackTrace();
+ throw new IOException("Failed to set up replication: No connection to master");
}
- String master2_hostname = "";
- int master2_port = -1;
- String master2_binddn = "";
- String master2_bindpwd = "";
- String master2_replicationpwd = "";
-
+ // get connection to replica
+ LDAPConnection replicaConn = null;
+ ILdapConnFactory replicaFactory = null;
try {
- master2_hostname = cs.getString("internaldb.ldapconn.host", "");
- master2_port = cs.getInteger("internaldb.ldapconn.port", -1);
- master2_binddn = cs.getString("internaldb.ldapauth.bindDN", "");
- master2_bindpwd = bindpwd;
- master2_replicationpwd = cs.getString("preop.internaldb.replicationpwd", "");
+ IConfigStore replicaCfg = cs.getSubStore("internaldb");
+ replicaFactory = CMS.getLdapBoundConnFactory();
+ replicaFactory.init(replicaCfg);
+ replicaConn = replicaFactory.getConn();
} catch (Exception e) {
+ CMS.debug("Failed to set up connection to replica:" + e.toString());
+ e.printStackTrace();
+ throw new IOException("Failed to set up replication: No connection to replica");
}
- LDAPConnection conn1 = null;
- LDAPConnection conn2 = null;
- if (secure.equals("true")) {
- CMS.debug("DatabasePanel setupReplication: creating secure (SSL) connections for internal ldap");
- conn1 = new LDAPConnection(CMS.getLdapJssSSLSocketFactory());
- conn2 = new LDAPConnection(CMS.getLdapJssSSLSocketFactory());
- } else {
- CMS.debug("DatabasePanel setupreplication: creating non-secure (non-SSL) connections for internal ldap");
- conn1 = new LDAPConnection();
- conn2 = new LDAPConnection();
+ String master_hostname = "";
+ int master_port = -1;
+ String master_replicationpwd = "";
+ String replica_hostname = "";
+ int replica_port = -1;
+ String replica_replicationpwd = "";
+
+ try {
+ master_hostname = cs.getString("preop.internaldb.master.ldapconn.host", "");
+ master_port = cs.getInteger("preop.internaldb.master.ldapconn.port", -1);
+ master_replicationpwd = cs.getString("preop.internaldb.master.replication.password", "");
+ replica_hostname = cs.getString("internaldb.ldapconn.host", "");
+ replica_port = cs.getInteger("internaldb.ldapconn.port", -1);
+ replica_replicationpwd = cs.getString("preop.internaldb.replicationpwd", "");
+ } catch (Exception e) {
}
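Review bot: `masterConn` and `replicaConn` are checked out from `masterFactory` and `replicaFactory` but never handed back, and neither factory is shut down, so every replication setup leaks a pooled connection (the old code created its own `LDAPConnection` objects with the same omission, but there was no pool behind them). Return them in a `finally` once the replication work is done, e.g. `masterFactory.returnConn(masterConn);` and `replicaFactory.returnConn(replicaConn);`. The new `catch (Exception e) { }` around the hostname, port and replication-password reads swallows a missing key and continues with `-1` and empty strings, which then fail later inside `createReplicationAgreement` with a less useful message; at minimum log it with `CMS.debug`. The method continues in the following hunks.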
String basedn = "";
@@ -1161,10 +1161,6 @@ public class DatabasePanel extends WizardPanelBase {
}
try {
- conn1.connect(master1_hostname, master1_port, master1_binddn,
- master1_bindpwd);
- conn2.connect(master2_hostname, master2_port, master2_binddn,
- master2_bindpwd);
String suffix = cs.getString("internaldb.basedn", "");
String replicadn = "cn=replica,cn=\"" + suffix + "\",cn=mapping tree,cn=config";
@@ -1173,46 +1169,52 @@ public class DatabasePanel extends WizardPanelBase {
String masterBindUser = "Replication Manager " + masterAgreementName;
String cloneBindUser = "Replication Manager " + cloneAgreementName;
- createReplicationManager(conn1, masterBindUser, master1_replicationpwd);
- createReplicationManager(conn2, cloneBindUser, master2_replicationpwd);
+ createReplicationManager(masterConn, masterBindUser, master_replicationpwd);
+ createReplicationManager(replicaConn, cloneBindUser, replica_replicationpwd);
- String dir1 = getInstanceDir(conn1);
- createChangeLog(conn1, dir1 + "/changelogs");
+ String dir1 = getInstanceDir(masterConn);
+ createChangeLog(masterConn, dir1 + "/changelogs");
- String dir2 = getInstanceDir(conn2);
- createChangeLog(conn2, dir2 + "/changelogs");
+ String dir2 = getInstanceDir(replicaConn);
+ createChangeLog(replicaConn, dir2 + "/changelogs");
int replicaId = cs.getInteger("dbs.beginReplicaNumber", 1);
- replicaId = enableReplication(replicadn, conn1, masterBindUser, basedn, replicaId);
- replicaId = enableReplication(replicadn, conn2, cloneBindUser, basedn, replicaId);
+ replicaId = enableReplication(replicadn, masterConn, masterBindUser, basedn, replicaId);
+ replicaId = enableReplication(replicadn, replicaConn, cloneBindUser, basedn, replicaId);
cs.putString("dbs.beginReplicaNumber", Integer.toString(replicaId));
CMS.debug("DatabasePanel setupReplication: Finished enabling replication");
- createReplicationAgreement(replicadn, conn1, masterAgreementName,
- master2_hostname, master2_port, master2_replicationpwd, basedn, cloneBindUser, secure,
+ createReplicationAgreement(replicadn, masterConn, masterAgreementName,
+ replica_hostname, replica_port, replica_replicationpwd, basedn, cloneBindUser, secure,
cloneStartTLS);
- createReplicationAgreement(replicadn, conn2, cloneAgreementName,
- master1_hostname, master1_port, master1_replicationpwd, basedn, masterBindUser, secure,
+ createReplicationAgreement(replicadn, replicaConn, cloneAgreementName,
+ master_hostname, master_port, master_replicationpwd, basedn, masterBindUser, secure,
cloneStartTLS);
// initialize consumer
- initializeConsumer(replicadn, conn1, masterAgreementName);
+ initializeConsumer(replicadn, masterConn, masterAgreementName);
- while (!replicationDone(replicadn, conn1, masterAgreementName)) {
+ while (!replicationDone(replicadn, masterConn, masterAgreementName)) {
CMS.debug("DatabasePanel setupReplication: Waiting for replication to complete");
Thread.sleep(1000);
}
- String status = replicationStatus(replicadn, conn1, masterAgreementName);
+ String status = replicationStatus(replicadn, masterConn, masterAgreementName);
if (!status.startsWith("0 ")) {
CMS.debug("DatabasePanel setupReplication: consumer initialization failed. " +
status);
throw new IOException("consumer initialization failed. " + status);
}
+ // remove master ldap password from password.conf (if present)
+ String passwordFile = cs.getString("passwordFile");
+ IConfigStore psStore = CMS.createFileConfigStore(passwordFile);
+ psStore.remove("master_internaldb");
+ psStore.commit(false);
+
} catch (Exception e) {
CMS.debug("DatabasePanel setupReplication: " + e.toString());
throw new IOException("Failed to setup the replication for cloning.");
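Review bot: The removal of `master_internaldb` from the password file only runs on the success path, so if anything before it throws (replication manager creation, consumer initialization, the status check) the master's LDAP bind password remains on disk in that file. Move the `psStore.remove("master_internaldb"); psStore.commit(false);` pair into a `finally`, or repeat it in the catch before the `IOException` is thrown. The `catch (Exception e)` also rethrows a fixed message and discards `e`; chaining it as `new IOException("Failed to setup the replication for cloning.", e)` would keep the LDAP result code available for diagnosis. The method ends outside the hunk.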
@@ -1238,7 +1240,7 @@ public class DatabasePanel extends WizardPanelBase {
throws LDAPException {
LDAPAttributeSet attrs = null;
LDAPEntry entry = null;
- String dn = "cn=" + bindUser + ",cn=config";
+ String dn = "cn=" + bindUser + ",ou=csusers,cn=config";
try {
attrs = new LDAPAttributeSet();
attrs.add(new LDAPAttribute("objectclass", "top"));
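Review bot: The replication manager entry is now created under `ou=csusers,cn=config`, which exists only where manager.ldif has been imported; when cloning from a master installed before this change, the add on the master side will presumably fail with a no-such-object result unless that ou is created first. Worth either creating `ou=csusers,cn=config` here when it is missing, or documenting that such masters must be migrated beforehand (the diffstat lists a MigrateSecurityDomain change that may cover this, but it is not shown). The same DN change appears in the three following hunks for the replica bind DN.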
@@ -1315,7 +1317,7 @@ public class DatabasePanel extends WizardPanelBase {
attrs.add(new LDAPAttribute("nsDS5ReplicaRoot", basedn));
attrs.add(new LDAPAttribute("nsDS5ReplicaType", "3"));
attrs.add(new LDAPAttribute("nsDS5ReplicaBindDN",
- "cn=" + bindUser + ",cn=config"));
+ "cn=" + bindUser + ",ou=csusers,cn=config"));
attrs.add(new LDAPAttribute("cn", "replica"));
attrs.add(new LDAPAttribute("nsDS5ReplicaId", Integer.toString(id)));
attrs.add(new LDAPAttribute("nsds5flags", "1"));
@@ -1330,7 +1332,7 @@ public class DatabasePanel extends WizardPanelBase {
try {
entry = conn.read(replicadn);
LDAPAttribute attr = entry.getAttribute("nsDS5ReplicaBindDN");
- attr.addValue("cn=" + bindUser + ",cn=config");
+ attr.addValue("cn=" + bindUser + ",ou=csusers,cn=config");
LDAPModification mod = new LDAPModification(LDAPModification.REPLACE, attr);
conn.modify(replicadn, mod);
} catch (LDAPException ee) {
@@ -1367,7 +1369,7 @@ public class DatabasePanel extends WizardPanelBase {
attrs.add(new LDAPAttribute("nsDS5ReplicaHost", replicahost));
attrs.add(new LDAPAttribute("nsDS5ReplicaPort", "" + replicaport));
attrs.add(new LDAPAttribute("nsDS5ReplicaBindDN",
- "cn=" + bindUser + ",cn=config"));
+ "cn=" + bindUser + ",ou=csusers,cn=config"));
attrs.add(new LDAPAttribute("nsDS5ReplicaBindMethod", "Simple"));
attrs.add(new LDAPAttribute("nsds5replicacredentials", replicapwd));
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java
index 244b7df4c..b9932722e 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.servlet.csadmin;
-import java.io.IOException;
import java.util.Date;
import java.util.Enumeration;
import java.util.Vector;
@@ -31,9 +30,11 @@ import netscape.ldap.LDAPSearchResults;
import netscape.ldap.LDAPv2;
import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.ISecurityDomainSessionTable;
-import com.netscape.cmsutil.password.IPasswordStore;
+import com.netscape.certsrv.ldap.ELdapException;
+import com.netscape.certsrv.ldap.ILdapConnFactory;
/**
* This object stores the values for IP, uid and group based on the cookie id in LDAP.
@@ -43,9 +44,14 @@ public class LDAPSecurityDomainSessionTable
implements ISecurityDomainSessionTable {
private long m_timeToLive;
+ private ILdapConnFactory mLdapConnFactory = null;
- public LDAPSecurityDomainSessionTable(long timeToLive) {
+ public LDAPSecurityDomainSessionTable(long timeToLive) throws ELdapException, EBaseException {
m_timeToLive = timeToLive;
+ IConfigStore cs = CMS.getConfigStore();
+ IConfigStore internaldb = cs.getSubStore("internaldb");
+ mLdapConnFactory = CMS.getLdapBoundConnFactory();
+ mLdapConnFactory.init(internaldb);
}
public int addEntry(String sessionId, String ip,
@@ -67,7 +73,7 @@ public class LDAPSecurityDomainSessionTable
try {
// create session entry (if it does not exist)
- conn = getLDAPConn();
+ conn = mLdapConnFactory.getConn();
LDAPEntry entry = null;
LDAPAttributeSet attrs = null;
@@ -112,7 +118,7 @@ public class LDAPSecurityDomainSessionTable
}
try {
- conn.disconnect();
+ mLdapConnFactory.returnConn(conn);
} catch (Exception e) {
CMS.debug("SecurityDomainSessionTable:addEntry: Error in disconnecting from database: " + e);
}
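Review bot: `mLdapConnFactory.returnConn(conn)` is reached even when `getConn()` threw and `conn` is still null, and the surrounding catch then logs `Error in disconnecting from database`, which no longer describes what happens here since the connection is returned to the factory rather than closed. Guard the call with `if (conn != null)` and reword the message to say the connection could not be returned; the same pattern recurs in the later hunks of this file (removeEntry, isSessionIdExist, getSessionIds, the attribute lookup and the session count). The enclosing method starts outside the hunk.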
@@ -126,7 +132,7 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = cs.getString("internaldb.basedn");
String dn = "cn=" + sessionId + ",ou=sessions,ou=Security Domain," + basedn;
- conn = getLDAPConn();
+ conn = mLdapConnFactory.getConn();
conn.delete(dn);
status = SUCCESS;
} catch (Exception e) {
@@ -138,7 +144,7 @@ public class LDAPSecurityDomainSessionTable
}
}
try {
- conn.disconnect();
+ mLdapConnFactory.returnConn(conn);
} catch (Exception e) {
CMS.debug("SecurityDomainSessionTable: removeEntry: Error in disconnecting from database: " + e);
}
@@ -155,7 +161,7 @@ public class LDAPSecurityDomainSessionTable
String filter = "(cn=" + sessionId + ")";
String[] attrs = { "cn" };
- conn = getLDAPConn();
+ conn = mLdapConnFactory.getConn();
LDAPSearchResults res = conn.search(sessionsdn, LDAPv2.SCOPE_SUB, filter, attrs, false);
if (res.getCount() > 0)
ret = true;
@@ -164,7 +170,7 @@ public class LDAPSecurityDomainSessionTable
}
try {
- conn.disconnect();
+ mLdapConnFactory.returnConn(conn);
} catch (Exception e) {
CMS.debug("SecurityDomainSessionTable: isSessionIdExist: Error in disconnecting from database: " + e);
}
@@ -182,7 +188,7 @@ public class LDAPSecurityDomainSessionTable
String filter = "(objectclass=securityDomainSessionEntry)";
String[] attrs = { "cn" };
- conn = getLDAPConn();
+ conn = mLdapConnFactory.getConn();
LDAPSearchResults res = conn.search(sessionsdn, LDAPv2.SCOPE_SUB, filter, attrs, false);
while (res.hasMoreElements()) {
LDAPEntry entry = res.next();
@@ -201,7 +207,7 @@ public class LDAPSecurityDomainSessionTable
}
try {
- conn.disconnect();
+ mLdapConnFactory.returnConn(conn);
} catch (Exception e) {
CMS.debug("SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: " + e);
}
@@ -218,7 +224,7 @@ public class LDAPSecurityDomainSessionTable
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
String filter = "(cn=" + sessionId + ")";
String[] attrs = { attr };
- conn = getLDAPConn();
+ conn = mLdapConnFactory.getConn();
LDAPSearchResults res = conn.search(sessionsdn, LDAPv2.SCOPE_SUB, filter, attrs, false);
if (res.getCount() > 0) {
LDAPEntry entry = res.next();
@@ -229,7 +235,7 @@ public class LDAPSecurityDomainSessionTable
}
try {
- conn.disconnect();
+ mLdapConnFactory.returnConn(conn);
} catch (Exception e) {
CMS.debug("SecurityDomainSessionTable: isSessionIdExist: Error in disconnecting from database: " + e);
}
@@ -271,7 +277,7 @@ public class LDAPSecurityDomainSessionTable
String filter = "(objectclass=securityDomainSessionEntry)";
String[] attrs = { "cn" };
- conn = getLDAPConn();
+ conn = mLdapConnFactory.getConn();
LDAPSearchResults res = conn.search(sessionsdn, LDAPv2.SCOPE_SUB, filter, attrs, false);
ret = res.getCount();
} catch (Exception e) {
@@ -279,78 +285,11 @@ public class LDAPSecurityDomainSessionTable
}
try {
- conn.disconnect();
+ mLdapConnFactory.returnConn(conn);
} catch (Exception e) {
CMS.debug("SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: " + e);
}
return ret;
}
-
- private LDAPConnection getLDAPConn()
- throws IOException {
- IConfigStore cs = CMS.getConfigStore();
-
- String host = "";
- String port = "";
- String pwd = null;
- String binddn = "";
- String security = "";
- String clientNick = "";
-
- IPasswordStore pwdStore = CMS.getPasswordStore();
-
- if (pwdStore != null) {
- //CMS.debug("SecurityDomainSessionTable: getLDAPConn: password store available");
- pwd = pwdStore.getPassword("internaldb");
- }
-
- if (pwd == null) {
- throw new IOException("SecurityDomainSessionTable: Failed to obtain password from password store");
- }
-
- try {
- host = cs.getString("internaldb.ldapconn.host");
- port = cs.getString("internaldb.ldapconn.port");
- binddn = cs.getString("internaldb.ldapauth.bindDN");
- security = cs.getString("internaldb.ldapconn.secureConn");
- clientNick = cs.getString("internaldb.ldapauth.clientCertNickname");
- } catch (Exception e) {
- CMS.debug("SecurityDomainSessionTable: getLDAPConn" + e.toString());
- throw new IOException(
- "Failed to retrieve LDAP information from CS.cfg.");
- }
-
- int p = -1;
-
- try {
- p = Integer.parseInt(port);
- } catch (Exception e) {
- CMS.debug("SecurityDomainSessionTable getLDAPConn: " + e.toString());
- throw new IOException("Port is not valid");
- }
-
- LDAPConnection conn = null;
- if (!clientNick.equals("")) {
- CMS.debug("SecurityDomainSessionTable getLDAPConn: creating secure (SSL) client auth connection for internal ldap");
- conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory(clientNick));
- } else if (security.equals("true")) {
- //CMS.debug("SecurityDomainSessionTable getLDAPConn: creating secure (SSL) connection for internal ldap");
- conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory());
- } else {
- //CMS.debug("SecurityDomainSessionTable getLDAPConn: creating non-secure (non-SSL) connection for internal ldap");
- conn = new LDAPConnection();
- }
-
- //CMS.debug("SecurityDomainSessionTable connecting to " + host + ":" + p);
- try {
- conn.connect(host, p, binddn, pwd);
- } catch (LDAPException e) {
- CMS.debug("SecurityDomainSessionTable getLDAPConn: " + e.toString());
- throw new IOException("Failed to connect to the internal database.");
- }
-
- return conn;
- }
-
}
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
index 80a887fd2..ea0e79787 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
@@ -456,14 +456,15 @@ public class RestoreKeyCertPanel extends WizardPanelBase {
s1.append(",");
s1.append("ca.connector.KRA");
}
+
+ s1.append(",internaldb,internaldb.ldapauth,internaldb.ldapconn");
content =
- "op=get&names=cloning.token,instanceId,internaldb.basedn,internaldb.ldapauth.password,internaldb.replication.password,internaldb.ldapconn.host,internaldb.ldapconn.port,internaldb.ldapauth.bindDN"
- + c1.toString()
- + "&substores="
- + s1.toString()
- + "&xmlOutput=true&sessionID="
- + session_id;
+ "op=get&names=cloning.token,instanceId,internaldb.basedn,internaldb.ldapauth.password,"
+ + "internaldb.replication.password" + c1.toString()
+ + "&substores=" + s1.toString()
+ + "&xmlOutput=true&sessionID="
+ + session_id;
boolean success = updateConfigEntries(master_hostname, master_port, true,
"/" + cstype + "/admin/" + cstype + "/getConfigEntries", content, config, response);
if (!success) {
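Review bot: The names list keeps `internaldb.basedn` and `internaldb.ldapauth.password` even though the new `s1.append(",internaldb,...")` now requests the whole `internaldb` substore, whereas the parallel change in AdminAuthenticatePanel dropped `internaldb.basedn` from its names; if getConfigEntries returns substores recursively both panels could share the same shorter list, and if it does not, the two panels now fetch different sets of master keys. Aligning the two strings, or noting in a comment why they differ, would avoid a clone picking up a different master configuration depending on which panel ran. The enclosing method starts and ends outside the hunk.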
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
index 40190c9a7..ea47e82ed 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
@@ -620,19 +620,11 @@ public class WizardPanelBase implements IWizardPanel {
}
}
- if (name.equals("internaldb.ldapconn.host")) {
- config.putString("preop.internaldb.master.hostname", v);
- } else if (name.equals("internaldb.ldapconn.port")) {
- config.putString("preop.internaldb.master.port", v);
- } else if (name.equals("internaldb.ldapauth.bindDN")) {
- config.putString("preop.internaldb.master.binddn", v);
- } else if (name.equals("internaldb.basedn")) {
+ if (name.equals("internaldb.basedn")) {
config.putString(name, v);
config.putString("preop.internaldb.master.basedn", v);
- } else if (name.equals("internaldb.ldapauth.password")) {
- config.putString("preop.internaldb.master.bindpwd", v);
- } else if (name.equals("internaldb.replication.password")) {
- config.putString("preop.internaldb.master.replicationpwd", v);
+ } else if (name.startsWith("internaldb")) {
+ config.putString(name.replaceFirst("internaldb", "preop.internaldb.master"), v);
} else if (name.equals("instanceId")) {
config.putString("preop.master.instanceId", v);
} else if (name.equals("cloning.cert.signing.nickname")) {
@@ -681,6 +673,23 @@ public class WizardPanelBase implements IWizardPanel {
}
}
+ // set master ldap password (if it exists) temporarily in password store
+ // in case it is needed for replication. Not stored in password.conf.
+ try {
+ String master_pwd = config.getString("preop.internaldb.master.ldapauth.password", "");
+ if (!master_pwd.equals("")) {
+ config.putString("preop.internaldb.master.ldapauth.bindPWPrompt", "master_internaldb");
+ String passwordFile = config.getString("passwordFile");
+ IConfigStore psStore = CMS.createFileConfigStore(passwordFile);
+ psStore.putString("master_internaldb", master_pwd);
+ psStore.commit(false);
+ }
+ } catch (Exception e) {
+ CMS.debug("updateConfigEntries: Failed to temporarily store master bindpwd: " + e.toString());
+ e.printStackTrace();
+ throw new IOException(e.toString());
+ }
+
return true;
} else if (status.equals(AUTH_FAILURE)) {
reloginSecurityDomain(response);
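Review bot: The catch on L717–720 discards the cause: `throw new IOException(e.toString())` keeps only the message text, and `e.printStackTrace()` writes to stderr outside the CMS debug log. Prefer `throw new IOException("updateConfigEntries: failed to store master bind password in password store", e);` and drop the printStackTrace. L714–715 commit the `master_internaldb` entry to the password file with nothing here marking it as temporary, so a comment on L706 stating where the entry is deleted again — `// entry "master_internaldb" is removed in <TODO: name the step that deletes it> once replication is set up` — would make the lifetime of that credential checkable. The enclosing method continues outside the hunk.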
diff --git a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
index 5fdcaece0..6ca1b6e7e 100644
--- a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -345,18 +345,19 @@ public class CMSEngine implements ICMSEngine {
String secdomain_source = config.getString("securitydomain.source", "memory");
String secdomain_check_interval = config.getString("securitydomain.checkinterval", "5000");
- if (secdomain_source.equals("ldap")) {
- mSecurityDomainSessionTable = new LDAPSecurityDomainSessionTable((new Long(flush_timeout)).longValue());
- } else {
- mSecurityDomainSessionTable = new SecurityDomainSessionTable((new Long(flush_timeout)).longValue());
- }
+ if ((state == 1) && (!sd.equals("existing"))) {
+ // check session domain table only if this is a
+ // configured security domain host
+
+ if (secdomain_source.equals("ldap")) {
+ mSecurityDomainSessionTable = new LDAPSecurityDomainSessionTable((new Long(flush_timeout)).longValue());
+ } else {
+ mSecurityDomainSessionTable = new SecurityDomainSessionTable((new Long(flush_timeout)).longValue());
+ }
+
+ mSDTimer = new Timer();
+ SessionTimer timertask = new SessionTimer(mSecurityDomainSessionTable);
- mSDTimer = new Timer();
- SessionTimer timertask = new SessionTimer(mSecurityDomainSessionTable);
- if ((state != 1) || (sd.equals("existing"))) {
- // for non-security domain hosts or if not yet configured,
- // do not check session domain table
- } else {
mSDTimer.schedule(timertask, 5, (new Long(secdomain_check_interval)).longValue());
}
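Review bot: After this change `mSecurityDomainSessionTable` stays null whenever `state != 1` or `sd` equals `"existing"`, whereas before it was always constructed and only the timer was skipped; any accessor that returns or dereferences that field (not visible here) now needs a null check or must document that it returns null on hosts that are not a configured security domain master. Suggest a comment on L738: `// table and timer exist only on a configured security domain master; the field stays null elsewhere`. The `(new Long(flush_timeout)).longValue()` and `(new Long(secdomain_check_interval)).longValue()` expressions can be `Long.parseLong(flush_timeout)` and `Long.parseLong(secdomain_check_interval)`, which avoid the boxing and read as the parse they are. The enclosing method continues outside the hunk.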
diff --git a/pki/base/kra/shared/conf/CS.cfg.in b/pki/base/kra/shared/conf/CS.cfg.in
index 19570155c..a6d49ceb5 100644
--- a/pki/base/kra/shared/conf/CS.cfg.in
+++ b/pki/base/kra/shared/conf/CS.cfg.in
@@ -225,6 +225,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/schema.ldif
preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/database.ldif
preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/db.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/acl.ldif
preop.internaldb.index_ldif=
+preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/index.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlvtasks.ldif
preop.internaldb.wait_dn=cn=index1160527115, cn=index, cn=tasks, cn=config
internaldb.multipleSuffix.enable=false
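Review bot: The new `preop.internaldb.manager_ldif` value points at `/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif` although this commit adds a `manager.ldif` under `pki/base/kra/shared/conf/`; the OCSP (L858) and TKS (L924) configs reference the CA path in the same way. As written, the KRA, OCSP and TKS instances never load their own copy and depend on the CA package's file being present on the host, which is likely to fail where only one of those subsystems is installed. The line should read `preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/manager.ldif` (and `ocsp`/`tks` respectively), matching the other `preop.internaldb.*_ldif` entries on L763–767.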
diff --git a/pki/base/kra/shared/conf/manager.ldif b/pki/base/kra/shared/conf/manager.ldif
new file mode 100644
index 000000000..52e486987
--- /dev/null
+++ b/pki/base/kra/shared/conf/manager.ldif
@@ -0,0 +1,48 @@
+# acis for cert manager
+
+dn: ou=csusers,cn=config
+objectClass: top
+objectClass: organizationalUnit
+ou: csusers
+
+dn: {rootSuffix}
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)
+
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)
+
+dn: ou=csusers,cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
+
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
+
+
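Review bot: The ACI on L786 grants `allow (all)` on the whole `{rootSuffix}` with `(targetattr=*)`, so the database user can also write the `aci` attribute and widen its own grants, whereas the `cn=config` and `ou=csusers` grants on L796 and L801 exclude `aci`; unless the cert manager is known to manage ACIs on the suffix, `(targetattr != aci)` on L786 keeps that grant self-limiting, and which it is should be confirmed against what the subsystem actually writes. The replication ACIs on L806–816 are scoped to `cn="{rootSuffix}",cn=mapping tree,cn=config` with object-class filters, which is the right shape. The OCSP (L867–915) and TKS (L933–981) files are byte-identical to this one (same blob id), so a single shared file referenced from each subsystem config would avoid three copies drifting. A header comment naming `{dbuser}` and `{rootSuffix}` as substitution placeholders filled in at install time would also help a reader, since nothing in the file says so.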
diff --git a/pki/base/migrate/80/MigrateSecurityDomain.java b/pki/base/migrate/80/MigrateSecurityDomain.java
index 67f6c4b33..420e17805 100644
--- a/pki/base/migrate/80/MigrateSecurityDomain.java
+++ b/pki/base/migrate/80/MigrateSecurityDomain.java
@@ -18,6 +18,7 @@
import java.io.FileInputStream;
import java.io.IOException;
+import java.util.ArrayList;
import java.util.Vector;
import netscape.ldap.LDAPAttribute;
@@ -120,8 +121,15 @@ public class MigrateSecurityDomain {
// add new schema elements
String importFile = "./schema-add.ldif";
+ ArrayList<String> errors = new ArrayList<String>();
try {
- LDAPUtil.importLDIF(conn, importFile);
+ LDAPUtil.importLDIF(conn, importFile, errors);
+ if (! errors.isEmpty()) {
+ System.out.println("MigrateSecurityDomain: Errors in adding new schema elements:");
+ for (String error: errors) {
+ System.out.println(error);
+ }
+ }
} catch (Exception e) {
System.out.println("MigrateSecurityDomain: Error in adding new schema elements");
System.exit(1);
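Review bot: Errors collected from `importLDIF` on L841–846 are printed and then ignored, while an exception from the same call exits with status 1 on L847–849, so a partially applied schema now reports success to the caller. If per-entry failures should be fatal, a `System.exit(1)` belongs after the loop on L845; if they are deliberately tolerated (e.g. an entry that already exists on a re-run), a comment saying so keeps the next reader from "fixing" it: `// per-entry failures are reported but not fatal; re-runs may hit entries added earlier`. The enclosing method continues outside the hunk.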
diff --git a/pki/base/ocsp/shared/conf/CS.cfg.in b/pki/base/ocsp/shared/conf/CS.cfg.in
index 4dbda23cb..5be916e7c 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg.in
+++ b/pki/base/ocsp/shared/conf/CS.cfg.in
@@ -187,6 +187,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/schema.ldif
preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/database.ldif
preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ocsp/conf/acl.ldif
preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/index.ldif
+preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
preop.internaldb.post_ldif=
preop.internaldb.wait_dn=
internaldb.multipleSuffix.enable=false
diff --git a/pki/base/ocsp/shared/conf/manager.ldif b/pki/base/ocsp/shared/conf/manager.ldif
new file mode 100644
index 000000000..52e486987
--- /dev/null
+++ b/pki/base/ocsp/shared/conf/manager.ldif
@@ -0,0 +1,48 @@
+# acis for cert manager
+
+dn: ou=csusers,cn=config
+objectClass: top
+objectClass: organizationalUnit
+ou: csusers
+
+dn: {rootSuffix}
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)
+
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)
+
+dn: ou=csusers,cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
+
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
+
+
diff --git a/pki/base/tks/shared/conf/CS.cfg.in b/pki/base/tks/shared/conf/CS.cfg.in
index bf195d234..195201e4d 100644
--- a/pki/base/tks/shared/conf/CS.cfg.in
+++ b/pki/base/tks/shared/conf/CS.cfg.in
@@ -180,6 +180,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/schema.ldif
preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/database.ldif
preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/db.ldif,/usr/share/[PKI_FLAVOR]/tks/conf/acl.ldif
preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/index.ldif
+preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
preop.internaldb.post_ldif=
preop.internaldb.wait_dn=
internaldb.multipleSuffix.enable=false
diff --git a/pki/base/tks/shared/conf/manager.ldif b/pki/base/tks/shared/conf/manager.ldif
new file mode 100644
index 000000000..52e486987
--- /dev/null
+++ b/pki/base/tks/shared/conf/manager.ldif
@@ -0,0 +1,48 @@
+# acis for cert manager
+
+dn: ou=csusers,cn=config
+objectClass: top
+objectClass: organizationalUnit
+ou: csusers
+
+dn: {rootSuffix}
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)
+
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)
+
+dn: ou=csusers,cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
+
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
+
+
diff --git a/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java b/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java
index 132e65e6c..a78f8ac55 100644
--- a/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java
+++ b/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java
@@ -18,6 +18,7 @@
package com.netscape.cmsutil.ldap;
import java.io.IOException;
+import java.util.ArrayList;
import netscape.ldap.LDAPAttribute;
import netscape.ldap.LDAPAttributeSet;
@@ -32,7 +33,7 @@ import netscape.ldap.util.LDIFModifyContent;
import netscape.ldap.util.LDIFRecord;
public class LDAPUtil {
- public static void importLDIF(LDAPConnection conn, String filename) throws IOException {
+ public static void importLDIF(LDAPConnection conn, String filename, ArrayList<String> errors) throws IOException {
LDIF ldif = new LDIF(filename);
while (true) {
try {
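Review bot: The signature change on L996 breaks every existing `importLDIF(conn, filename)` caller that this diff does not update, and the `errors.add` calls later in the method throw NullPointerException if a caller passes null. A two-argument overload keeps old call sites compiling and makes the collector optional: `public static void importLDIF(LDAPConnection conn, String filename) throws IOException { importLDIF(conn, filename, new ArrayList<String>()); }`. The parameter would also be better typed as `List<String>` (importing `java.util.List`) so callers are not tied to `ArrayList`, and the method deserves a Javadoc with `@param errors` stating that one message is appended per entry that fails to add or modify and that such failures do not abort the import. The method body continues outside the hunk.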
@@ -53,6 +54,8 @@ public class LDAPUtil {
try {
conn.add(entry);
} catch (LDAPException ee) {
+ errors.add("LDAPUtil:importLDIF: exception in adding entry " + dn +
+ ":" + ee.toString() + "\n");
}
} else if (type == LDIFContent.MODIFICATION_CONTENT) {
LDIFModifyContent c = (LDIFModifyContent) content;
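Review bot: The two error messages are not consistent: the add failure on L1004–1005 ends with `"\n"` while the modify failure in the next hunk (L1013–1014) does not, so a caller that prints each entry with `println` (as MigrateSecurityDomain does on L844) gets a blank line after add errors only. Drop the trailing `"\n"` on L1005, or use the same form in both places. Including the `dn` is useful, and `ee.toString()` carries the LDAP result code an operator needs to tell an ACI failure from a schema one. The enclosing loop continues outside the hunk.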
@@ -60,6 +63,8 @@ public class LDAPUtil {
try {
conn.modify(dn, mods);
} catch (LDAPException ee) {
+ errors.add("LDAPUtil:importLDIF: exception in modifying entry " + dn +
+ ":" + ee.toString());
}
}
} catch (Exception e) {