authorFraser Tweedale <frase@frase.id.au>2016-08-23 14:50:03 +1000
committerAde Lee <alee@redhat.com>2016-09-06 17:24:49 -0400
commitd1aa1ec049d7cb5beed9ba79b09930a90a3c51fe (patch)
tree519bde30aad2c603d71a6712f174eec074c9e59d /base/ca/src
parent68d98b63e18c5c952e0cdf3193b0ce1a5c55d5c1 (diff)
downloadpki-d1aa1ec049d7cb5beed9ba79b09930a90a3c51fe.tar.gz
pki-d1aa1ec049d7cb5beed9ba79b09930a90a3c51fe.tar.xz
pki-d1aa1ec049d7cb5beed9ba79b09930a90a3c51fe.zip
Accept LWCA entry with missing entryUSN if plugin enabled
Currently we abort adding a lightweight CA if its entry does not have an 'entryUSN' attribute, and log a failure, even if the USN plugin is enabled. But if the plugin is enabled, it's fine to proceed. Update the authority monitor to check if the USN plugin is enabled and only log the failure if it is not. Clarify the log message accordingly. Part of: https://fedorahosted.org/pki/ticket/2444
Diffstat (limited to 'base/ca/src')
-rw-r--r--base/ca/src/com/netscape/ca/CertificateAuthority.java46
1 files changed, 38 insertions, 8 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index bea129d07..aab965161 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -679,6 +679,24 @@ public class CertificateAuthority
}
}
+ private boolean entryUSNPluginEnabled() {
+ try {
+ LDAPConnection conn = dbFactory.getConn();
+ try {
+ LDAPSearchResults results = conn.search(
+ "cn=usn,cn=plugins,cn=config", LDAPConnection.SCOPE_BASE,
+ "(nsslapd-pluginEnabled=on)", null, false);
+ return results != null && results.hasMoreElements();
+ } catch (LDAPException e) {
+ return false;
+ } finally {
+ dbFactory.returnConn(conn);
+ }
+ } catch (ELdapException e) {
+ return false; // oh well
+ }
+ }
+
private void initCRLPublisher() throws EBaseException {
// instantiate CRL publisher
if (!isHostAuthority()) {
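Review bot: Both catch blocks in the new `entryUSNPluginEnabled()` discard the exception, so a failed search of `cn=usn,cn=plugins,cn=config` (for instance if the CA's bind identity is not allowed to read cn=config — not verifiable from here) is reported by the caller as "USN plugin not enabled; enable dirsrv USN plugin", pointing the operator at the wrong cause. Treating any failure as "not enabled" is the safe direction, since the entry is skipped rather than tracked without a USN, but the reason should be recorded: add `CMS.debug("entryUSNPluginEnabled: search failed: " + e);` before each `return false;` and drop the `// oh well` comment. A short Javadoc on the helper would make the contract explicit, e.g. `/** Returns true only if the dirsrv USN plugin entry is readable and has nsslapd-pluginEnabled=on; any connection or search error is treated as "not enabled". */`. The `initCRLPublisher()` method that follows starts in this hunk but its body continues outside it.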
@@ -3221,17 +3239,29 @@ public class CertificateAuthority
AuthorityID aid = new AuthorityID((String)
aidAttr.getStringValues().nextElement());
- LDAPAttribute entryUSN = entry.getAttribute("entryUSN");
- if (entryUSN == null) {
- log(ILogger.LL_FAILURE, "Authority entry has no entryUSN. " +
- "This is likely because the USN plugin is not enabled in the database");
- return;
+ Integer newEntryUSN = null;
+ LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN");
+ if (entryUSNAttr == null) {
+ CMS.debug("readAuthority: no entryUSN");
+ if (!entryUSNPluginEnabled()) {
+ CMS.debug("readAuthority: dirsrv USN plugin is not enabled; skipping entry");
+ log(ILogger.LL_FAILURE, "Lightweight authority entry has no"
+ + " entryUSN attribute and USN plugin not enabled;"
+ + " skipping. Enable dirsrv USN plugin.");
+ return;
+ } else {
+ CMS.debug("readAuthority: dirsrv USN plugin is enabled; continuing");
+ // entryUSN plugin is enabled, but no entryUSN attribute. We
+ // can proceed because future modifications will result in the
+ // entryUSN attribute being added.
+ }
+ } else {
+ newEntryUSN = new Integer(entryUSNAttr.getStringValueArray()[0]);
+ CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
}
- Integer newEntryUSN = new Integer(entryUSN.getStringValueArray()[0]);
- CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
Integer knownEntryUSN = entryUSNs.get(aid);
- if (knownEntryUSN != null) {
+ if (newEntryUSN != null && knownEntryUSN != null) {
CMS.debug("readAuthority: known entryUSN = " + knownEntryUSN);
if (newEntryUSN <= knownEntryUSN) {
CMS.debug("readAuthority: data is current");