author | Ade Lee <alee@redhat.com> | 2012-09-19 12:37:41 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2012-09-19 22:20:34 -0400 |
commit | e1666df57fb49b4c2c20563559cd2a7450a6f9f4 (patch) | |
tree | 8b372320ca55260d777c815dae104ef05ad7f240 /base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java | |
parent | 9173b431751486018957428e67392a4a94a86baf (diff) | |
Changes to use standard dbuser
We create a user that can be used to connect to the database using the
subsystem cert for client auth. We identified this user, using the seeAlso
attribute and provided certmap rules to this effect.
For this user, we used to reuse the uid = user CA-hostname-port, which is already
created for inter-system communication. But this is problematic if more than one
dbuser exists, as the directory server may bind as the incorrect user. In any
replication topology, there must be only one dbuser using the subsystem cert.
To simplify things, we create a new user specifically for this purpose
(pkidbuser), and we remove the seeAlso attribute from the older dbusers.
A script is needed to convert existing dogtag 9 instances to use the new user,
and set the relevant acls. This will be done in a separate commit.
Diffstat (limited to 'base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java')
-rw-r--r-- | base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java index eb7f84ebf..543b33c26 100644 --- a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java +++ b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java @@ -88,6 +88,14 @@ public interface IUGSubsystem extends ISubsystem, IUsrGrp { public void addCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException; /** + * Remove a certSubjectDN field from the user + * @param identity + * @throws EUsrGrpException + * @throws LDAPException + */ + public void removeCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException; + + /** * Removes a user certificate for a user entry * given a user certificate DN (actually, a combination of version, * serialNumber, issuerDN, and SubjectDN), and it gets removed |
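Review bot: the Javadoc added for removeCertSubjectDN leaves `@param identity` and both `@throws` tags without descriptions, and "Remove a certSubjectDN field from the user" does not say which value is removed or what happens when the user entry has none. The commit message relies on this removal to keep the directory server from binding as the wrong user, so callers need to know whether a missing value is a silent no-op or raises EUsrGrpException or LDAPException; please state that contract here, and name the directory attribute the field maps to if it is the seeAlso attribute the commit message mentions. Style point in the same comment: the following Javadoc opens with "Removes a user certificate", so "Removes" would match the neighbouring wording. Because this adds a method to the IUGSubsystem interface and the diffstat shown is limited to this file, please confirm that every implementing class gains the method in the same commit.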