diff options
author | Ade Lee <alee@redhat.com> | 2012-09-19 12:37:41 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2012-09-19 22:20:34 -0400 |
commit | e1666df57fb49b4c2c20563559cd2a7450a6f9f4 (patch) | |
tree | 8b372320ca55260d777c815dae104ef05ad7f240 /base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java | |
parent | 9173b431751486018957428e67392a4a94a86baf (diff) | |
download | pki-e1666df57fb49b4c2c20563559cd2a7450a6f9f4.tar.gz pki-e1666df57fb49b4c2c20563559cd2a7450a6f9f4.tar.xz pki-e1666df57fb49b4c2c20563559cd2a7450a6f9f4.zip |
Changes to use standard dbuser
We create a user that can be used to connect to the database using the
subsystem cert for client auth. We identified this user, using the seeAlso
attribute and provided certmap rules to this effect.
For this user, we used to reuse the uid = user CA-hostname-port, which is already
created for inter-system communication. But this is problematic if more than one
dbuser exists, as the directory server may bind as the incorrect user. In any
replication topology, there must be only one dbuser using the subsystem cert.
To simplify things, we create a new user specifically for this purpose
(pkidbuser), and we remove the seeAlso attribute from the older dbusers.
A script is needed to convert existing dogtag 9 istances to use the new user,
and set the relevant acls. This will be done in a separate commit.
Diffstat (limited to 'base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java')
-rw-r--r-- | base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java b/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java index 9e3dacb17..6b6157241 100644 --- a/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java +++ b/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java @@ -820,6 +820,54 @@ public final class UGSubsystem implements IUGSubsystem { return; } + public void removeCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException { + User user = (User) identity; + + if (user == null) { + CMS.debug("removeCertSubjectDN: null user passed in"); + return; + } + + X509Certificate cert[] = null; + LDAPModificationSet delAttr = new LDAPModificationSet(); + + if ((cert = user.getX509Certificates()) != null) { + LDAPAttribute attrCertDNStr = new LDAPAttribute(LDAP_ATTR_CERTDN); + attrCertDNStr.addValue(cert[0].getSubjectDN().toString()); + delAttr.add(LDAPModification.DELETE, attrCertDNStr); + + LDAPConnection ldapconn = null; + + try { + ldapconn = getConn(); + ldapconn.modify("uid=" + LDAPUtil.escapeDN(user.getUserID()) + + "," + getUserBaseDN(), delAttr); + // for audit log + SessionContext sessionContext = SessionContext.getContext(); + String adminId = (String) sessionContext.get(SessionContext.USER_ID); + + mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP, + AuditFormat.LEVEL, AuditFormat.REMOVECERTSUBJECTDNFORMAT, + new Object[] { adminId, user.getUserID(), + cert[0].getSubjectDN().toString() } + ); + + } catch (LDAPException e) { + if (Debug.ON) { + e.printStackTrace(); + } + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString())); + throw e; + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString())); + } finally { + if (ldapconn != null) + returnConn(ldapconn); + } + } + return; + } + /** * Removes a user certificate for a user entry * given a user certificate DN (actually, a combination of version, |