author | Matthew Harmsen <mharmsen@redhat.com> | 2015-03-13 16:53:52 -0600 |
committer | Matthew Harmsen <mharmsen@redhat.com> | 2015-03-13 16:56:22 -0600 |
commit | a44ccf872262b1289cd2577a6ba55071066a5209 (patch) | |
tree | fa8bb3b39ca028c1693c69ab397424c90c8890b2 /base/server/python/pki/server/deployment | |
parent | a54e29d5be1b38158cc44a8bdeda5dcb96fd4096 (diff) | |
Allow use of secure LDAPS connection
- PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
Diffstat (limited to 'base/server/python/pki/server/deployment')
4 files changed, 52 insertions, 7 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index ec0f0a2d4..665922c64 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -817,6 +817,18 @@ class ConfigurationFile: (port, context)) return + def verify_ds_secure_connection_data(self): + # Check to see if a secure connection is being used for the DS + if config.str2bool(self.mdict['pki_ds_secure_connection']): + # Verify existence of a local PEM file containing a + # directory server CA certificate + self.confirm_file_exists("pki_ds_secure_connection_ca_pem_file") + # Verify existence of a nickname for this + # directory server CA certificate + self.confirm_data_exists("pki_ds_secure_connection_ca_nickname") + # Set trustargs for this directory server CA certificate + self.mdict['pki_ds_secure_connection_ca_trustargs'] = "CT,CT,CT" + def verify_command_matches_configuration_file(self): # Silently verify that the command-line parameters match the values # that are present in the corresponding configuration file
@@ -3957,7 +3969,12 @@ class ConfigClient: def set_database_parameters(self, data): data.dsHost = self.mdict['pki_ds_hostname'] - data.dsPort = self.mdict['pki_ds_ldap_port'] + if config.str2bool(self.mdict['pki_ds_secure_connection']): + data.secureConn = "true" + data.dsPort = self.mdict['pki_ds_ldaps_port'] + else: + data.secureConn = "false" + data.dsPort = self.mdict['pki_ds_ldap_port'] data.baseDN = self.mdict['pki_ds_base_dn'] data.bindDN = self.mdict['pki_ds_bind_dn'] data.database = self.mdict['pki_ds_database'] 
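Review bot: The trust flags assigned on the last added line of verify_ds_secure_connection_data, `"CT,CT,CT"`, mark the directory server's CA as a trusted issuer for SSL, e-mail and object signing, and the `T` flag additionally trusts it to issue client certificates; validating an LDAPS server certificate only needs CA trust in the SSL slot. Because this CA is imported into the server's own NSS database (security_databases.py in this commit), the broader flags could also make the PKI server honour client certificates issued by the DS CA, which is presumably not intended. Suggest `self.mdict['pki_ds_secure_connection_ca_trustargs'] = "C,,"`. A method named verify_... also quietly sets a configuration value here, which deserves a comment such as `# Side effect: derives pki_ds_secure_connection_ca_trustargs, consumed by security_databases.py`.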
@@ -3970,10 +3987,6 @@ class ConfigClient: data.removeData = "true" else: data.removeData = "false" - if config.str2bool(self.mdict['pki_ds_secure_connection']): - data.secureConn = "true" - else: - data.secureConn = "false" if config.str2bool(self.mdict['pki_share_db']): data.sharedDB = "true" data.sharedDBUserDN = self.mdict['pki_share_dbuser_dn']
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 1e3912084..6fb9e987d 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -400,6 +400,12 @@ class PKIConfigParser: if config.str2bool(self.mdict['pki_ds_secure_connection']): protocol = 'ldaps' port = self.mdict['pki_ds_ldaps_port'] + # ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255) + ldap.set_option(ldap.OPT_X_TLS_DEMAND, True) + ldap.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND) + ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, + self.mdict['pki_ds_secure_connection_ca_pem_file']) + ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND) else: protocol = 'ldap' port = self.mdict['pki_ds_ldap_port']
@@ -774,6 +780,8 @@ class PKIConfigParser: "-->" self.mdict['PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT'] = \ "-->" + self.mdict['PKI_DS_SECURE_CONNECTION_SLOT'] = \ + self.mdict['pki_ds_secure_connection'].lower() self.mdict['PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT'] = \ self.mdict['pki_https_port'] self.mdict\
diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
index 48b120c46..0aa4e1c4a 100644
--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py 
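Review bot: `ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)` on the second added line of the ldaps branch passes a value constant where an option identifier is expected — OPT_X_TLS_DEMAND is one of the settings for OPT_X_TLS_REQUIRE_CERT, not an option itself — so the call most likely either raises or pokes an unrelated global option; it should be dropped, leaving `OPT_X_TLS_CACERTFILE` and `OPT_X_TLS_REQUIRE_CERT = OPT_X_TLS_DEMAND` to enforce verification against the configured CA. The `OPT_X_TLS` assignment on the following line is the legacy knob and is redundant once OPT_X_TLS_REQUIRE_CERT is set. These are process-global options that only apply to connections created afterwards; the `ldap.initialize` call is outside the hunk, so confirm it comes after this block. The commented-out debug line should be removed rather than left in.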
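Review bot: The `PKI_DS_SECURE_CONNECTION_SLOT` value on the added lines is the raw configuration string lower-cased, while every other use of `pki_ds_secure_connection` in this commit goes through `config.str2bool`; if str2bool accepts spellings such as `Yes` or `1`, those would pass validation yet be substituted into the template as-is rather than as `true`/`false`. For consistency with set_database_parameters: `'true' if config.str2bool(self.mdict['pki_ds_secure_connection']) else 'false'`. The enclosing method continues outside the hunk.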
@@ -71,6 +71,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # verify selinux context of selected ports deployer.configuration_file.populate_non_default_ports() deployer.configuration_file.verify_selinux_ports() + # If secure DS connection is required, verify parameters + deployer.configuration_file.verify_ds_secure_connection_data() return self.rv def destroy(self, deployer):
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 8adb3c4e3..546050725 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py 
@@ -95,8 +95,30 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # Delete the temporary 'noise' file deployer.file.delete( deployer.mdict['pki_self_signed_noise_file']) - # Delete the temporary 'pfile' - deployer.file.delete(deployer.mdict['pki_shared_pfile']) + + # Check to see if a secure connection is being used for the DS + if config.str2bool(deployer.mdict['pki_ds_secure_connection']): + # Check to see if a directory server CA certificate + # using the same nickname already exists + rv = deployer.certutil.verify_certificate_exists( + deployer.mdict['pki_database_path'], + deployer.mdict['pki_cert_database'], + deployer.mdict['pki_key_database'], + deployer.mdict['pki_secmod_database'], + deployer.mdict['pki_self_signed_token'], + deployer.mdict['pki_ds_secure_connection_ca_nickname'], + password_file=deployer.mdict['pki_shared_pfile']) + if not rv: + # Import the directory server CA certificate + rv = deployer.certutil.import_cert( + deployer.mdict['pki_ds_secure_connection_ca_nickname'], + deployer.mdict['pki_ds_secure_connection_ca_trustargs'], + deployer.mdict['pki_ds_secure_connection_ca_pem_file'], + password_file=deployer.mdict['pki_shared_pfile'], + path=deployer.mdict['pki_database_path']) + + # Always delete the temporary 'pfile' + deployer.file.delete(deployer.mdict['pki_shared_pfile']) return self.rv def destroy(self, deployer): |
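Review bot: The result of `deployer.certutil.import_cert` is stored in `rv` but never examined, so if import_cert reports failure through its return value rather than by raising (its definition is outside this hunk), deployment continues without the DS CA in the NSS database and the LDAPS connection fails later with a less specific error; check `rv` (or document that import_cert raises) before the pfile is deleted. In the `verify_certificate_exists` branch, an existing certificate under `pki_ds_secure_connection_ca_nickname` is reused without comparing it to the configured PEM file, so a stale or unrelated certificate under that nickname silently becomes the trusted DS CA — worth a comment there such as `# NOTE: an existing cert under this nickname is trusted as-is and is not compared to pki_ds_secure_connection_ca_pem_file`. The method's body continues outside the hunk.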