authorMatthew Harmsen <mharmsen@redhat.com>2015-03-13 16:53:52 -0600
committerMatthew Harmsen <mharmsen@redhat.com>2015-03-13 16:56:22 -0600
commita44ccf872262b1289cd2577a6ba55071066a5209 (patch)
treefa8bb3b39ca028c1693c69ab397424c90c8890b2 /base/server/python
parenta54e29d5be1b38158cc44a8bdeda5dcb96fd4096 (diff)
Allow use of secure LDAPS connection
- PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
Diffstat (limited to 'base/server/python')
-rw-r--r--base/server/python/pki/server/deployment/pkihelper.py23
-rw-r--r--base/server/python/pki/server/deployment/pkiparser.py8
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/initialization.py2
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/security_databases.py26
4 files changed, 52 insertions, 7 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index ec0f0a2d4..665922c64 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -817,6 +817,18 @@ class ConfigurationFile:
(port, context))
return
+ def verify_ds_secure_connection_data(self):
+ # Check to see if a secure connection is being used for the DS
+ if config.str2bool(self.mdict['pki_ds_secure_connection']):
+ # Verify existence of a local PEM file containing a
+ # directory server CA certificate
+ self.confirm_file_exists("pki_ds_secure_connection_ca_pem_file")
+ # Verify existence of a nickname for this
+ # directory server CA certificate
+ self.confirm_data_exists("pki_ds_secure_connection_ca_nickname")
+ # Set trustargs for this directory server CA certificate
+ self.mdict['pki_ds_secure_connection_ca_trustargs'] = "CT,CT,CT"
+
def verify_command_matches_configuration_file(self):
# Silently verify that the command-line parameters match the values
# that are present in the corresponding configuration file
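Review bot: The trust flags hard-coded at `self.mdict['pki_ds_secure_connection_ca_trustargs'] = "CT,CT,CT"` mark the directory server CA as a trusted issuer for SSL, e-mail and object-signing certificates, which is more trust than validating the LDAPS server certificate needs; `"C,,"` (or `"CT,,"` if client authentication against that CA is also intended) limits the trust to what this connection actually uses. Since the PEM file's contents are only checked for existence here, granting the narrowest trust that works is the safer default. The new method also has no docstring, and its name says "verify" while it additionally mutates mdict; a one-liner such as `"""Validate the DS CA settings when pki_ds_secure_connection is set and record the trust flags to use for that CA."""` would make both effects visible to callers.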
@@ -3957,7 +3969,12 @@ class ConfigClient:
def set_database_parameters(self, data):
data.dsHost = self.mdict['pki_ds_hostname']
- data.dsPort = self.mdict['pki_ds_ldap_port']
+ if config.str2bool(self.mdict['pki_ds_secure_connection']):
+ data.secureConn = "true"
+ data.dsPort = self.mdict['pki_ds_ldaps_port']
+ else:
+ data.secureConn = "false"
+ data.dsPort = self.mdict['pki_ds_ldap_port']
data.baseDN = self.mdict['pki_ds_base_dn']
data.bindDN = self.mdict['pki_ds_bind_dn']
data.database = self.mdict['pki_ds_database']
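Review bot: set_database_parameters has no docstring, and the new branch is where the secure/insecure choice now happens, so this is the place to state it: `"""Copy the DS connection settings from mdict into data, selecting the LDAPS port and secureConn flag when pki_ds_secure_connection is true."""`. Note that `data.secureConn` is set to the strings "true"/"false" rather than a bool, which matches how removeData is set in the following hunk; a short comment on the `data.secureConn = "true"` line saying the server expects string flags would stop a future cleanup from turning it into a bool. The method continues past the end of this hunk.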
@@ -3970,10 +3987,6 @@ class ConfigClient:
data.removeData = "true"
else:
data.removeData = "false"
- if config.str2bool(self.mdict['pki_ds_secure_connection']):
- data.secureConn = "true"
- else:
- data.secureConn = "false"
if config.str2bool(self.mdict['pki_share_db']):
data.sharedDB = "true"
data.sharedDBUserDN = self.mdict['pki_share_dbuser_dn']
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 1e3912084..6fb9e987d 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -400,6 +400,12 @@ class PKIConfigParser:
if config.str2bool(self.mdict['pki_ds_secure_connection']):
protocol = 'ldaps'
port = self.mdict['pki_ds_ldaps_port']
+ # ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
+ ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)
+ ldap.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,
+ self.mdict['pki_ds_secure_connection_ca_pem_file'])
+ ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
else:
protocol = 'ldap'
port = self.mdict['pki_ds_ldap_port']
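Review bot: `ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)` passes a value constant where an option number is expected — in python-ldap OPT_X_TLS_DEMAND is the level used as the value for OPT_X_TLS_REQUIRE_CERT, not an option — so the call sets whichever unrelated option shares that number (I believe OPT_DEREF) rather than anything TLS-related; it should be dropped, keeping the `OPT_X_TLS_REQUIRE_CERT`/`OPT_X_TLS_CACERTFILE` pair, which is what actually enforces server-certificate validation against the configured CA. These options are process-global in python-ldap and only take effect for connections initialized after they are set; the `ldap.initialize` call is outside this hunk, so please confirm it runs after these lines. The commented-out `# ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)` line should be removed rather than left as dead code. The enclosing method starts and ends outside the hunk.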
@@ -774,6 +780,8 @@ class PKIConfigParser:
"-->"
self.mdict['PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT'] = \
"-->"
+ self.mdict['PKI_DS_SECURE_CONNECTION_SLOT'] = \
+ self.mdict['pki_ds_secure_connection'].lower()
self.mdict['PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT'] = \
self.mdict['pki_https_port']
self.mdict\
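Review bot: `self.mdict['pki_ds_secure_connection'].lower()` copies the raw configured string into the slot, while the rest of this commit interprets that key through `config.str2bool`; if str2bool accepts spellings other than "true"/"false", the template consumer of PKI_DS_SECURE_CONNECTION_SLOT would receive a value the Python side treats as true but the template may not. Deriving the slot from the parsed value keeps the two in agreement: `self.mdict['PKI_DS_SECURE_CONNECTION_SLOT'] = \` followed by `'true' if config.str2bool(self.mdict['pki_ds_secure_connection']) else 'false'`. The enclosing method starts and ends outside the hunk.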
diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
index 48b120c46..0aa4e1c4a 100644
--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py
@@ -71,6 +71,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# verify selinux context of selected ports
deployer.configuration_file.populate_non_default_ports()
deployer.configuration_file.verify_selinux_ports()
+ # If secure DS connection is required, verify parameters
+ deployer.configuration_file.verify_ds_secure_connection_data()
return self.rv
def destroy(self, deployer):
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 8adb3c4e3..546050725 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -95,8 +95,30 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Delete the temporary 'noise' file
deployer.file.delete(
deployer.mdict['pki_self_signed_noise_file'])
- # Delete the temporary 'pfile'
- deployer.file.delete(deployer.mdict['pki_shared_pfile'])
+
+ # Check to see if a secure connection is being used for the DS
+ if config.str2bool(deployer.mdict['pki_ds_secure_connection']):
+ # Check to see if a directory server CA certificate
+ # using the same nickname already exists
+ rv = deployer.certutil.verify_certificate_exists(
+ deployer.mdict['pki_database_path'],
+ deployer.mdict['pki_cert_database'],
+ deployer.mdict['pki_key_database'],
+ deployer.mdict['pki_secmod_database'],
+ deployer.mdict['pki_self_signed_token'],
+ deployer.mdict['pki_ds_secure_connection_ca_nickname'],
+ password_file=deployer.mdict['pki_shared_pfile'])
+ if not rv:
+ # Import the directory server CA certificate
+ rv = deployer.certutil.import_cert(
+ deployer.mdict['pki_ds_secure_connection_ca_nickname'],
+ deployer.mdict['pki_ds_secure_connection_ca_trustargs'],
+ deployer.mdict['pki_ds_secure_connection_ca_pem_file'],
+ password_file=deployer.mdict['pki_shared_pfile'],
+ path=deployer.mdict['pki_database_path'])
+
+ # Always delete the temporary 'pfile'
+ deployer.file.delete(deployer.mdict['pki_shared_pfile'])
return self.rv
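Review bot: The comment `# Always delete the temporary 'pfile'` does not hold: if `verify_certificate_exists` or `import_cert` raises, the delete at the bottom of the hunk is skipped and the shared password file is left on disk, which the pre-change code could not do because the delete came first. Wrapping the new secure-connection block in try/finally keeps the deletion unconditional. The second `rv` (the result of `import_cert`) is also assigned but never examined, so a failed CA import would go unnoticed here and only surface later when the LDAPS connection fails; if `import_cert` returns a status, it should be checked or folded into `self.rv`. The method continues outside the hunk in both directions.
```python
    # Check to see if a secure connection is being used for the DS
    try:
        if config.str2bool(deployer.mdict['pki_ds_secure_connection']):
            # … unchanged: verify_certificate_exists / import_cert calls …
    finally:
        # Delete the temporary 'pfile' even when the CA import fails
        deployer.file.delete(deployer.mdict['pki_shared_pfile'])
    return self.rv
```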
def destroy(self, deployer):