diff options
| author | Endi Sukma Dewata <edewata@redhat.com> | 2012-06-18 18:51:51 -0500 |
|---|---|---|
| committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-06-27 10:13:47 -0500 |
| commit | 4ccfcebe532b97607cfab406a1fa900070573f24 (patch) | |
| tree | 5140013e29d003eae685923cfd37b8dd79850d09 /base | |
| parent | 8a8436f73d4c4edd10b43313b724f32ccb7b957e (diff) | |
| download | pki-4ccfcebe532b97607cfab406a1fa900070573f24.tar.gz pki-4ccfcebe532b97607cfab406a1fa900070573f24.tar.xz pki-4ccfcebe532b97607cfab406a1fa900070573f24.zip | |
Fixed problem removing user certificate.
Generally the user LDAP entry does not contain a seeAlso attribute
unless it's a special database user. The UGSubsystem.removeUserCert()
would fail because it tried to remove the seeAlso attribute. Now the
code has been fixed to remove the seeAlso using a separate modify
operation and ignore the error if it fails due to missing attribute.
Ticket #182
Diffstat (limited to 'base')
| -rw-r--r-- | base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java | 104 |
1 files changed, 59 insertions, 45 deletions
diff --git a/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java b/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java index 20ad26524..ee53708ec 100644 --- a/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java +++ b/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java @@ -852,75 +852,89 @@ public final class UGSubsystem implements IUGSubsystem { throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_CERT_NOT_FOUND")); } - LDAPAttribute certAttr = new - LDAPAttribute(LDAP_ATTR_USER_CERT); - LDAPAttribute certAttrS = new - LDAPAttribute(LDAP_ATTR_USER_CERT_STRING); - - LDAPAttribute certDNAttrS = new LDAPAttribute(LDAP_ATTR_CERTDN); - int certCount = 0; for (int i = 0; i < certs.length; i++) { - LDAPModificationSet attrs = new LDAPModificationSet(); - - String certStr = null; + String certStr; if (delCertdn.startsWith("-1;")) { certStr = getCertificateStringWithoutVersion(certs[i]); } else { certStr = getCertificateString(certs[i]); } - if (delCertdn.equalsIgnoreCase(certStr)) { + + if (!delCertdn.equalsIgnoreCase(certStr)) continue; + + LDAPConnection ldapconn = null; + + try { + ldapconn = getConn(); + + String dn = "uid=" + user.getUserID() + "," + getUserBaseDN(); + try { - certAttr.addValue(certs[i].getEncoded()); - certAttrS.addValue(getCertificateString(certs[i])); + // remove seeAlso attribute + LDAPModificationSet attrs = new LDAPModificationSet(); + LDAPAttribute certDNAttrS = new LDAPAttribute(LDAP_ATTR_CERTDN); certDNAttrS.addValue(certs[i].getSubjectDN().toString()); - } catch (CertificateEncodingException e) { - throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USR_CERT_ERROR")); + attrs.add(LDAPModification.DELETE, certDNAttrS); + ldapconn.modify(dn, attrs); + + } catch (LDAPException e) { + if (e.getLDAPResultCode() == 16) { // ignore missing seeAlso attribute + CMS.debug("removeUserCert: No attribute "+LDAP_ATTR_CERTDN+" in entry "+dn); + } else { + throw e; + } } + // remove userCertificate and description attributes + LDAPModificationSet attrs = new LDAPModificationSet(); + + LDAPAttribute certAttr = new LDAPAttribute(LDAP_ATTR_USER_CERT); + certAttr.addValue(certs[i].getEncoded()); attrs.add(LDAPModification.DELETE, certAttr); + + LDAPAttribute certAttrS = new LDAPAttribute(LDAP_ATTR_USER_CERT_STRING); + certAttrS.addValue(getCertificateString(certs[i])); attrs.add(LDAPModification.DELETE, certAttrS); - attrs.add(LDAPModification.DELETE, certDNAttrS); - LDAPConnection ldapconn = null; + ldapconn.modify(dn, attrs); - try { - ldapconn = getConn(); - ldapconn.modify("uid=" + user.getUserID() + - "," + getUserBaseDN(), attrs); - certCount++; - // for audit log - SessionContext sessionContext = SessionContext.getContext(); - String adminId = (String) sessionContext.get(SessionContext.USER_ID); - - mLogger.log(ILogger.EV_AUDIT, - ILogger.S_USRGRP, - AuditFormat.LEVEL, - AuditFormat.REMOVEUSERCERTFORMAT, - new Object[] { adminId, user.getUserID(), - certs[0].getSubjectDN().toString(), - certs[i].getSerialNumber().toString(16) } - ); + certCount++; - } catch (LDAPException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_REMOVE_USER", e.toString())); - throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_MOD_USER_FAIL")); - } catch (ELdapException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_REMOVE_USER", e.toString())); - } finally { - if (ldapconn != null) - returnConn(ldapconn); - } + // for audit log + SessionContext sessionContext = SessionContext.getContext(); + String adminId = (String) sessionContext.get(SessionContext.USER_ID); + + mLogger.log(ILogger.EV_AUDIT, + ILogger.S_USRGRP, + AuditFormat.LEVEL, + AuditFormat.REMOVEUSERCERTFORMAT, + new Object[] { adminId, user.getUserID(), + certs[0].getSubjectDN().toString(), + certs[i].getSerialNumber().toString(16) } + ); + + } catch (CertificateEncodingException e) { + throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USR_CERT_ERROR")); + + } catch (LDAPException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_REMOVE_USER", e.toString())); + throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_MOD_USER_FAIL")); + + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_REMOVE_USER", e.toString())); + + } finally { + if (ldapconn != null) + returnConn(ldapconn); } } if (certCount == 0) { throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_CERT_NOT_FOUND")); } - - return; } public void addUserToGroup(IGroup grp, String userid) |