Fixes to cloning and security domain tables for client auth internaldb user

The mechanism for getting an ldap connection to the internaldb was incorrect,
both in the Security Domain Session Table and the DatabasePanel.  As a result,
connections to the internaldb failed for accessing the security domain session
table and when trying to clone a master which connects to its database using
client auth.

The thread that handles reading the security domain session table is now only
instantiated when running on a configured security domain master.

Additionally, needed acls for the client auth certificate ldap user have been
moved to manager.ldif.  This includes acls to allow creation and management of
replication agreements and replication users (now being created under
ou=csusers, cn=config)

Added logs to show when ldif import errors occur.  Also made sure to write and
remove master ldap password for use in replication.

Ticket #5

2 files changed, 49 insertions, 0 deletions

diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in
index 1ba0d2f40..980ed5854 100644
--- a/pki/base/ca/shared/conf/CS.cfg.in
+++ b/pki/base/ca/shared/conf/CS.cfg.in
@@ -818,6 +818,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/schema.ldif
 preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/database.ldif
 preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/acl.ldif
 preop.internaldb.index_ldif=
+preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
 preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/index.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlvtasks.ldif
 preop.internaldb.wait_dn=cn=index1160589769, cn=index, cn=tasks, cn=config
 internaldb.multipleSuffix.enable=false
diff --git a/pki/base/ca/shared/conf/manager.ldif b/pki/base/ca/shared/conf/manager.ldif
new file mode 100644
index 000000000..52e486987
--- /dev/null
+++ b/pki/base/ca/shared/conf/manager.ldif
@@ -0,0 +1,48 @@
+# acis for cert manager
+
+dn: ou=csusers,cn=config
+objectClass: top
+objectClass: organizationalUnit
+ou: csusers
+
+dn: {rootSuffix}
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)
+
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)
+
+dn: ou=csusers,cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
+
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
+
+