author | Ade Lee <alee@redhat.com> | 2012-02-16 14:38:40 -0500 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2012-02-23 21:31:24 -0500 |
commit | 1c4c45a87e62a74b68b7d235e94cfe5dc21b8da2 (patch) | |
tree | ee413dd31d1a9d118c8c1367740ee95460919fae /pki/base/common/src/com/netscape/cmscore | |
parent | 0df68f85d453e5fb087a2cf04dc5d3ce4bcdff01 (diff) | |
Add client auth user to default install
When a subsystem is configured, a user is created to facilitate communication
between subsystems. This user is created on the security domain CA, and
has the subsystem certificate in its user record.
This user will be reused as a user that can talk to the database using the
subsystem certificate for client auth. To do this, this patch does the following:
1. If not the security domain master CA, adds this user to the subsystem, and
adds the subsystem cert.
2. Adds the subsystem cert subject dn to the user's record in the seeAlso attribute
3. Adds acis for this user for the $basedn and for cn=config (for VLV searches)
By default, this user and acls will be added when the system is configured.
To actually use the user and client auth, more config steps are required. They
will be doc'ed in https://fedorahosted.org/pki/ticket/5
Diffstat (limited to 'pki/base/common/src/com/netscape/cmscore')
-rw-r--r-- | pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java | 69 |
1 files changed, 54 insertions, 15 deletions
diff --git a/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java b/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
index 1bf251865..6796a3322 100644
--- a/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
+++ b/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
@@ -72,7 +72,7 @@ public final class UGSubsystem implements IUGSubsystem {
     protected static final String GROUP_ATTR_VALUE = "groupofuniquenames";
     protected static final String LDAP_ATTR_USER_CERT_STRING = "description";
-    // protected static final String LDAP_ATTR_CERTDN = "seeAlso";
+    protected static final String LDAP_ATTR_CERTDN = "seeAlso";
     protected static final String LDAP_ATTR_USER_CERT = "userCertificate";
     protected static final String PROP_BASEDN = "basedn";
@@ -726,27 +726,18 @@ public final class UGSubsystem implements IUGSubsystem {
         LDAPModificationSet addCert = new LDAPModificationSet();
         if ((cert = user.getX509Certificates()) != null) {
-            LDAPAttribute attrCertStr = new
-                    LDAPAttribute(LDAP_ATTR_USER_CERT_STRING);
-
-            /*
-             LDAPAttribute attrCertDNStr = new
-             LDAPAttribute(LDAP_ATTR_CERTDN);
-             */
-            LDAPAttribute attrCertBin = new
-                    LDAPAttribute(LDAP_ATTR_USER_CERT);
+            LDAPAttribute attrCertStr = new LDAPAttribute(LDAP_ATTR_USER_CERT_STRING);
+            LDAPAttribute attrCertBin = new LDAPAttribute(LDAP_ATTR_USER_CERT);
             try {
                 attrCertBin.addValue(cert[0].getEncoded());
                 attrCertStr.addValue(getCertificateString(cert[0]));
-                // attrCertDNStr.addValue(cert[0].getSubjectDN().toString());
             } catch (CertificateEncodingException e) {
                 log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER_CERT", e.toString()));
                 throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USR_CERT_ERROR"));
             }
             addCert.add(LDAPModification.ADD, attrCertStr);
-            //addCert.add(LDAPModification.ADD, attrCertDNStr);
             addCert.add(LDAPModification.ADD, attrCertBin);
             LDAPConnection ldapconn = null;
@@ -783,6 +774,54 @@ public final class UGSubsystem implements IUGSubsystem {
         return;
     }
+    public void addCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException {
+        User user = (User) identity;
+
+        if (user == null) {
+            return;
+        }
+
+        X509Certificate cert[] = null;
+        LDAPModificationSet addCert = new LDAPModificationSet();
+
+        if ((cert = user.getX509Certificates()) != null) {
+            LDAPAttribute attrCertDNStr = new LDAPAttribute(LDAP_ATTR_CERTDN);
+            attrCertDNStr.addValue(cert[0].getSubjectDN().toString());
+            addCert.add(LDAPModification.ADD, attrCertDNStr);
+
+            LDAPConnection ldapconn = null;
+
+            try {
+                ldapconn = getConn();
+                ldapconn.modify("uid=" + user.getUserID() +
+                        "," + getUserBaseDN(), addCert);
+                // for audit log
+                SessionContext sessionContext = SessionContext.getContext();
+                String adminId = (String) sessionContext.get(SessionContext.USER_ID);
+
+                mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP,
+                        AuditFormat.LEVEL, AuditFormat.ADDCERTSUBJECTDNFORMAT,
+                        new Object[] { adminId, user.getUserID(),
+                                cert[0].getSubjectDN().toString()}
+                        );
+
+            } catch (LDAPException e) {
+                if (Debug.ON) {
+                    e.printStackTrace();
+                }
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+                throw e;
+            } catch (ELdapException e) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+            } finally {
+                if (ldapconn != null)
+                    returnConn(ldapconn);
+            }
+        }
+
+        return;
+    }
+
     /**
      * Removes a user certificate for a user entry
      * given a user certificate DN (actually, a combination of version,
@@ -821,7 +860,7 @@ public final class UGSubsystem implements IUGSubsystem {
         LDAPAttribute certAttrS = new LDAPAttribute(LDAP_ATTR_USER_CERT_STRING);
-        //LDAPAttribute certDNAttrS = new LDAPAttribute(LDAP_ATTR_CERTDN);
+        LDAPAttribute certDNAttrS = new LDAPAttribute(LDAP_ATTR_CERTDN);
         int certCount = 0;
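Review bot: In the new `addCertSubjectDN`, the `catch (ELdapException e)` branch only logs and then falls through to `return;`, so a failure in `getConn()` leaves the entry without its `seeAlso` value while the caller sees success; the neighbouring `catch (LDAPException e)` rethrows, and the method already declares `throws EUsrGrpException`, so the consistent fix is to rethrow there as well, e.g. `throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USR_CERT_ERROR"));` after the existing `log(...)` call. Both failure paths also log `CMSCORE_USRGRP_ADD_USER`, the user-creation message, where the analogous certificate path in `addUserCert` uses `CMSCORE_USRGRP_ADD_USER_CERT`. The target DN is assembled as `"uid=" + user.getUserID() + "," + getUserBaseDN()` without DN-escaping the user ID; if IDs are not already restricted upstream, a comment stating that assumption (or an escape step) would make the trust boundary explicit. Because `seeAlso` is a multi-valued set, adding a second certificate with the same subject DN (a renewed certificate) would presumably fail with attributeOrValueExists, and `cert[0]` is used without checking that the array is non-empty — both worth a guard or at least a comment. A Javadoc header stating that only the first certificate's subject DN is recorded would match the style of the surrounding methods.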
@@ -839,14 +878,14 @@ public final class UGSubsystem implements IUGSubsystem {
             try {
                 certAttr.addValue(certs[i].getEncoded());
                 certAttrS.addValue(getCertificateString(certs[i]));
-                // certDNAttrS.addValue(certs[i].getSubjectDN().toString());
+                certDNAttrS.addValue(certs[i].getSubjectDN().toString());
             } catch (CertificateEncodingException e) {
                 throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USR_CERT_ERROR"));
             }
             attrs.add(LDAPModification.DELETE, certAttr);
             attrs.add(LDAPModification.DELETE, certAttrS);
-            //attrs.add(LDAPModification.DELETE, certDNAttrS);
+            attrs.add(LDAPModification.DELETE, certDNAttrS);
             LDAPConnection ldapconn = null;
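Review bot: The unconditional `attrs.add(LDAPModification.DELETE, certDNAttrS);` ties certificate removal to a `seeAlso` value that only the new `addCertSubjectDN` writes; for an entry whose certificate was stored without it (entries that predate this change, or added through `addUserCert` alone) the directory will reject the modification with noSuchAttribute, and since an LDAP modify is a single atomic operation the `userCertificate` and `description` values will not be removed either. Consider reading the entry and adding the DELETE only when that `seeAlso` value is present, or issuing it as a separate modification whose noSuchAttribute result is tolerated and logged. The enclosing method starts and ends outside the hunk.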