author | alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2008-10-14 18:43:16 +0000 |
---|---|---|
committer | alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2008-10-14 18:43:16 +0000 |
commit | 948bfc4c428b49d3931e2f037307e53d80fc77f0 (patch) | |
tree | 9da7df6c422bc4485ba7bc7dbc15bb1e4f3b1d18 /pki/base/migrate | |
parent | e94a77f77f6020cd8557366b42017ef6d7f5f669 (diff) | |
bz223361 - security domains in ldap
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@127 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/migrate')
-rw-r--r-- | pki/base/migrate/80/MigrateSecurityDomain.class | bin | 0 -> 6951 bytes | |||
-rw-r--r-- | pki/base/migrate/80/MigrateSecurityDomain.java | 215 | ||||
-rw-r--r-- | pki/base/migrate/80/readme | 29 | ||||
-rw-r--r-- | pki/base/migrate/80/schema-add.ldif | 36 | ||||
-rw-r--r-- | pki/base/migrate/build.xml | 4 |
5 files changed, 284 insertions, 0 deletions
diff --git a/pki/base/migrate/80/MigrateSecurityDomain.class b/pki/base/migrate/80/MigrateSecurityDomain.class
Binary files differ
new file mode 100644
index 000000000..f2a174dab
--- /dev/null
+++ b/pki/base/migrate/80/MigrateSecurityDomain.class
diff --git a/pki/base/migrate/80/MigrateSecurityDomain.java b/pki/base/migrate/80/MigrateSecurityDomain.java
new file mode 100644
index 000000000..5cfdf584a
--- /dev/null
+++ b/pki/base/migrate/80/MigrateSecurityDomain.java
@@ -0,0 +1,215 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2008 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +import com.netscape.cmsutil.xml.*; +import com.netscape.cmscore.base.*; +import com.netscape.cmscore.ldapconn.*; +import com.netscape.cmsutil.ldap.*; +import netscape.ldap.*; +import java.io.*; +import java.util.*; +import org.w3c.dom.*; + +public class MigrateSecurityDomain { + + private static LDAPConnection getLDAPConn(FileConfigStore cs, String passwd) + throws IOException + { + + String host = ""; + String port = ""; + String binddn = ""; + String security = ""; + + try { + host = cs.getString("internaldb.ldapconn.host"); + port = cs.getString("internaldb.ldapconn.port"); + binddn = cs.getString("internaldb.ldapauth.bindDN"); + security = cs.getString("internaldb.ldapconn.secureConn"); + } catch (Exception e) { + System.out.println("MigrateSecurityDomain: getLDAPConnection" + e.toString()); + throw new IOException( + "Failed to retrieve LDAP information from CS.cfg."); + } + + int p = -1; + + try { + p = Integer.parseInt(port); + } catch (Exception e) { + System.out.println("MigrateSecurityDomain getLDAPConn: " + e.toString()); + throw new IOException("Port is not valid"); + } + + LDAPConnection conn = null; + if (security.equals("true")) { + 
System.out.println("MigrateSecurityDomain getLDAPConn: creating secure (SSL) connection for internal ldap"); + conn = new LDAPConnection(new LdapJssSSLSocketFactory()); + } else { + System.out.println("MigrateSecurityDomain getLDAPConn: creating non-secure (non-SSL) connection for internal ldap"); + conn = new LDAPConnection(); + } + + System.out.println("MigrateSecurityDomain connecting to " + host + ":" + p); + try { + conn.connect(host, p, binddn, passwd); + } catch (LDAPException e) { + System.out.println("MigrateSecurityDomain getLDAPConn: " + e.toString()); + throw new IOException("Failed to connect to the internal database."); + } + + return conn; + } + + + public static void main(String args[]) throws Exception + { + if (args.length != 2) { + System.out.println("Usage: MigrateSecurityDomain <instance root path> <directory manager password>"); + System.exit(0); + } + + String instRoot = args[0]; + String dmPass = args[1]; + + XMLObject parser = null; + // get the security domain data from the domain.xml file + try { + String path = instRoot + "/conf/domain.xml"; + System.out.println("MigrateSecurityDomain: Reading domain.xml from file ..."); + parser = new XMLObject(new FileInputStream(path)); + + } + catch (Exception e) { + System.out.println("MigrateSecurityDomain: Unable to get domain info from domain.xml file"); + System.out.println(e.toString()); + System.exit(1); + } + + try { + String configFile = instRoot + "/conf/CS.cfg"; + FileConfigStore cs = new FileConfigStore(configFile); + + LDAPConnection conn = null; + conn = MigrateSecurityDomain.getLDAPConn(cs, dmPass); + if (conn == null) { + System.out.println("MigrateSecurityDomain: Failed to connect to internal database"); + System.exit(1); + } + + // add new schema elements + String importFile = "./schema-add.ldif"; + try { + LDAPUtil.importLDIF(conn, importFile); + } catch (Exception e) { + System.out.println("MigrateSecurityDomain: Error in adding new schema elements"); + System.exit(1); + } + // 
create the containers + String basedn = cs.getString("internaldb.basedn"); + String secdomain = parser.getValue("Name"); + + try { + String dn = "ou=Security Domain," + basedn; + System.out.println("MigrateSecurityDomain: creating ldap entry : " + dn); + + LDAPEntry entry = null; + LDAPAttributeSet attrs = null; + attrs = new LDAPAttributeSet(); + attrs.add(new LDAPAttribute("objectclass", "top")); + attrs.add(new LDAPAttribute("objectclass", "organizationalUnit")); + attrs.add(new LDAPAttribute("name", secdomain)); + attrs.add(new LDAPAttribute("ou", "Security Domain")); + entry = new LDAPEntry(dn, attrs); + conn.add(entry); + } catch (LDAPException e) { + if (e.getLDAPResultCode() != 68) { + System.out.println("Unable to create security domain" + e.toString()); + System.exit(1); + } + } + + // create list containers + String clist[] = {"CAList", "OCSPList", "KRAList", "RAList", "TKSList", "TPSList"}; + for (int i=0; i< 6; i++) { + LDAPEntry entry = null; + LDAPAttributeSet attrs = null; + String dn = "cn=" + clist[i] + ",ou=Security Domain," + basedn; + attrs = new LDAPAttributeSet(); + attrs.add(new LDAPAttribute("objectclass", "top")); + attrs.add(new LDAPAttribute("objectclass", "pkiSecurityGroup")); + attrs.add(new LDAPAttribute("cn", clist[i])); + entry = new LDAPEntry(dn, attrs); + try { + conn.add(entry); + } catch (LDAPException e) { + if (e.getLDAPResultCode() != 68) { + System.out.println("Unable to create security domain list entry " + dn +": "+ e.toString()); + System.exit(1); + } + } + } + + // create system entries + String tlist[] = {"CA", "OCSP", "KRA", "RA", "TKS", "TPS"}; + Document doc = parser.getDocument(); + for (int j=0; j<6; j++) { + String type = tlist[j]; + NodeList nodeList = doc.getElementsByTagName(type); + int len = nodeList.getLength(); + for (int i = 0; i < len; i++) { + Vector v_clone = parser.getValuesFromContainer(nodeList.item(i), "Clone"); + Vector v_name = parser.getValuesFromContainer(nodeList.item(i), "SubsystemName"); + 
Vector v_host = parser.getValuesFromContainer(nodeList.item(i), "Host"); + Vector v_port = parser.getValuesFromContainer(nodeList.item(i), "SecurePort"); + + String cn = (String)v_host.elementAt(0) + ":" + (String)v_port.elementAt(0); + String dn = "cn=" + cn + ",cn=" + type +"List,ou=Security Domain," + basedn; + LDAPEntry entry = null; + LDAPAttributeSet attrs = null; + attrs = new LDAPAttributeSet(); + attrs.add(new LDAPAttribute("objectclass", "top")); + attrs.add(new LDAPAttribute("objectclass", "pkiSubsystem")); + attrs.add(new LDAPAttribute("Host", (String)v_host.elementAt(0))); + attrs.add(new LDAPAttribute("SecurePort", (String)v_port.elementAt(0))); + attrs.add(new LDAPAttribute("Clone", (String)v_clone.elementAt(0))); + attrs.add(new LDAPAttribute("SubsystemName", (String)v_name.elementAt(0))); + attrs.add(new LDAPAttribute("cn", cn)); + attrs.add(new LDAPAttribute("DomainManager", "true")); + entry = new LDAPEntry(dn, attrs); + + try { + conn.add(entry); + } + catch (LDAPException e) { + if (e.getLDAPResultCode() != 68) { + System.out.println("Unable to create entry " + dn +": "+ e.toString()); + } + } + } + } + cs.putString("securitydomain.store", "ldap"); + cs.commit(false); + System.out.println("MigrateSecurityDomain: Domain successfully migrated."); + } catch (Exception e) { + System.out.println("MigrateSecurityDomain: Migration failed. " + e.toString()); + } + System.exit(0); + } + +} diff --git a/pki/base/migrate/80/readme b/pki/base/migrate/80/readme new file mode 100644 index 000000000..50365c985 --- /dev/null +++ b/pki/base/migrate/80/readme 
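Review bot: A failed migration still exits with status 0, because the outer `catch (Exception e)` at the end of main only prints "Migration failed." and then falls through to `System.exit(0)`, so a calling script cannot distinguish success from failure. The per-subsystem `catch (LDAPException e)` in the system-entries loop likewise only prints on a non-68 result and keeps going, after which `securitydomain.store` is set to `ldap` and "successfully migrated" is printed even though entries are missing. The outer handler should end with `System.exit(1);`, and the inner one should either do the same or record a failure flag that is checked before `cs.putString("securitydomain.store", "ldap");`. The bare literal 68 in the three result-code checks would read better as `LDAPException.ENTRY_ALREADY_EXISTS`. Taking the Directory Manager password as `args[1]` also exposes it in the process list and shell history; reading it with `System.console().readPassword()` or from a mode-0600 file would avoid that.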
@@ -0,0 +1,29 @@
+Date
+
+ Fri Oct 3 00:37:14 EDT 2008
+
+Version
+
+ CMS 8.0
+
+Overview
+
+ In CMS8.0, the security domain data has been migrated into the
+ internal LDAP database to allow easier replication of this data
+ when cloning. Prior to this release, this information was stored
+ in the domain.xml configuration file on the CA serving as the Domain
+ Master.
+
+Program
+
+ MigrateSecurityDomain - This command will add the relevant schema and migrate
+ security domain data that resides in domain.xml into the internal database.
+ The program needs only two arguments - the location of the instance root directory
+ (like /var/lib/pki-ca) and the directory user's password.
+
+Example
+
+ Here is an example of MigrateSecurityDomain usage
+java -cp /usr/share/java/ldapjdk.jar:/usr/share/java/pki/cmscore.jar:/usr/share/java/pki/cmsutil.jar:/usr/share/java/pki/certsrv.jar:. MigrateSecurityDomain /var/lib/pki-ca mypassword
+
+
diff --git a/pki/base/migrate/80/schema-add.ldif b/pki/base/migrate/80/schema-add.ldif
new file mode 100644
index 000000000..7d9cec640
--- /dev/null
+++ b/pki/base/migrate/80/schema-add.ldif
@@ -0,0 +1,36 @@
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( Clone-oid NAME 'Clone' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( DomainManager-oid NAME 'DomainManager' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( securePort-oid NAME 'securePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( SubsystemName-oid NAME 'SubsystemName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( pkiSecurityDomain-oid NAME 'pkiSecurityDomain' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ name ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager ) X-ORIGIN 'user defined' )
+
+
diff --git a/pki/base/migrate/build.xml b/pki/base/migrate/build.xml
index 48623cdac..bcdc1e37b 100644
--- a/pki/base/migrate/build.xml
+++ b/pki/base/migrate/build.xml
@@ -159,6 +159,7 @@
 <include name="41ToTxt/**"/>
 <include name="73ToTxt/**"/>
 <include name="TxtTo73/**"/>
+ <include name="80/**"/>
 </zipfileset>
 <zipfileset dir="." filemode="755"
@@ -194,6 +195,7 @@
 <include name="41ToTxt/**"/>
 <include name="73ToTxt/**"/>
 <include name="TxtTo73/**"/>
+ <include name="80/**"/>
 </tarfileset>
 <tarfileset dir="." mode="755"
@@ -266,6 +268,7 @@
 <include name="TxtTo71/**"/>
 <include name="TxtTo72/**"/>
 <include name="TxtTo73/**"/>
+ <include name="80/**"/>
 </zipfileset>
 </zip>
 <echo message="${end.source.zip.log.message}"/>
@@ -302,6 +305,7 @@
 <include name="TxtTo71/**"/>
 <include name="TxtTo72/**"/>
 <include name="TxtTo73/**"/>
+ <include name="80/**"/>
 </tarfileset>
 </tar>
 <echo message="${end.source.tar.log.message}"/> |