authorAde Lee <alee@redhat.com>2012-02-29 23:31:15 -0500
committerAde Lee <alee@redhat.com>2012-03-09 02:30:37 -0500
commitada9213433a122e83c7d0cc0c04a4711ae003a79 (patch)
tree304c0afe6c09d1ededfdbaa70d7bc66d2c3fa2d0 /pki/base
parent8b9dc39ca6592d5c0cd6c0e6b24775de1dad161a (diff)
Fixes to cloning and security domain tables for client auth internaldb user
The mechanism for getting an ldap connection to the internaldb was incorrect, both in the Security Domain Session Table and the DatabasePanel. As a result, connections to the internaldb failed for accessing the security domain session table and when trying to clone a master which connects to its database using client auth. The thread that handles reading the security domain session table is now only instantiated when running on a configured security domain master. Additionally, needed acls for the client auth certificate ldap user have been moved to manager.ldif. This includes acls to allow creation and management of replication agreements and replication users (now being created under ou=csusers, cn=config) Added logs to show when ldif import errors occur. Also made sure to write and remove master ldap password for use in replication. Ticket #5 Conflicts resolved: pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java pki/base/migrate/80/MigrateSecurityDomain.java pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java
Diffstat (limited to 'pki/base')
-rw-r--r--pki/base/ca/shared/conf/CS.cfg.in1
-rw-r--r--pki/base/ca/shared/conf/manager.ldif48
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java9
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java197
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java103
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java11
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java33
-rw-r--r--pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java23
-rw-r--r--pki/base/kra/shared/conf/CS.cfg.in1
-rw-r--r--pki/base/kra/shared/conf/manager.ldif48
-rw-r--r--pki/base/migrate/80/MigrateSecurityDomain.java10
-rw-r--r--pki/base/ocsp/shared/conf/CS.cfg.in1
-rw-r--r--pki/base/ocsp/shared/conf/manager.ldif48
-rw-r--r--pki/base/tks/shared/conf/CS.cfg.in1
-rw-r--r--pki/base/tks/shared/conf/manager.ldif48
-rw-r--r--pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java7
16 files changed, 380 insertions, 209 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in
index 52a6d4b04..31e79d64d 100644
--- a/pki/base/ca/shared/conf/CS.cfg.in
+++ b/pki/base/ca/shared/conf/CS.cfg.in
@@ -817,6 +817,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/schema.ldif
preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/database.ldif
preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/acl.ldif
preop.internaldb.index_ldif=
+preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/index.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlvtasks.ldif
preop.internaldb.wait_dn=cn=index1160589769, cn=index, cn=tasks, cn=config
internaldb.multipleSuffix.enable=false
diff --git a/pki/base/ca/shared/conf/manager.ldif b/pki/base/ca/shared/conf/manager.ldif
new file mode 100644
index 000000000..52e486987
--- /dev/null
+++ b/pki/base/ca/shared/conf/manager.ldif
@@ -0,0 +1,48 @@
+# acis for cert manager
+
+dn: ou=csusers,cn=config
+objectClass: top
+objectClass: organizationalUnit
+ou: csusers
+
+dn: {rootSuffix}
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)
+
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)
+
+dn: ou=csusers,cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
+
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
+
+
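Review bot: The ACI name keyword is written two ways in this file: `acl "…"` in most entries but `aci "…"` at L73 and L78; as far as I know the server accepts both spellings, but one form (`acl`) keeps the file uniform and greppable. The header comment `# acis for cert manager` could also state that `{rootSuffix}` and `{dbuser}` are placeholders substituted by DatabasePanel.importLDIFS, since nothing in the file says so. Because every change entry is an `add: aci`, re-importing the file on an instance that already carries these values yields attributeOrValueExists for each one; a comment noting that this is the expected outcome on a re-run would save the next reader a trip to the logs.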
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
index 876cd2a04..435c92fa2 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java
@@ -246,8 +246,13 @@ public class AdminAuthenticatePanel extends WizardPanelBase {
if (!cstype.equals("ca")) {
c1.append(",preop.ca.hostname,preop.ca.httpport,preop.ca.httpsport,preop.ca.list,preop.ca.pkcs7,preop.ca.type");
}
-
- String content = "uid="+uid+"&pwd="+pwd+"&op=get&names=cloning.module.token,instanceId,internaldb.basedn,internaldb.ldapauth.password,internaldb.replication.password,internaldb.ldapconn.host,internaldb.ldapconn.port,internaldb.ldapauth.bindDN"+c1.toString()+"&substores="+s1.toString();
+ s1.append(",internaldb,internaldb.ldapauth,internaldb.ldapconn");
+ String content =
+ "uid=" + uid
+ + "&pwd=" + pwd
+ + "&op=get&names=cloning.module.token,instanceId,"
+ + "internaldb.ldapauth.password,internaldb.replication.password"
+ + c1.toString() + "&substores=" + s1.toString();
boolean success = updateConfigEntries(host, httpsport, true,
"/"+cstype+"/admin/"+cstype+"/getConfigEntries", content, config,
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
index b81c25659..6c8cbbb19 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.servlet.csadmin;
+import java.util.ArrayList;
import org.apache.velocity.Template;
import org.apache.velocity.servlet.VelocityServlet;
@@ -26,6 +27,7 @@ import javax.servlet.*;
import javax.servlet.http.*;
import netscape.ldap.*;
import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.ldap.ILdapConnFactory;
import com.netscape.certsrv.property.*;
import com.netscape.certsrv.dbs.*;
import com.netscape.certsrv.util.*;
@@ -296,8 +298,8 @@ public class DatabasePanel extends WizardPanelBase {
String masterport = "";
String masterbasedn = "";
try {
- masterhost = cs.getString("preop.internaldb.master.hostname", "");
- masterport = cs.getString("preop.internaldb.master.port", "");
+ masterhost = cs.getString("preop.internaldb.master.ldapconn.host", "");
+ masterport = cs.getString("preop.internaldb.master.ldapconn.port", "");
masterbasedn = cs.getString("preop.internaldb.master.basedn", "");
} catch (Exception e) {
}
@@ -502,13 +504,10 @@ public class DatabasePanel extends WizardPanelBase {
String baseDN = "";
String database = "";
String dn = "";
- String dbuser = "";
try {
baseDN = cs.getString("internaldb.basedn");
database = cs.getString("internaldb.database", "");
- dbuser = "uid=" + cs.getString("cs.type") + "-" + cs.getString("machineName") + "-"
- + cs.getString("service.securePort") + ",ou=people," + baseDN;
} catch (Exception e) {
CMS.debug("DatabasePanel populateDB: " + e.toString());
throw new IOException(
@@ -635,10 +634,6 @@ public class DatabasePanel extends WizardPanelBase {
attrs.add(new LDAPAttribute("objectClass", oc3));
attrs.add(new LDAPAttribute(n, v));
- String dbuserACI = "(targetattr=\"*\")(version 3.0; acl \"Cert Manager access\"; allow (all) userdn=\"ldap:///"
- + dbuser + "\";)";
- CMS.debug("ACI string is ["+ dbuserACI + "]");
- attrs.add(new LDAPAttribute("aci", dbuserACI));
LDAPEntry entry = new LDAPEntry(baseDN, attrs);
conn.add(entry);
} catch (Exception e) {
@@ -703,23 +698,6 @@ public class DatabasePanel extends WizardPanelBase {
throw new IOException("Failed to find base DN");
}
- // add dbuser aci to cn=config
- String dbuserACI = "(targetattr=\"*\")(version 3.0; acl \"Cert Manager access\"; allow (read) userdn=\"ldap:///"
- + dbuser + "\";)";
- CMS.debug("ACI string is [" + dbuserACI + "]");
- String configDN = "cn=ldbm database,cn=plugins,cn=config";
- try {
-
- LDAPAttribute attr = new LDAPAttribute("aci", dbuserACI);
- LDAPModification mod = new LDAPModification(LDAPModification.ADD, attr);
- conn.modify(configDN, mod);
- } catch (LDAPException e) {
- if (e.getLDAPResultCode() != LDAPException.ATTRIBUTE_OR_VALUE_EXISTS) {
- e.printStackTrace();
- throw new IOException("Failed to add aci to " + configDN);
- }
- }
-
String select = "";
try {
select = cs.getString("preop.subsystem.select", "");
@@ -727,20 +705,21 @@ public class DatabasePanel extends WizardPanelBase {
}
if (select.equals("clone")) {
- // if this is clone, add index before replication
- // don't put in the schema or bad things will happen
-
- importLDIFS("preop.internaldb.ldif", conn);
- importLDIFS("preop.internaldb.index_ldif", conn);
+ // if this is clone, add index before replication
+ // don't put in the schema or bad things will happen
+ importLDIFS("preop.internaldb.ldif", conn);
+ importLDIFS("preop.internaldb.index_ldif", conn);
+ importLDIFS("preop.internaldb.manager_ldif", conn);
} else {
// data will be replicated from the master to the clone
// so clone does not need the data
//
- importLDIFS("preop.internaldb.schema.ldif", conn);
- importLDIFS("preop.internaldb.ldif", conn);
- importLDIFS("preop.internaldb.data_ldif", conn);
- importLDIFS("preop.internaldb.index_ldif", conn);
+ importLDIFS("preop.internaldb.schema.ldif", conn);
+ importLDIFS("preop.internaldb.ldif", conn);
+ importLDIFS("preop.internaldb.data_ldif", conn);
+ importLDIFS("preop.internaldb.index_ldif", conn);
+ importLDIFS("preop.internaldb.manager_ldif", conn);
}
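Review bot: On the clone branch, `importLDIFS("preop.internaldb.manager_ldif", conn)` adds the clone's own `{dbuser}` ACI to `{rootSuffix}` before replication is set up, but a total update from the master replaces the suffix entry with the master's copy, so the clone's dbuser would be left with only the cn=config grants unless the master's entry already carries an ACI for it — worth confirming against initializeConsumer. The cn=config entries in manager.ldif are not replicated and are unaffected. If the loss does occur, re-applying the suffix ACI once the consumer has been initialized (or granting both dbusers on the master before cloning) closes the gap.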
try {
@@ -796,8 +775,17 @@ public class DatabasePanel extends WizardPanelBase {
throw new IOException("instanceId is missing");
}
+ String dbuser = null;
+ try {
+ dbuser = "uid=" + cs.getString("cs.type") + "-" + cs.getString("machineName") + "-"
+ + cs.getString("service.securePort") + ",ou=people," + baseDN;
+ } catch (EBaseException e) {
+ CMS.debug("Unable to construct dbuser" + e.toString());
+ e.printStackTrace();
+ throw new IOException("unable to construct dbuser");
+ }
- String configDir = instancePath + File.separator + "conf";
+ String configDir = instancePath + File.separator + "conf";
while (tokenizer.hasMoreTokens()) {
String token = tokenizer.nextToken().trim();
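Review bot: The new catch at L230 discards the cause: `throw new IOException("unable to construct dbuser")` drops `e`, and `e.printStackTrace()` sends the trace to stderr rather than the debug log. If the build targets Java 6 or later, `throw new IOException("unable to construct dbuser", e);` preserves it and the printStackTrace can go; the debug line is also missing a separator, `CMS.debug("Unable to construct dbuser: " + e);`.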
@@ -838,6 +826,8 @@ public class DatabasePanel extends WizardPanelBase {
ps.print(baseDN);
} else if (tok.equals("database")) {
ps.print(database);
+ } else if (tok.equals("dbuser")) {
+ ps.print(dbuser);
}
if ((s.length() + 1) == n1) {
endOfline = true;
@@ -859,8 +849,14 @@ public class DatabasePanel extends WizardPanelBase {
throw new IOException(
"Problem of copying ldif file: " + filename);
}
-
- LDAPUtil.importLDIF(conn, filename);
+ ArrayList<String> errors = new ArrayList<String>();
+ LDAPUtil.importLDIF(conn, filename, errors);
+ if (! errors.isEmpty()) {
+ CMS.debug("DatabasePanel: importLDIFS: LDAP Errors in importing " + filename);
+ for (String error: errors) {
+ CMS.debug(error);
+ }
+ }
}
}
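Review bot: Import errors returned by `LDAPUtil.importLDIF(conn, filename, errors)` are only written to the debug log, so a failed ACI or index import leaves the wizard proceeding with a partially configured database — for manager.ldif that means the client-auth dbuser may end up without its rights and the failure only surfaces later as an access-denied. The one benign case is attributeOrValueExists when the panel is re-run; tolerating that and throwing `IOException("Failed to import " + filename)` for anything else would restore the behaviour the removed cn=config code had. Whether the collected strings carry the LDAP result code depends on LDAPUtil.importLDIF, which is outside this hunk, as is the start of importLDIFS.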
@@ -876,7 +872,8 @@ public class DatabasePanel extends WizardPanelBase {
boolean firsttime = false;
context.put("firsttime", "false");
try {
- String v = cs.getString("preop.database.removeData");
+ @SuppressWarnings("unused")
+ String s = cs.getString("preop.database.removeData"); // check whether it's first time
} catch (Exception e) {
context.put("firsttime", "true");
firsttime = true;
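Review bot: `String s = cs.getString("preop.database.removeData")` exists only to trigger the exception when the key is absent, which is why it needs `@SuppressWarnings("unused")`; calling it as a bare statement, `cs.getString("preop.database.removeData"); // throws when unset: first run`, makes that intent explicit and removes the annotation. Relying on the exception for control flow is pre-existing here, but if IConfigStore offers a presence check it would be clearer still.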
@@ -1067,8 +1064,7 @@ public class DatabasePanel extends WizardPanelBase {
}
private void setupReplication(HttpServletRequest request,
- Context context, String secure, String cloneStartTLS) throws IOException {
- String bindpwd = HttpInput.getPassword(request, "__bindpwd");
+ Context context, String secure, String cloneStartTLS) throws IOException {
IConfigStore cs = CMS.getConfigStore();
String cstype = "";
@@ -1094,47 +1090,50 @@ public class DatabasePanel extends WizardPanelBase {
} catch (Exception e) {
}
- String master1_hostname = "";
- int master1_port = -1;
- String master1_binddn = "";
- String master1_bindpwd = "";
- String master1_replicationpwd = "";
+ // get connection to master
+ LDAPConnection masterConn = null;
+ ILdapConnFactory masterFactory = null;
+ try {
+ IConfigStore masterCfg = cs.getSubStore("preop.internaldb.master");
+ masterFactory = CMS.getLdapBoundConnFactory();
+ masterFactory.init(masterCfg);
+ masterConn = masterFactory.getConn();
+ } catch (Exception e) {
+ CMS.debug("Failed to set up connection to master:" + e.toString());
+ e.printStackTrace();
+ throw new IOException("Failed to set up replication: No connection to master");
+ }
+ // get connection to replica
+ LDAPConnection replicaConn = null;
+ ILdapConnFactory replicaFactory = null;
try {
- master1_hostname = cs.getString("preop.internaldb.master.hostname", "");
- master1_port = cs.getInteger("preop.internaldb.master.port", -1);
- master1_binddn = cs.getString("preop.internaldb.master.binddn", "");
- master1_bindpwd = cs.getString("preop.internaldb.master.bindpwd", "");
- master1_replicationpwd = cs.getString("preop.internaldb.master.replicationpwd", "");
+ IConfigStore replicaCfg = cs.getSubStore("internaldb");
+ replicaFactory = CMS.getLdapBoundConnFactory();
+ replicaFactory.init(replicaCfg);
+ replicaConn = replicaFactory.getConn();
} catch (Exception e) {
+ CMS.debug("Failed to set up connection to replica:" + e.toString());
+ e.printStackTrace();
+ throw new IOException("Failed to set up replication: No connection to replica");
}
- String master2_hostname = "";
- int master2_port = -1;
- String master2_binddn = "";
- String master2_bindpwd = "";
- String master2_replicationpwd = "";
+ String master_hostname = "";
+ int master_port = -1;
+ String master_replicationpwd = "";
+ String replica_hostname = "";
+ int replica_port = -1;
+ String replica_replicationpwd = "";
try {
- master2_hostname = cs.getString("internaldb.ldapconn.host", "");
- master2_port = cs.getInteger("internaldb.ldapconn.port", -1);
- master2_binddn = cs.getString("internaldb.ldapauth.bindDN", "");
- master2_bindpwd = bindpwd;
- master2_replicationpwd = cs.getString("preop.internaldb.replicationpwd", "");
+ master_hostname = cs.getString("preop.internaldb.master.ldapconn.host", "");
+ master_port = cs.getInteger("preop.internaldb.master.ldapconn.port", -1);
+ master_replicationpwd = cs.getString("preop.internaldb.master.replication.password", "");
+ replica_hostname = cs.getString("internaldb.ldapconn.host", "");
+ replica_port = cs.getInteger("internaldb.ldapconn.port", -1);
+ replica_replicationpwd = cs.getString("preop.internaldb.replicationpwd", "");
} catch (Exception e) {
}
-
- LDAPConnection conn1 = null;
- LDAPConnection conn2 = null;
- if (secure.equals("true")) {
- CMS.debug("DatabasePanel setupReplication: creating secure (SSL) connections for internal ldap");
- conn1 = new LDAPConnection(CMS.getLdapJssSSLSocketFactory());
- conn2 = new LDAPConnection(CMS.getLdapJssSSLSocketFactory());
- } else {
- CMS.debug("DatabasePanel setupreplication: creating non-secure (non-SSL) connections for internal ldap");
- conn1 = new LDAPConnection();
- conn2 = new LDAPConnection();
- }
String basedn = "";
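Review bot: `masterConn` and `replicaConn` are obtained from `masterFactory` and `replicaFactory` but nothing in the visible hunks of setupReplication returns them with `returnConn` or disconnects them, on the success path or on the IOException paths, so each cloning attempt leaves two bound connections open; when the replica setup at L312-L315 fails, the already-obtained master connection is also abandoned. Wrapping the remainder of the method in `try { … } finally { if (masterConn != null) masterFactory.returnConn(masterConn); if (replicaConn != null) replicaFactory.returnConn(replicaConn); }` would release them. The empty `catch (Exception e) {}` at L344 silently leaves host and port at their defaults, which then fails much later with a less useful message. The method body continues outside this hunk.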
try {
@@ -1143,10 +1142,6 @@ public class DatabasePanel extends WizardPanelBase {
}
try {
- conn1.connect(master1_hostname, master1_port, master1_binddn,
- master1_bindpwd);
- conn2.connect(master2_hostname, master2_port, master2_binddn,
- master2_bindpwd);
String suffix = cs.getString("internaldb.basedn", "");
String replicadn = "cn=replica,cn=\""+suffix+"\",cn=mapping tree,cn=config";
@@ -1155,44 +1150,52 @@ public class DatabasePanel extends WizardPanelBase {
String masterBindUser = "Replication Manager " + masterAgreementName;
String cloneBindUser = "Replication Manager " + cloneAgreementName;
- createReplicationManager(conn1, masterBindUser, master1_replicationpwd);
- createReplicationManager(conn2, cloneBindUser, master2_replicationpwd);
+ createReplicationManager(masterConn, masterBindUser, master_replicationpwd);
+ createReplicationManager(replicaConn, cloneBindUser, replica_replicationpwd);
- String dir1 = getInstanceDir(conn1);
- createChangeLog(conn1, dir1 + "/changelogs");
+ String dir1 = getInstanceDir(masterConn);
+ createChangeLog(masterConn, dir1 + "/changelogs");
- String dir2 = getInstanceDir(conn2);
- createChangeLog(conn2, dir2 + "/changelogs");
+ String dir2 = getInstanceDir(replicaConn);
+ createChangeLog(replicaConn, dir2 + "/changelogs");
int replicaId = cs.getInteger("dbs.beginReplicaNumber", 1);
- replicaId = enableReplication(replicadn, conn1, masterBindUser, basedn, replicaId);
- replicaId = enableReplication(replicadn, conn2, cloneBindUser, basedn, replicaId);
+ replicaId = enableReplication(replicadn, masterConn, masterBindUser, basedn, replicaId);
+ replicaId = enableReplication(replicadn, replicaConn, cloneBindUser, basedn, replicaId);
cs.putString("dbs.beginReplicaNumber", Integer.toString(replicaId));
CMS.debug("DatabasePanel setupReplication: Finished enabling replication");
+
+ createReplicationAgreement(replicadn, masterConn, masterAgreementName,
+ replica_hostname, replica_port, replica_replicationpwd, basedn, cloneBindUser, secure,
+ cloneStartTLS);
- createReplicationAgreement(replicadn, conn1, masterAgreementName,
- master2_hostname, master2_port, master2_replicationpwd, basedn, cloneBindUser, secure, cloneStartTLS);
-
- createReplicationAgreement(replicadn, conn2, cloneAgreementName,
- master1_hostname, master1_port, master1_replicationpwd, basedn, masterBindUser, secure, cloneStartTLS);
+ createReplicationAgreement(replicadn, replicaConn, cloneAgreementName,
+ master_hostname, master_port, master_replicationpwd, basedn, masterBindUser, secure,
+ cloneStartTLS);
// initialize consumer
- initializeConsumer(replicadn, conn1, masterAgreementName);
+ initializeConsumer(replicadn, masterConn, masterAgreementName);
- while (! replicationDone(replicadn, conn1, masterAgreementName)) {
+ while (!replicationDone(replicadn, masterConn, masterAgreementName)) {
CMS.debug("DatabasePanel setupReplication: Waiting for replication to complete");
Thread.sleep(1000);
}
- String status = replicationStatus(replicadn, conn1, masterAgreementName);
+ String status = replicationStatus(replicadn, masterConn, masterAgreementName);
if (!status.startsWith("0 ")) {
CMS.debug("DatabasePanel setupReplication: consumer initialization failed. " +
status);
throw new IOException("consumer initialization failed. " + status);
}
+ // remove master ldap password from password.conf (if present)
+ String passwordFile = cs.getString("passwordFile");
+ IConfigStore psStore = CMS.createFileConfigStore(passwordFile);
+ psStore.remove("master_internaldb");
+ psStore.commit(false);
+
} catch (Exception e) {
CMS.debug("DatabasePanel setupReplication: "+e.toString());
throw new IOException("Failed to setup the replication for cloning.");
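Review bot: The removal of `master_internaldb` from the password file at L419-L422 runs only when replication succeeds; any earlier failure in this try block, and the IOExceptions thrown before it at L301 and L319, leave the master's LDAP bind password on disk in the file named by `passwordFile`, which WizardPanelBase.updateConfigEntries wrote there. A `finally` (or an explicit removal on each failure path) would make the cleanup unconditional. As written, a failure inside the removal itself is also reported as `Failed to setup the replication for cloning.` although replication completed, so giving it its own try/catch and message would avoid the misleading diagnosis. setupReplication's body starts outside this hunk.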
@@ -1235,7 +1238,7 @@ public class DatabasePanel extends WizardPanelBase {
throws LDAPException {
LDAPAttributeSet attrs = null;
LDAPEntry entry = null;
- String dn = "cn=" + bindUser + ",cn=config";
+ String dn = "cn=" + bindUser + ",ou=csusers,cn=config";
try {
attrs = new LDAPAttributeSet();
attrs.add(new LDAPAttribute("objectclass", "top"));
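Review bot: The bind user is now created under `ou=csusers,cn=config`, which exists only where manager.ldif has been imported, so on a master installed before this change, or on any instance where the manager_ldif import failed (DatabasePanel only logs import errors), `conn.add` will fail with noSuchObject; either create the OU here (tolerating entryAlreadyExists) or make sure the migration path covers existing masters. The same DN is built by hand again at L441, L450 and L459; a single `private static final String CSUSERS_SUFFIX = ",ou=csusers,cn=config";` or a `replicationManagerDn(bindUser)` helper would keep the four in sync. The signature of createReplicationManager starts outside this hunk.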
@@ -1311,7 +1314,7 @@ public class DatabasePanel extends WizardPanelBase {
attrs.add(new LDAPAttribute("nsDS5ReplicaRoot", basedn));
attrs.add(new LDAPAttribute("nsDS5ReplicaType", "3"));
attrs.add(new LDAPAttribute("nsDS5ReplicaBindDN",
- "cn=" + bindUser + ",cn=config"));
+ "cn=" + bindUser + ",ou=csusers,cn=config"));
attrs.add(new LDAPAttribute("cn", "replica"));
attrs.add(new LDAPAttribute("nsDS5ReplicaId", Integer.toString(id)));
attrs.add(new LDAPAttribute("nsds5flags", "1"));
@@ -1326,7 +1329,7 @@ public class DatabasePanel extends WizardPanelBase {
try {
entry = conn.read(replicadn);
LDAPAttribute attr = entry.getAttribute("nsDS5ReplicaBindDN");
- attr.addValue( "cn=" + bindUser + ",cn=config");
+ attr.addValue("cn=" + bindUser + ",ou=csusers,cn=config");
LDAPModification mod = new LDAPModification(LDAPModification.REPLACE, attr);
conn.modify(replicadn, mod);
} catch (LDAPException ee) {
@@ -1361,7 +1364,7 @@ public class DatabasePanel extends WizardPanelBase {
attrs.add(new LDAPAttribute("nsDS5ReplicaHost", replicahost));
attrs.add(new LDAPAttribute("nsDS5ReplicaPort", ""+replicaport));
attrs.add(new LDAPAttribute("nsDS5ReplicaBindDN",
- "cn=" + bindUser + ",cn=config"));
+ "cn=" + bindUser + ",ou=csusers,cn=config"));
attrs.add(new LDAPAttribute("nsDS5ReplicaBindMethod", "Simple"));
attrs.add(new LDAPAttribute("nsds5replicacredentials", replicapwd));
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java
index f47e0e59c..e1d360be0 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java
@@ -18,11 +18,11 @@
package com.netscape.cms.servlet.csadmin;
import java.util.*;
-import java.io.*;
import com.netscape.certsrv.base.*;
import com.netscape.certsrv.apps.*;
import netscape.ldap.*;
-import com.netscape.cmsutil.password.*;
+import com.netscape.certsrv.ldap.ELdapException;
+import com.netscape.certsrv.ldap.ILdapConnFactory;
/**
* This object stores the values for IP, uid and group based on the cookie id in LDAP.
@@ -32,9 +32,14 @@ public class LDAPSecurityDomainSessionTable
implements ISecurityDomainSessionTable {
private long m_timeToLive;
+ private ILdapConnFactory mLdapConnFactory = null;
- public LDAPSecurityDomainSessionTable(long timeToLive) {
+ public LDAPSecurityDomainSessionTable(long timeToLive) throws ELdapException, EBaseException {
m_timeToLive = timeToLive;
+ IConfigStore cs = CMS.getConfigStore();
+ IConfigStore internaldb = cs.getSubStore("internaldb");
+ mLdapConnFactory = CMS.getLdapBoundConnFactory();
+ mLdapConnFactory.init(internaldb);
}
public int addEntry(String sessionId, String ip,
@@ -56,7 +61,7 @@ public class LDAPSecurityDomainSessionTable
try {
// create session entry (if it does not exist)
- conn = getLDAPConn();
+ conn = mLdapConnFactory.getConn();
LDAPEntry entry = null;
LDAPAttributeSet attrs = null;
@@ -100,7 +105,7 @@ public class LDAPSecurityDomainSessionTable
}
try {
- conn.disconnect();
+ mLdapConnFactory.returnConn(conn);
} catch (Exception e) {
CMS.debug("SecurityDomainSessionTable:addEntry: Error in disconnecting from database: " + e);
}
@@ -114,7 +119,7 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = cs.getString("internaldb.basedn");
String dn = "cn=" + sessionId + ",ou=sessions,ou=Security Domain," + basedn;
- conn = getLDAPConn();
+ conn = mLdapConnFactory.getConn();
conn.delete(dn);
status = SUCCESS;
} catch (Exception e) {
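Review bot: `sessionId` is concatenated unescaped into the DN at L509, and into the search filters at L525 and L558 in the later hunks; the class javadoc says the id comes from a cookie, so if it is client-supplied a value containing DN or filter special characters changes which entry is deleted or matched. Escaping it (RFC 4514 for DN values, RFC 4515 for filter values) or validating it against the format the server generates before building the strings would close that; this predates the commit, but the new `getConn` line sits directly beside it. removeEntry starts outside this hunk.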
@@ -125,7 +130,7 @@ public class LDAPSecurityDomainSessionTable
}
}
try {
- conn.disconnect();
+ mLdapConnFactory.returnConn(conn);
} catch (Exception e) {
CMS.debug("SecurityDomainSessionTable: removeEntry: Error in disconnecting from database: " + e);
}
@@ -142,7 +147,7 @@ public class LDAPSecurityDomainSessionTable
String filter = "(cn=" + sessionId + ")";
String[] attrs = { "cn" };
- conn = getLDAPConn();
+ conn = mLdapConnFactory.getConn();
LDAPSearchResults res = conn.search(sessionsdn, LDAPv2.SCOPE_SUB, filter, attrs, false);
if (res.getCount() > 0) ret = true;
} catch(Exception e) {
@@ -150,7 +155,7 @@ public class LDAPSecurityDomainSessionTable
}
try {
- conn.disconnect();
+ mLdapConnFactory.returnConn(conn);
} catch (Exception e) {
CMS.debug("SecurityDomainSessionTable: isSessionIdExist: Error in disconnecting from database: " + e);
}
@@ -169,7 +174,7 @@ public class LDAPSecurityDomainSessionTable
String filter = "(objectclass=securityDomainSessionEntry)";
String[] attrs = { "cn" };
- conn = getLDAPConn();
+ conn = mLdapConnFactory.getConn();
LDAPSearchResults res = conn.search(sessionsdn, LDAPv2.SCOPE_SUB, filter, attrs, false);
while (res.hasMoreElements()) {
LDAPEntry entry = res.next();
@@ -188,7 +193,7 @@ public class LDAPSecurityDomainSessionTable
}
try {
- conn.disconnect();
+ mLdapConnFactory.returnConn(conn);
} catch (Exception e) {
CMS.debug("SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: " + e);
}
@@ -205,7 +210,7 @@ public class LDAPSecurityDomainSessionTable
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
String filter = "(cn=" + sessionId + ")";
String[] attrs = { attr };
- conn = getLDAPConn();
+ conn = mLdapConnFactory.getConn();
LDAPSearchResults res = conn.search(sessionsdn, LDAPv2.SCOPE_SUB, filter, attrs, false);
if (res.getCount() > 0) {
LDAPEntry entry = res.next();
@@ -216,7 +221,7 @@ public class LDAPSecurityDomainSessionTable
}
try {
- conn.disconnect();
+ mLdapConnFactory.returnConn(conn);
} catch (Exception e) {
CMS.debug("SecurityDomainSessionTable: isSessionIdExist: Error in disconnecting from database: " + e);
}
@@ -258,7 +263,7 @@ public class LDAPSecurityDomainSessionTable
String filter = "(objectclass=securityDomainSessionEntry)";
String[] attrs = { "cn" };
- conn = getLDAPConn();
+ conn = mLdapConnFactory.getConn();
LDAPSearchResults res = conn.search(sessionsdn, LDAPv2.SCOPE_SUB, filter, attrs, false);
ret = res.getCount();
} catch(Exception e) {
@@ -266,79 +271,11 @@ public class LDAPSecurityDomainSessionTable
}
try {
- conn.disconnect();
+ mLdapConnFactory.returnConn(conn);
} catch (Exception e) {
CMS.debug("SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: " + e);
}
return ret;
}
-
- private LDAPConnection getLDAPConn()
- throws IOException
- {
- IConfigStore cs = CMS.getConfigStore();
-
- String host = "";
- String port = "";
- String pwd = null;
- String binddn = "";
- String security = "";
- String clientNick = "";
-
- IPasswordStore pwdStore = CMS.getPasswordStore();
-
- if (pwdStore != null) {
- //CMS.debug("SecurityDomainSessionTable: getLDAPConn: password store available");
- pwd = pwdStore.getPassword("internaldb");
- }
-
- if ( pwd == null) {
- throw new IOException("SecurityDomainSessionTable: Failed to obtain password from password store");
- }
-
- try {
- host = cs.getString("internaldb.ldapconn.host");
- port = cs.getString("internaldb.ldapconn.port");
- binddn = cs.getString("internaldb.ldapauth.bindDN");
- security = cs.getString("internaldb.ldapconn.secureConn");
- clientNick = cs.getString("internaldb.ldapauth.clientCertNickname");
- } catch (Exception e) {
- CMS.debug("SecurityDomainSessionTable: getLDAPConn" + e.toString());
- throw new IOException(
- "Failed to retrieve LDAP information from CS.cfg.");
- }
-
- int p = -1;
-
- try {
- p = Integer.parseInt(port);
- } catch (Exception e) {
- CMS.debug("SecurityDomainSessionTable getLDAPConn: " + e.toString());
- throw new IOException("Port is not valid");
- }
-
- LDAPConnection conn = null;
- if (!clientNick.equals("")) {
- CMS.debug("SecurityDomainSessionTable getLDAPConn: creating secure (SSL) client auth connection for internal ldap");
- conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory(clientNick));
- } else if (security.equals("true")) {
- //CMS.debug("SecurityDomainSessionTable getLDAPConn: creating secure (SSL) connection for internal ldap");
- conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory());
- } else {
- //CMS.debug("SecurityDomainSessionTable getLDAPConn: creating non-secure (non-SSL) connection for internal ldap");
- conn = new LDAPConnection();
- }
-
- //CMS.debug("SecurityDomainSessionTable connecting to " + host + ":" + p);
- try {
- conn.connect(host, p, binddn, pwd);
- } catch (LDAPException e) {
- CMS.debug("SecurityDomainSessionTable getLDAPConn: " + e.toString());
- throw new IOException("Failed to connect to the internal database.");
- }
-
- return conn;
- }
-
}
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
index d9ee171d9..c34f56069 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
@@ -431,8 +431,15 @@ public class RestoreKeyCertPanel extends WizardPanelBase {
s1.append(",");
s1.append("ca.connector.KRA");
}
-
- content = "op=get&names=cloning.token,instanceId,internaldb.basedn,internaldb.ldapauth.password,internaldb.replication.password,internaldb.ldapconn.host,internaldb.ldapconn.port,internaldb.ldapauth.bindDN"+c1.toString()+"&substores="+s1.toString()+"&xmlOutput=true&sessionID="+session_id;
+
+ s1.append(",internaldb,internaldb.ldapauth,internaldb.ldapconn");
+
+ content =
+ "op=get&names=cloning.token,instanceId,internaldb.basedn,internaldb.ldapauth.password,"
+ + "internaldb.replication.password" + c1.toString()
+ + "&substores=" + s1.toString()
+ + "&xmlOutput=true&sessionID="
+ + session_id;
boolean success = updateConfigEntries(master_hostname, master_port, true,
"/"+cstype+"/admin/"+cstype+"/getConfigEntries", content, config, response);
if (!success) {
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
index 2ec81f7b7..821fc8e7c 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
@@ -601,19 +601,11 @@ public class WizardPanelBase implements IWizardPanel {
}
}
- if (name.equals("internaldb.ldapconn.host")) {
- config.putString("preop.internaldb.master.hostname", v);
- } else if (name.equals("internaldb.ldapconn.port")) {
- config.putString("preop.internaldb.master.port", v);
- } else if (name.equals("internaldb.ldapauth.bindDN")) {
- config.putString("preop.internaldb.master.binddn", v);
- } else if (name.equals("internaldb.basedn")) {
+ if (name.equals("internaldb.basedn")) {
config.putString(name, v);
- config.putString("preop.internaldb.master.basedn", v);
- } else if (name.equals("internaldb.ldapauth.password")) {
- config.putString("preop.internaldb.master.bindpwd", v);
- } else if (name.equals("internaldb.replication.password")) {
- config.putString("preop.internaldb.master.replicationpwd", v);
+ config.putString("preop.internaldb.master.basedn", v);
+ } else if (name.startsWith("internaldb")) {
+ config.putString(name.replaceFirst("internaldb", "preop.internaldb.master"), v);
} else if (name.equals("instanceId")) {
config.putString("preop.master.instanceId", v);
} else if (name.equals("cloning.cert.signing.nickname")) {
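Review bot: The generic `name.startsWith("internaldb")` branch changes the keys under which the master's host, port, bind DN and passwords land in the clone's CS.cfg (e.g. `preop.internaldb.master.ldapauth.password` instead of the old `preop.internaldb.master.bindpwd`, `preop.internaldb.master.ldapconn.host` instead of `.hostname`), so every reader of the old `preop.internaldb.master.*` keys has to move with it; none of those readers is in this hunk, so please confirm they were all updated. As a style point, `replaceFirst` is a regex call on a fixed prefix; `config.putString("preop.internaldb.master" + name.substring("internaldb".length()), v);` says the same thing without regex semantics. The enclosing method continues outside the hunk.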
@@ -662,6 +654,23 @@ public class WizardPanelBase implements IWizardPanel {
}
}
+ // set master ldap password (if it exists) temporarily in password store
+ // in case it is needed for replication. Not stored in password.conf.
+ try {
+ String master_pwd = config.getString("preop.internaldb.master.ldapauth.password", "");
+ if (!master_pwd.equals("")) {
+ config.putString("preop.internaldb.master.ldapauth.bindPWPrompt", "master_internaldb");
+ String passwordFile = config.getString("passwordFile");
+ IConfigStore psStore = CMS.createFileConfigStore(passwordFile);
+ psStore.putString("master_internaldb", master_pwd);
+ psStore.commit(false);
+ }
+ } catch (Exception e) {
+ CMS.debug("updateConfigEntries: Failed to temporarily store master bindpwd: " + e.toString());
+ e.printStackTrace();
+ throw new IOException(e.toString());
+ }
+
return true;
} else if (status.equals(AUTH_FAILURE)) {
reloginSecurityDomain(response);
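Review bot: The comment "Not stored in password.conf" contradicts the code beneath it if `config.getString("passwordFile")` resolves to password.conf, which is what that key usually names in this code base; the master bind password is written in cleartext via `psStore.putString("master_internaldb", master_pwd)` and `psStore.commit(false)`, and the removal the commit message promises is not in this hunk, so confirm it happens on every exit path of the replication step. I would reword the comment to `// stash the master's bind password in the password store under "master_internaldb" so replication setup can read it; must be removed once replication is configured`. Separately, `throw new IOException(e.toString())` drops the cause while `e.printStackTrace()` dumps it to stderr; `throw new IOException("Failed to temporarily store master bindpwd", e);` keeps it attached for the caller.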
diff --git a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
index afaa5c9fc..da6b8ee7a 100644
--- a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -261,18 +261,19 @@ public class CMSEngine implements ICMSEngine {
String secdomain_source = config.getString("securitydomain.source", "memory");
String secdomain_check_interval = config.getString("securitydomain.checkinterval", "5000");
- if (secdomain_source.equals("ldap")) {
- mSecurityDomainSessionTable = new LDAPSecurityDomainSessionTable((new Long(flush_timeout)).longValue());
- } else {
- mSecurityDomainSessionTable = new SecurityDomainSessionTable((new Long(flush_timeout)).longValue());
- }
+ if ((state == 1) && (!sd.equals("existing"))) {
+ // check session domain table only if this is a
+ // configured security domain host
+
+ if (secdomain_source.equals("ldap")) {
+ mSecurityDomainSessionTable = new LDAPSecurityDomainSessionTable((new Long(flush_timeout)).longValue());
+ } else {
+ mSecurityDomainSessionTable = new SecurityDomainSessionTable((new Long(flush_timeout)).longValue());
+ }
+
+ mSDTimer = new Timer();
+ SessionTimer timertask = new SessionTimer(mSecurityDomainSessionTable);
- mSDTimer = new Timer();
- SessionTimer timertask = new SessionTimer(mSecurityDomainSessionTable);
- if ((state != 1) || (sd.equals("existing"))) {
- // for non-security domain hosts or if not yet configured,
- // do not check session domain table
- } else {
mSDTimer.schedule(timertask, 5, (new Long(secdomain_check_interval)).longValue());
}
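Review bot: After this change `mSecurityDomainSessionTable` stays null on any host where `state != 1` or `sd` is "existing", whereas before it was always assigned and only the timer was gated; any accessor or servlet that hands the table out to callers will now NPE on those hosts, and neither `state`, `sd` nor the accessor are visible in the hunk, so please confirm every consumer tolerates null. If some do not, the cheapest fix is to keep the old unconditional construction and only gate the Timer, or add `else { mSecurityDomainSessionTable = null; // not a configured security domain master }` with a null guard in the getter.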
diff --git a/pki/base/kra/shared/conf/CS.cfg.in b/pki/base/kra/shared/conf/CS.cfg.in
index ef0830a81..fb1f60c90 100644
--- a/pki/base/kra/shared/conf/CS.cfg.in
+++ b/pki/base/kra/shared/conf/CS.cfg.in
@@ -224,6 +224,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/schema.ldif
preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/database.ldif
preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/db.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/acl.ldif
preop.internaldb.index_ldif=
+preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/index.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlvtasks.ldif
preop.internaldb.wait_dn=cn=index1160527115, cn=index, cn=tasks, cn=config
internaldb.multipleSuffix.enable=false
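Review bot: `preop.internaldb.manager_ldif` for the KRA points at `/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif`, although this commit adds `pki/base/kra/shared/conf/manager.ldif`; on a host where only the KRA package is installed the CA path does not exist and the ACIs for the client-auth database user are silently skipped. The line should read `preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/manager.ldif`.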
diff --git a/pki/base/kra/shared/conf/manager.ldif b/pki/base/kra/shared/conf/manager.ldif
new file mode 100644
index 000000000..52e486987
--- /dev/null
+++ b/pki/base/kra/shared/conf/manager.ldif
@@ -0,0 +1,48 @@
+# acis for cert manager
+
+dn: ou=csusers,cn=config
+objectClass: top
+objectClass: organizationalUnit
+ou: csusers
+
+dn: {rootSuffix}
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)
+
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)
+
+dn: ou=csusers,cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
+
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
+
+
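Review bot: The last ACI grants the database user `(targetattr=*) allow (add)` on the whole `cn=tasks,cn=config` subtree, which lets it create any directory task (export, import, backup, and so on), noticeably more than the "Run tasks after replica re-initialization" name suggests; if only index tasks are needed, as the `cn=index,cn=tasks,cn=config` wait_dn in CS.cfg.in hints, narrowing it with `(target="ldap:///cn=index,cn=tasks,cn=config")` keeps the user to least privilege. Two of the entries also use the keyword `aci "..."` where the rest use `acl "..."`; if the directory server does not accept the synonym those entries are rejected and only surface as an import warning, so confirm the keyword. Finally the header `# acis for cert manager` is copied verbatim into the KRA file; `# acis for the KRA's client-auth database user` would be accurate.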
diff --git a/pki/base/migrate/80/MigrateSecurityDomain.java b/pki/base/migrate/80/MigrateSecurityDomain.java
index 33bbb72b1..9eea47fed 100644
--- a/pki/base/migrate/80/MigrateSecurityDomain.java
+++ b/pki/base/migrate/80/MigrateSecurityDomain.java
@@ -24,6 +24,7 @@ import netscape.ldap.*;
import java.io.*;
import java.util.*;
import org.w3c.dom.*;
+import java.util.ArrayList;
public class MigrateSecurityDomain {
@@ -114,8 +115,15 @@ public class MigrateSecurityDomain {
// add new schema elements
String importFile = "./schema-add.ldif";
+ ArrayList<String> errors = new ArrayList<String>();
try {
- LDAPUtil.importLDIF(conn, importFile);
+ LDAPUtil.importLDIF(conn, importFile, errors);
+ if (! errors.isEmpty()) {
+ System.out.println("MigrateSecurityDomain: Errors in adding new schema elements:");
+ for (String error: errors) {
+ System.out.println(error);
+ }
+ }
} catch (Exception e) {
System.out.println("MigrateSecurityDomain: Error in adding new schema elements");
System.exit(1);
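Review bot: Import errors are now printed but the migration still continues and exits 0 when `errors` is non-empty, so a partially applied schema looks like success to whoever scripted the run; the new loop should end with `System.exit(1);` or at least set a failure flag that is honoured at the end of the run. The existing catch still prints nothing about the exception it caught, so `System.out.println("MigrateSecurityDomain: Error in adding new schema elements: " + e);` would make that path diagnosable too.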
diff --git a/pki/base/ocsp/shared/conf/CS.cfg.in b/pki/base/ocsp/shared/conf/CS.cfg.in
index e73d3da09..6891d1a9c 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg.in
+++ b/pki/base/ocsp/shared/conf/CS.cfg.in
@@ -186,6 +186,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/schema.ldif
preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/database.ldif
preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ocsp/conf/acl.ldif
preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/index.ldif
+preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
preop.internaldb.post_ldif=
preop.internaldb.wait_dn=
internaldb.multipleSuffix.enable=false
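Review bot: `preop.internaldb.manager_ldif` for the OCSP points at `/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif`, although this commit adds `pki/base/ocsp/shared/conf/manager.ldif`; on an OCSP-only host that CA path is absent and the database user's ACIs are never applied. The line should read `preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/manager.ldif`.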
diff --git a/pki/base/ocsp/shared/conf/manager.ldif b/pki/base/ocsp/shared/conf/manager.ldif
new file mode 100644
index 000000000..52e486987
--- /dev/null
+++ b/pki/base/ocsp/shared/conf/manager.ldif
@@ -0,0 +1,48 @@
+# acis for cert manager
+
+dn: ou=csusers,cn=config
+objectClass: top
+objectClass: organizationalUnit
+ou: csusers
+
+dn: {rootSuffix}
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)
+
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)
+
+dn: ou=csusers,cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
+
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
+
+
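Review bot: The `cn=tasks,cn=config` ACI allows `add` with `targetattr=*` on every task type, not only the tasks run after a replica re-initialization that its name describes; if only index tasks are needed, `(target="ldap:///cn=index,cn=tasks,cn=config")` would bound it. The `aci "cert manager read access"` and `aci "cert manager manage replication users"` entries use `aci` instead of `acl` as the keyword; confirm the server accepts it, since a rejected entry only shows up as an import warning.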
diff --git a/pki/base/tks/shared/conf/CS.cfg.in b/pki/base/tks/shared/conf/CS.cfg.in
index 37e716c56..d5daa95e1 100644
--- a/pki/base/tks/shared/conf/CS.cfg.in
+++ b/pki/base/tks/shared/conf/CS.cfg.in
@@ -179,6 +179,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/schema.ldif
preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/database.ldif
preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/db.ldif,/usr/share/[PKI_FLAVOR]/tks/conf/acl.ldif
preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/index.ldif
+preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
preop.internaldb.post_ldif=
preop.internaldb.wait_dn=
internaldb.multipleSuffix.enable=false
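Review bot: `preop.internaldb.manager_ldif` for the TKS points at `/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif`, although this commit adds `pki/base/tks/shared/conf/manager.ldif`; on a TKS-only host that CA path is absent and the database user's ACIs are never applied. The line should read `preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/manager.ldif`.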
diff --git a/pki/base/tks/shared/conf/manager.ldif b/pki/base/tks/shared/conf/manager.ldif
new file mode 100644
index 000000000..52e486987
--- /dev/null
+++ b/pki/base/tks/shared/conf/manager.ldif
@@ -0,0 +1,48 @@
+# acis for cert manager
+
+dn: ou=csusers,cn=config
+objectClass: top
+objectClass: organizationalUnit
+ou: csusers
+
+dn: {rootSuffix}
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)
+
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)
+
+dn: ou=csusers,cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
+
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
+
+
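Review bot: The `cn=tasks,cn=config` ACI allows `add` with `targetattr=*` on every task type, not only the tasks run after a replica re-initialization that its name describes; if only index tasks are needed, `(target="ldap:///cn=index,cn=tasks,cn=config")` would bound it. The two entries written with `aci "..."` instead of `acl "..."` should be checked against the server's ACI grammar, because a rejected entry only shows up as an import warning.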
diff --git a/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java b/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java
index 9f0884833..1b295eada 100644
--- a/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java
+++ b/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java
@@ -20,9 +20,10 @@ package com.netscape.cmsutil.ldap;
import netscape.ldap.*;
import netscape.ldap.util.*;
import java.io.*;
+import java.util.ArrayList;
public class LDAPUtil {
- public static void importLDIF(LDAPConnection conn, String filename) throws IOException {
+ public static void importLDIF(LDAPConnection conn, String filename, ArrayList<String> errors) throws IOException {
LDIF ldif = new LDIF(filename);
while (true) {
try {
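Review bot: The two-argument `importLDIF(LDAPConnection, String)` is removed rather than kept as an overload, so any caller not updated in this commit no longer compiles, and a caller that passes `null` for `errors` now throws NullPointerException at the first failed add or modify. Declaring the parameter as `List<String> errors` (with `import java.util.List;`) and adding `public static void importLDIF(LDAPConnection conn, String filename) throws IOException { importLDIF(conn, filename, new ArrayList<String>()); }` keeps old callers working and documents that the list is an out-parameter. The method body continues beyond this hunk.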
@@ -43,6 +44,8 @@ public class LDAPUtil {
try {
conn.add(entry);
} catch (LDAPException ee) {
+ errors.add("LDAPUtil:importLDIF: exception in adding entry " + dn +
+ ":" + ee.toString() + "\n");
}
} else if (type == LDIFContent.MODIFICATION_CONTENT) {
LDIFModifyContent c = (LDIFModifyContent)content;
@@ -50,6 +53,8 @@ public class LDAPUtil {
try {
conn.modify(dn, mods);
} catch (LDAPException ee) {
+ errors.add("LDAPUtil:importLDIF: exception in modifying entry " + dn +
+ ":" + ee.toString());
}
}
} catch (Exception e) {
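Review bot: The message for a failed add ends with `"\n"` while the one for a failed modify does not, so callers that print each entry with `println` get a blank line after add errors only. Dropping the `"\n"` from the add message, or adding it to both, keeps the `errors` list uniform; a short comment on the first `errors.add` such as `// per-entry failures are collected, not thrown, so one bad entry does not abort the import` would also record the deliberate swallow.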