authorcfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2008-06-26 17:45:10 +0000
committercfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2008-06-26 17:45:10 +0000
commita9f7f6c2e7cf66967dbd093da18557455311ebe1 (patch)
treecb09194520fd8d2d236f8b2d4b80205b53142cb6 /pki
parent3cd29ec6ca12bc86df562c4481b48c3b46c3c5c9 (diff)
446685 - LDAP publisher doesn't store the bind password properly
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@63 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki')
-rw-r--r--pki/base/common/src/com/netscape/certsrv/ldap/ILdapConnModule.java2
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java64
-rw-r--r--pki/base/common/src/com/netscape/cmscore/ldap/LdapConnModule.java34
-rw-r--r--pki/base/common/src/com/netscape/cmscore/ldap/PublisherProcessor.java11
-rw-r--r--pki/base/common/src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java36
5 files changed, 134 insertions, 13 deletions
diff --git a/pki/base/common/src/com/netscape/certsrv/ldap/ILdapConnModule.java b/pki/base/common/src/com/netscape/certsrv/ldap/ILdapConnModule.java
index 25bff8984..51a966238 100644
--- a/pki/base/common/src/com/netscape/certsrv/ldap/ILdapConnModule.java
+++ b/pki/base/common/src/com/netscape/certsrv/ldap/ILdapConnModule.java
@@ -56,5 +56,7 @@ public interface ILdapConnModule {
*/
public ILdapConnFactory getLdapConnFactory();
+
+ public ILdapAuthInfo getLdapAuthInfo();
}
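Review bot: The new `getLdapAuthInfo()` declaration on the interface carries no Javadoc, while the neighbouring `getLdapConnFactory()` is documented (its closing `*/` is the first context line of the hunk). A one-line comment such as `/** Returns the bind credentials used by this module's connection factory; may be null if the module has not been initialized. */` would tell implementors and callers (the admin servlet null-checks the result) what contract to expect. The nullability is the important part, since the servlet's behaviour depends on it.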
diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
index c8d3555d9..90037f4ca 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
@@ -41,6 +41,7 @@ import com.netscape.certsrv.apps.*;
import com.netscape.certsrv.ca.*;
import com.netscape.certsrv.ldap.*;
import com.netscape.certsrv.publish.*;
+import com.netscape.cmsutil.password.*;
/**
@@ -499,13 +500,40 @@ public class PublisherAdminServlet extends AdminServlet {
commit(true);
- /* Do a "PUT" of the new pw to the watchdog" */
+ /* Do a "PUT" of the new pw to the watchdog"
+ ** do not remove - cfu
if (pwd != null)
CMS.putPasswordCache(PW_TAG_CA_LDAP_PUBLISHING, pwd);
+ */
+
+ // support publishing dirsrv with different pwd than internaldb
+ // update passwordFile
+ String prompt = ldap.getString(Constants.PR_BINDPWD_PROMPT);
+ IPasswordStore pwdStore = CMS.getPasswordStore();
+ CMS.debug("PublisherAdminServlet: setLDAPDest(): saving password for "+ prompt + " to password file");
+ pwdStore.putPassword(prompt,
+ req.getParameter(Constants.PR_BIND_PASSWD));
+ pwdStore.commit();
+ CMS.debug("PublisherAdminServlet: setLDAPDest(): password saved");
+
+ // what a hack to do this without require restart server
+// ILdapAuthInfo authInfo = CMS.getLdapAuthInfo();
+ ILdapConnModule connModule = mProcessor.getLdapConnModule();
+ ILdapAuthInfo authInfo = null;
+ if (connModule != null) {
+ authInfo = connModule.getLdapAuthInfo();
+ }
+
+// authInfo.addPassword(PW_TAG_CA_LDAP_PUBLISHING, pwd);
+ if (authInfo != null)
+ CMS.debug("PublisherAdminServlet: setLDAPDest(): adding password to memory cache");
+ authInfo.addPassword(prompt, pwd);
try {
+ CMS.debug("PublisherAdminServlet: setLDAPDest(): restarting publishing processor");
mProcessor.shutdown();
mProcessor.startup();
+ CMS.debug("PublisherAdminServlet: setLDAPDest(): publishing processor restarted");
} catch (Exception ex) {
// force to save the config even there is error
// ignore any exception
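Review bot: The guard `if (authInfo != null)` on the new side protects only the `CMS.debug(...)` call beneath it, because there are no braces; `authInfo.addPassword(prompt, pwd);` then runs unconditionally and throws a NullPointerException whenever `connModule` is null or its `getLdapAuthInfo()` returns null, which is precisely the case the check was added for. Brace both statements, `if (authInfo != null) { CMS.debug("...adding password to memory cache"); authInfo.addPassword(prompt, pwd); }` — the later testSetLDAPDest hunk already has the braces. Separately, the password file receives `req.getParameter(Constants.PR_BIND_PASSWD)` while the memory cache receives `pwd`; if `pwd` is derived from that same parameter (its assignment is outside the hunk), use `pwd` for both so the two copies cannot diverge. setLDAPDest begins and continues outside this hunk.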
@@ -756,12 +784,36 @@ public class PublisherAdminServlet extends AdminServlet {
if (ldapcfg.getBoolean(IPublisherProcessor.PROP_ENABLE) &&
pwd != null) {
- /* Do a "PUT" of the new pw to the watchdog" */
+ /* Do a "PUT" of the new pw to the watchdog"
+ ** do not remove - cfu
CMS.putPasswordCache(PW_TAG_CA_LDAP_PUBLISHING, pwd);
- // what a hack to do this without require restart server
- ILdapAuthInfo authInfo = CMS.getLdapAuthInfo();
-
- authInfo.addPassword(PW_TAG_CA_LDAP_PUBLISHING, pwd);
+ */
+
+ // support publishing dirsrv with different pwd than internaldb
+ // update passwordFile
+ String prompt = ldap.getString(Constants.PR_BINDPWD_PROMPT);
+ IPasswordStore pwdStore = CMS.getPasswordStore();
+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): saving password for "+
+ prompt + " to password file");
+ pwdStore.putPassword(prompt, pwd);
+ pwdStore.commit();
+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): password saved");
+
+ // what a hack to do this without require restart server
+// ILdapAuthInfo authInfo = CMS.getLdapAuthInfo();
+ ILdapConnModule connModule = mProcessor.getLdapConnModule();
+ ILdapAuthInfo authInfo = null;
+ if (connModule != null) {
+ authInfo = connModule.getLdapAuthInfo();
+ } else
+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): connModule null");
+
+// authInfo.addPassword(PW_TAG_CA_LDAP_PUBLISHING, pwd);
+ if (authInfo != null) {
+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): adding password to memory cache");
+ authInfo.addPassword(prompt, pwd);
+ } else
+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): authInfo null");
}
//params.add(Constants.PR_SAVE_OK,
// "\n \nConfiguration changes are now committed.");
diff --git a/pki/base/common/src/com/netscape/cmscore/ldap/LdapConnModule.java b/pki/base/common/src/com/netscape/cmscore/ldap/LdapConnModule.java
index 7cff2edb3..bcbdf464c 100644
--- a/pki/base/common/src/com/netscape/cmscore/ldap/LdapConnModule.java
+++ b/pki/base/common/src/com/netscape/cmscore/ldap/LdapConnModule.java
@@ -44,6 +44,7 @@ import com.netscape.cmscore.util.Debug;
public class LdapConnModule implements ILdapConnModule {
protected IConfigStore mConfig = null;
protected LdapBoundConnFactory mLdapConnFactory = null;
+ protected LdapAuthInfo mLdapAuthInfo = null;
protected ILogger mLogger = CMS.getLogger();
private boolean mInited = false;
@@ -66,15 +67,42 @@ public class LdapConnModule implements ILdapConnModule {
public void init(ISubsystem p,
IConfigStore config)
throws EBaseException {
- if (mInited)
+
+ CMS.debug("LdapConnModule: init called");
+ if (mInited) {
+ CMS.debug("LdapConnModule: already initialized. return.");
return;
+ }
+ CMS.debug("LdapConnModule: init begins");
mPubProcessor = p;
mConfig = config;
+ /*
mLdapConnFactory = new LdapBoundConnFactory();
mLdapConnFactory.init(mConfig.getSubStore("ldap"));
+ */
+ // support publishing dirsrv with different pwd than internaldb
+ IConfigStore ldap = mConfig.getSubStore("ldap");
+
+ IConfigStore ldapconn = ldap.getSubStore(
+ ILdapBoundConnFactory.PROP_LDAPCONNINFO);
+ IConfigStore authinfo = ldap.getSubStore(
+ ILdapBoundConnFactory.PROP_LDAPAUTHINFO);
+ ILdapConnInfo connInfo =
+ CMS.getLdapConnInfo(ldapconn);
+ LdapAuthInfo authInfo =
+ new LdapAuthInfo(authinfo, ldapconn.getString("host"),
+ ldapconn.getInteger("port"), false);
+
+ int minConns = mConfig.getInteger(ILdapBoundConnFactory.PROP_MINCONNS, 3);
+ int maxConns = mConfig.getInteger(ILdapBoundConnFactory.PROP_MAXCONNS, 15);
+ // must get authInfo from the config, don't default to internaldb!!!
+ mLdapConnFactory =
+ new LdapBoundConnFactory(minConns, maxConns, (LdapConnInfo)connInfo, authInfo);
+
mInited = true;
+ CMS.debug("LdapConnModule: init ends");
}
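Review bot: `mLdapAuthInfo`, the field added in the previous hunk and returned by the new `getLdapAuthInfo()` in the next hunk, is never assigned: init() builds a local `LdapAuthInfo authInfo` and passes it only to the `LdapBoundConnFactory` constructor, so `getLdapAuthInfo()` always returns null and the admin servlet's in-memory password update never happens (the file-store update still takes effect, but only through the factory re-reading it). Change `LdapAuthInfo authInfo =` to `mLdapAuthInfo =` and pass `mLdapAuthInfo` to the factory. The `secure` argument to the LdapAuthInfo constructor is hard-coded `false` even though the connection settings come from the same `ldapconn` substore; LdapAuthInfo.init forwards that flag to `authInfoOK`, so if the store carries a secure-connection setting it should presumably be passed through rather than fixed — worth confirming. The cast `(LdapConnInfo)connInfo` of the `ILdapConnInfo` returned by `CMS.getLdapConnInfo` also deserves a comment on why it is safe.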
/**
@@ -94,6 +122,10 @@ public class LdapConnModule implements ILdapConnModule {
return mLdapConnFactory;
}
+ public ILdapAuthInfo getLdapAuthInfo() {
+ return mLdapAuthInfo;
+ }
+
public LDAPConnection getConn() throws ELdapException {
return mLdapConnFactory.getConn();
}
diff --git a/pki/base/common/src/com/netscape/cmscore/ldap/PublisherProcessor.java b/pki/base/common/src/com/netscape/cmscore/ldap/PublisherProcessor.java
index 78e58b1ed..ef7375ea7 100644
--- a/pki/base/common/src/com/netscape/cmscore/ldap/PublisherProcessor.java
+++ b/pki/base/common/src/com/netscape/cmscore/ldap/PublisherProcessor.java
@@ -1021,8 +1021,10 @@ public class PublisherProcessor implements
boolean error = false;
String errorRule = "";
+ CMS.debug("PublisherProcessor: publishCert() begins");
if (!enabled())
return;
+ CMS.debug("PublisherProcessor: publishCert() enabled.");
// get mapper and publisher for cert type.
Enumeration rules = getRules("certs", req);
@@ -1035,7 +1037,7 @@ public class PublisherProcessor implements
LdapRule rule = (LdapRule) rules.nextElement();
try {
- log(ILogger.LL_INFO,
+ CMS.debug(
"publish certificate (with request) type=" +
"certs" + " rule=" + rule.getInstanceName() +
" publisher=" + rule.getPublisher());
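Review bot: Replacing `log(ILogger.LL_INFO, ...)` with `CMS.debug(...)` here, and in the next two hunks (`published certificate using rule=` and `published certificate serial number: 0x`), moves the record of successful publications out of the system log into the debug log, which is typically disabled outside troubleshooting; operators lose the trail of which rule and publisher published which certificate. If the goal was extra debug output, keep the INFO log line and add the debug call next to it instead of replacing it. publishCert begins and continues outside this hunk.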
@@ -1047,7 +1049,7 @@ public class PublisherProcessor implements
m = getActiveMapperInstance(mapperName);
}
publishNow(m, p, req, cert);
- log(ILogger.LL_INFO, "published certificate using rule=" +
+ CMS.debug("published certificate using rule=" +
rule.getInstanceName());
} catch (Exception e) {
// continue publishing even publisher has errors
@@ -1283,11 +1285,13 @@ public class PublisherProcessor implements
private void publishNow(ILdapMapper mapper, ILdapPublisher publisher,
IRequest r, Object obj) throws ELdapException {
+ CMS.debug("PublisherProcessor: in publishNow()");
if (!enabled())
return;
LDAPConnection conn = null;
try {
+ CMS.debug("PublisherProcessor: publishNow(): about to call publisher.publish()");
String dirdn = null;
if (mapper != null) {
@@ -1307,12 +1311,13 @@ public class PublisherProcessor implements
X509Certificate cert = (X509Certificate) obj;
try {
+ CMS.debug("PublisherProcessor: publishNow(): about to call publisher.publish()");
publisher.publish(conn, dirdn, cert);
} catch (Throwable e1) {
CMS.debug("Error publishing: publisher=" + publisher + " error=" + e1.toString());
throw e1;
}
- log(ILogger.LL_INFO, "published certificate serial number: 0x" +
+ CMS.debug("published certificate serial number: 0x" +
cert.getSerialNumber().toString(16));
} catch (ELdapException e) {
throw e;
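Review bot: The new debug line before `publisher.publish(conn, dirdn, cert)` reuses the message already emitted at the top of the try block in the previous hunk (`PublisherProcessor: publishNow(): about to call publisher.publish()`), so every call logs the same text twice and a reader cannot tell which point was reached when the mapper step between them fails. Make the earlier one describe its own stage, e.g. `CMS.debug("PublisherProcessor: publishNow(): resolving DN via mapper");`, or drop it. publishNow's body begins and ends outside this hunk.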
diff --git a/pki/base/common/src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java b/pki/base/common/src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java
index 060389584..d8287a307 100644
--- a/pki/base/common/src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java
+++ b/pki/base/common/src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java
@@ -29,6 +29,7 @@ import com.netscape.certsrv.apps.*;
import com.netscape.certsrv.base.*;
import com.netscape.certsrv.ldap.*;
import com.netscape.cmscore.base.*;
+import com.netscape.cmsutil.password.*;
/**
@@ -82,8 +83,13 @@ public class LdapAuthInfo implements ILdapAuthInfo {
*/
public void init(IConfigStore config, String host, int port, boolean secure)
throws EBaseException {
- if (mInited)
- return; // XXX throw exception here ?
+
+ CMS.debug("LdapAuthInfo: init()");
+ if (mInited) {
+ CMS.debug("LdapAuthInfo: already initialized");
+ return; // XXX throw exception here ?
+ }
+ CMS.debug("LdapAuthInfo: init begins");
String authTypeStr = config.getString(PROP_LDAPAUTHTYPE);
@@ -101,25 +107,48 @@ public class LdapAuthInfo implements ILdapAuthInfo {
if (prompt == null) {
prompt = "LDAP Authentication";
- }
+ CMS.debug("LdapAuthInfo: init: prompt is null, change to "+prompt);
+ } else
+ CMS.debug("LdapAuthInfo: init: prompt is "+prompt);
+
+/* in init(), there should not have been passwords in memory
if (mParms[1] == null) {
mParms[1] = (String) passwords.get(prompt);
}
+*/
// Finally, interactively obtain the password from the user
if (mParms[1] == null) {
+ CMS.debug("LdapAuthInfo: init: try to get it from password file");
+/* hey - should use password store interface to allow different implementations
IConfigStore mainConfig = CMS.getConfigStore();
String pwdFile = mainConfig.getString("passwordFile");
FileConfigStore pstore = new FileConfigStore(pwdFile);
mParms[1] = pstore.getString("internaldb");
+*/
+//cfu
+ IPasswordStore pwdStore = CMS.getPasswordStore();
+
+// mParms[1] = pstore.getString(prompt);
+
+ // support publishing dirsrv with different pwd than internaldb
+ mParms[1] = pwdStore.getPassword(prompt);
+ if ( mParms[1] == null) {
+ CMS.debug("LdapAuthInfo: password for "+prompt+
+ " not found, trying internaldb");
+ mParms[1] = pwdStore.getPassword("internaldb"); // last resort
+ }
// verify the password
if ((!mParms[1].equals("")) && (host == null ||
authInfoOK(host, port, secure, mParms[0], mParms[1]))) {
// The password is OK or uncheckable
+ CMS.debug("LdapAuthInfo: password ok: store in memory cache");
passwords.put(prompt, mParms[1]);
} else {
+/* what do you know? Our IPasswordStore does not have a remove function.
pstore.remove("internaldb");
+*/
}
}
} else if (authTypeStr.equals(LDAP_SSLCLIENTAUTH_STR)) {
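Review bot: `mParms[1]` can still be null after the fallback: when neither `pwdStore.getPassword(prompt)` nor `pwdStore.getPassword("internaldb")` returns a value, `mParms[1].equals("")` on the verify line throws a NullPointerException instead of a clear error; guard it, `if (mParms[1] != null && !mParms[1].equals("") && (host == null || authInfoOK(...)))`, or throw an EBaseException naming the missing password tag. The `internaldb` fallback also means that a missing publishing password causes the internal database's bind credential to be presented to whatever `host`/`port` this LdapAuthInfo was built for; for a publishing directory on a separate server that is credential reuse against a possibly less-trusted host, so it should at least be logged where operators see it, or restricted to targets known to be the internal directory. The old code removed a password that failed `authInfoOK` from the store, whereas the new else branch is empty because IPasswordStore has no remove, so a rejected password now persists silently; a line such as `CMS.debug("LdapAuthInfo: password for "+prompt+" failed verification");` would make that visible. init's body continues outside this hunk.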
@@ -131,6 +160,7 @@ public class LdapAuthInfo implements ILdapAuthInfo {
"Unknown Ldap authentication type " + authTypeStr);
}
mInited = true;
+ CMS.debug("LdapAuthInfo: init ends");
}
public void reset() {