-rw-r--r--base/common/src/com/netscape/certsrv/logging/AuditFormat.java2
-rw-r--r--base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java8
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java54
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java12
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java8
-rw-r--r--base/common/src/com/netscape/cmscore/logging/AuditFormat.java5
-rw-r--r--base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java48
7 files changed, 111 insertions, 26 deletions
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFormat.java b/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
index 72980aa5a..005043ada 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
@@ -106,6 +106,8 @@ public class AuditFormat {
"Admin UID: {0} removed User UID: {1} from group: {2}";
public static final String ADDCERTSUBJECTDNFORMAT =
"Admin UID: {0} added cert subject DN for User UID: {1}. cert DN: {2}";
+ public static final String REMOVECERTSUBJECTDNFORMAT =
+ "Admin UID: {0} removed cert subject DN for User UID: {1}. cert DN: {2}";
// LDAP publishing
public static final String LDAP_PUBLISHED_FORMAT =
diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
index eb7f84ebf..543b33c26 100644
--- a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
+++ b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
@@ -88,6 +88,14 @@ public interface IUGSubsystem extends ISubsystem, IUsrGrp {
public void addCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException;
/**
+ * Remove a certSubjectDN field from the user
+ * @param identity
+ * @throws EUsrGrpException
+ * @throws LDAPException
+ */
+ public void removeCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException;
+
+ /**
* Removes a user certificate for a user entry
* given a user certificate DN (actually, a combination of version,
* serialNumber, issuerDN, and SubjectDN), and it gets removed
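Review bot: The Javadoc on the new removeCertSubjectDN declaration gives no description of `identity` or of what is removed, so a reader cannot tell it apart from removeUserCert declared just below. Suggest `@param identity the user whose certificate subject DN attribute is removed from its directory entry`, and state that the UGSubsystem implementation in this commit does nothing, without error, for a null user or a user with no certificates, since a caller gets no signal in those cases. The attribute appears to be the seeAlso field named in the ConfigurationUtils hunks, but that is inferred from the other files rather than visible here.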
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 6cd64f654..bcfe36459 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -144,6 +144,7 @@ import com.netscape.certsrv.ocsp.IOCSPAuthority;
import com.netscape.certsrv.system.InstallToken;
import com.netscape.certsrv.system.InstallTokenRequest;
import com.netscape.certsrv.system.SystemConfigClient;
+import com.netscape.certsrv.usrgrp.EUsrGrpException;
import com.netscape.certsrv.usrgrp.IGroup;
import com.netscape.certsrv.usrgrp.IUGSubsystem;
import com.netscape.certsrv.usrgrp.IUser;
@@ -170,6 +171,7 @@ public class ConfigurationUtils {
public static String AUTH_FAILURE = "2";
public static final BigInteger BIG_ZERO = new BigInteger("0");
public static final Long MINUS_ONE = Long.valueOf(-1);
+ public static final String DBUSER = "pkidbuser";
public static boolean loginToken(CryptoToken token, String tokPwd) throws TokenException,
IncorrectPasswordException {
@@ -717,8 +719,6 @@ public class ConfigurationUtils {
BadPaddingException, NotInitializedException, NicknameConflictException, UserCertConflictException,
NoSuchItemOnTokenException, InvalidBERException, IOException {
byte b[] = new byte[1000000];
- IConfigStore cs = CMS.getConfigStore();
- String instanceRoot = cs.getString("instanceRoot");
FileInputStream fis = new FileInputStream(p12File);
while (fis.available() > 0)
@@ -1204,8 +1204,7 @@ public class ConfigurationUtils {
String instanceId = cs.getString("instanceId");
String cstype = cs.getString("cs.type");
- String dbuser = "uid=" + LDAPUtil.escapeDN(cstype + "-" + cs.getString("machineName") + "-"
- + cs.getString("service.securePort")) + ",ou=people," + baseDN;
+ String dbuser = "uid=" + DBUSER + ",ou= people," + baseDN;
String configDir = instancePath + File.separator + cstype.toLowerCase() + File.separator + "conf";
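Review bot: The new DN on the `+` line has a space after the equals sign, `",ou= people,"`, which differs from the `"ou=people, "` base that removeOldDBUsers builds later in this file and from the value the line replaced; whether the directory tolerates a leading space in that RDN value is not visible here, and the two spellings of the same container should at least agree. Change it to `String dbuser = "uid=" + DBUSER + ",ou=people," + baseDN;`. Dropping LDAPUtil.escapeDN is fine here because DBUSER is a fixed literal without DN-special characters, unlike the computed value the old code escaped.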
@@ -3389,19 +3388,28 @@ public class ConfigurationUtils {
}
}
- public static void setupDBUser(String dbuser) throws CertificateException, LDAPException, EBaseException,
+ public static void setupDBUser() throws CertificateException, LDAPException, EBaseException,
NotInitializedException, ObjectNotFoundException, TokenException, IOException {
IUGSubsystem system =
(IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
+ try {
+ @SuppressWarnings("unused")
+ Enumeration<IUser> dbusers = system.findUsers(DBUSER);
+ CMS.debug("DB User already exists: " + DBUSER);
+ return;
+ } catch (EUsrGrpException e) {
+ CMS.debug("Creating DB User: " + DBUSER);
+ }
+
String b64 = getSubsystemCert();
if (b64 == null) {
CMS.debug("setupDBUser(): failed to fetch subsystem cert");
- return;
+ throw new EBaseException("setupDBUser(): failed to fetch subsystem cert");
}
- IUser user = system.createUser(dbuser);
- user.setFullName(dbuser);
+ IUser user = system.createUser(DBUSER);
+ user.setFullName(DBUSER);
user.setEmail("");
user.setPassword("");
user.setUserType("agentType");
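Review bot: The existence check in the new try block rests entirely on findUsers(DBUSER) throwing when there is no match; if it instead returns an empty Enumeration (the result is deliberately left unused), the method hits `return;` on every call and pkidbuser is never created. Test the result rather than the exception, e.g. `Enumeration<IUser> dbusers = system.findUsers(DBUSER);` followed by `if (dbusers != null && dbusers.hasMoreElements()) { CMS.debug("DB User already exists: " + DBUSER); return; }`, keeping the catch only if the lookup is known to throw on no match. The early return also skips the addCertSubjectDN and removeOldDBUsers calls added in the next hunk, while DonePanel and SystemConfigService drop their unconditional addCertSubjectDN in this same commit, so an existing pkidbuser would no longer have its subject DN refreshed after the subsystem certificate changes. setupDBUser's body continues past this hunk.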
@@ -3414,6 +3422,36 @@ public class ConfigurationUtils {
CMS.debug("setupDBUser(): successfully added the user");
system.addUserCert(user);
CMS.debug("setupDBUser(): successfully add the user certificate");
+
+ // set subject dn
+ system.addCertSubjectDN(user);
+
+ // remove old db users
+ CMS.debug("Removing seeAlso from old dbusers");
+ removeOldDBUsers(certs[0].getSubjectDN().toString());
+ }
+
+ public static void removeOldDBUsers(String subjectDN) throws EBaseException, LDAPException {
+ IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
+ IConfigStore cs = CMS.getConfigStore();
+ String userbasedn = "ou=people, " + cs.getString("internaldb.basedn");
+ IConfigStore dbCfg = cs.getSubStore("internaldb");
+ ILdapConnFactory dbFactory = CMS.getLdapBoundConnFactory();
+ dbFactory.init(dbCfg);
+ LDAPConnection conn = dbFactory.getConn();
+
+ String filter = "(&(seeAlso=" + LDAPUtil.escapeFilter(subjectDN) + ")(!(uid=" + DBUSER + ")))";
+ String[] attrs = null;
+ LDAPSearchResults res = conn.search(userbasedn, LDAPConnection.SCOPE_SUB, filter,
+ attrs, false);
+ if (res != null) {
+ while (res.hasMoreElements()) {
+ String uid = (String) res.next().getAttribute("uid").getStringValues().nextElement();
+ IUser user = system.getUser(uid);
+ CMS.debug("removeOldDUsers: Removing seeAlso from " + uid);
+ system.removeCertSubjectDN(user);
+ }
+ }
}
public static String getSubsystemCert() throws EBaseException, NotInitializedException, ObjectNotFoundException,
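Review bot: removeOldDBUsers takes a connection from dbFactory with getConn() and never returns it, so every call leaks a pooled connection; removeCertSubjectDN in UGSubsystem, added by this same commit, returns its connection in a finally block and this method should do the same. Wrapping the search in try/finally is also the place to request only the `uid` attribute instead of every attribute (`attrs` is null), since uid is all the loop reads. `res.next().getAttribute("uid")` will throw NullPointerException for an entry without a uid; entries under the people base presumably all carry one, but the loop would abort midway rather than skip it. The debug message near the end of the loop says `removeOldDUsers`, a typo for the method name.
```java
LDAPConnection conn = dbFactory.getConn();
try {
    String filter = "(&(seeAlso=" + LDAPUtil.escapeFilter(subjectDN) + ")(!(uid=" + DBUSER + ")))";
    String[] attrs = { "uid" };
    LDAPSearchResults res = conn.search(userbasedn, LDAPConnection.SCOPE_SUB, filter,
            attrs, false);
    // ... unchanged: iterate res and call system.removeCertSubjectDN(user) for each uid ...
} finally {
    dbFactory.returnConn(conn);
}
```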
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index e81afdd2f..197c16ad3 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
@@ -31,8 +31,6 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.ocsp.IOCSPAuthority;
import com.netscape.certsrv.property.PropertySet;
-import com.netscape.certsrv.usrgrp.IUGSubsystem;
-import com.netscape.certsrv.usrgrp.IUser;
import com.netscape.cms.servlet.wizard.WizardServlet;
import com.netscape.cmsutil.util.Utils;
@@ -225,16 +223,8 @@ public class DonePanel extends WizardPanelBase {
e.printStackTrace();
}
- String dbuser = null;
try {
- dbuser = cs.getString("cs.type") + "-" + cs.getString("machineName") + "-"
- + cs.getString("service.securePort");
- if (!sdtype.equals("new")) {
- ConfigurationUtils.setupDBUser(dbuser);
- }
- IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
- IUser user = system.getUser(dbuser);
- system.addCertSubjectDN(user);
+ ConfigurationUtils.setupDBUser();
} catch (Exception e) {
e.printStackTrace();
CMS.debug("DonePanel - update(): Unable to create or update dbuser" + e);
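Review bot: The replacement call drops the `!sdtype.equals("new")` guard, so setupDBUser() now also runs when a new security domain is being created, a case the removed lines skipped; the same guard is dropped in the SystemConfigService hunk. If that is intended, a one-line comment such as `// pkidbuser is created for every subsystem, including a new security domain` would keep the next reader from restoring the check. Note also that setupDBUser now throws EBaseException when the subsystem cert cannot be fetched, where it previously returned quietly, and this catch reduces that to a printed stack trace and a debug line, so a subsystem left without its db user is visible only in the debug log.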
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
index 4ae9579f2..3bbe3ca80 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
@@ -703,13 +703,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
}
try {
- String dbuser = csType + "-" + CMS.getEEHost() + "-" + cs.getString("service.securePort");
- if (! securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) {
- ConfigurationUtils.setupDBUser(dbuser);
- }
- IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
- IUser user = system.getUser(dbuser);
- system.addCertSubjectDN(user);
+ ConfigurationUtils.setupDBUser();
} catch (Exception e) {
e.printStackTrace();
throw new PKIException("Errors in creating or updating dbuser: " + e);
diff --git a/base/common/src/com/netscape/cmscore/logging/AuditFormat.java b/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
index 9ba62babb..42c3b0d6f 100644
--- a/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
+++ b/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
@@ -108,4 +108,9 @@ public class AuditFormat {
"Admin UID: {0} added User UID: {1} to group: {2}";
public static final String REMOVEUSERGROUPFORMAT =
"Admin UID: {0} removed User UID: {1} from group: {2}";
+ public static final String ADDCERTSUBJECTDNFORMAT =
+ "Admin UID: {0} added cert subject DN for User UID: {1}. cert DN: {2}";
+ public static final String REMOVECERTSUBJECTDNFORMAT =
+ "Admin UID: {0} removed cert subject DN for User UID: {1}. cert DN: {2}";
+
}
diff --git a/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java b/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
index 9e3dacb17..6b6157241 100644
--- a/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
+++ b/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
@@ -820,6 +820,54 @@ public final class UGSubsystem implements IUGSubsystem {
return;
}
+ public void removeCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException {
+ User user = (User) identity;
+
+ if (user == null) {
+ CMS.debug("removeCertSubjectDN: null user passed in");
+ return;
+ }
+
+ X509Certificate cert[] = null;
+ LDAPModificationSet delAttr = new LDAPModificationSet();
+
+ if ((cert = user.getX509Certificates()) != null) {
+ LDAPAttribute attrCertDNStr = new LDAPAttribute(LDAP_ATTR_CERTDN);
+ attrCertDNStr.addValue(cert[0].getSubjectDN().toString());
+ delAttr.add(LDAPModification.DELETE, attrCertDNStr);
+
+ LDAPConnection ldapconn = null;
+
+ try {
+ ldapconn = getConn();
+ ldapconn.modify("uid=" + LDAPUtil.escapeDN(user.getUserID()) +
+ "," + getUserBaseDN(), delAttr);
+ // for audit log
+ SessionContext sessionContext = SessionContext.getContext();
+ String adminId = (String) sessionContext.get(SessionContext.USER_ID);
+
+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP,
+ AuditFormat.LEVEL, AuditFormat.REMOVECERTSUBJECTDNFORMAT,
+ new Object[] { adminId, user.getUserID(),
+ cert[0].getSubjectDN().toString() }
+ );
+
+ } catch (LDAPException e) {
+ if (Debug.ON) {
+ e.printStackTrace();
+ }
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+ throw e;
+ } catch (ELdapException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+ } finally {
+ if (ldapconn != null)
+ returnConn(ldapconn);
+ }
+ }
+ return;
+ }
+
/**
* Removes a user certificate for a user entry
* given a user certificate DN (actually, a combination of version,