Diffstat (limited to 'pki')
16 files changed, 364 insertions, 204 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in
index 1ba0d2f40..980ed5854 100644
--- a/pki/base/ca/shared/conf/CS.cfg.in
+++ b/pki/base/ca/shared/conf/CS.cfg.in
@@ -818,6 +818,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/schema.ldif
 preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/database.ldif
 preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/acl.ldif
 preop.internaldb.index_ldif=
+preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
 preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/index.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlvtasks.ldif
 preop.internaldb.wait_dn=cn=index1160589769, cn=index, cn=tasks, cn=config
 internaldb.multipleSuffix.enable=false
diff --git a/pki/base/ca/shared/conf/manager.ldif b/pki/base/ca/shared/conf/manager.ldif
new file mode 100644
index 000000000..52e486987
--- /dev/null
+++ b/pki/base/ca/shared/conf/manager.ldif
@@ -0,0 +1,48 @@
+# acis for cert manager
+
+dn: ou=csusers,cn=config
+objectClass: top
+objectClass: organizationalUnit
+ou: csusers
+
+dn: {rootSuffix}
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)
+
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)
+
+dn: ou=csusers,cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
+
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
+
+
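Review bot: The modifications on `cn=config` and on `ou=csusers,cn=config` spell the name keyword as `aci "cert manager read access"` and `aci "cert manager manage replication users"`, while every other entry in the file uses `acl "…"`; if the directory server does not accept `aci` as a synonym those two adds are rejected, and because importLDIFS only logs LDAP errors the subsystem would come up without read access to cn=config and nobody would notice until replication setup fails. Please write them as `(version 3.0; acl "cert manager read access"; …)` and `(version 3.0; acl "cert manager manage replication users"; …)` so all eight are consistent. Separately, the `cn=config` grant is `(targetattr != aci)` with read/search/compare for the subsystem's db user, which is wider than the read on `cn=ldbm database` that the removed Java code granted; unless the subsystem needs them, consider also excluding password-bearing attributes there (for example `nsslapd-rootpw`). The byte-identical copy added as `pki/base/kra/shared/conf/manager.ldif` has the same two points.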
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java index 7912486f5..b8cc8022e 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java @@ -249,14 +249,13 @@ public class AdminAuthenticatePanel extends WizardPanelBase { if (!cstype.equals("ca")) { c1.append(",preop.ca.hostname,preop.ca.httpport,preop.ca.httpsport,preop.ca.list,preop.ca.pkcs7,preop.ca.type"); } - + s1.append(",internaldb,internaldb.ldapauth,internaldb.ldapconn"); String content = - "uid=" - + uid - + "&pwd=" - + pwd - + "&op=get&names=cloning.module.token,instanceId,internaldb.basedn,internaldb.ldapauth.password,internaldb.replication.password,internaldb.ldapconn.host,internaldb.ldapconn.port,internaldb.ldapauth.bindDN" - + c1.toString() + "&substores=" + s1.toString(); + "uid=" + uid + + "&pwd=" + pwd + + "&op=get&names=cloning.module.token,instanceId," + + "internaldb.ldapauth.password,internaldb.replication.password" + + c1.toString() + "&substores=" + s1.toString(); boolean success = updateConfigEntries(host, httpsport, true, "/" + cstype + "/admin/" + cstype + "/getConfigEntries", content, config, diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java index 5615c6dfb..d3b0e380e 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java @@ -23,6 +23,7 @@ import java.io.FileOutputStream; import java.io.FileReader; import java.io.IOException; import java.io.PrintStream; +import java.util.ArrayList; import java.util.Enumeration; import java.util.Random; import java.util.StringTokenizer; 
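Review bot: The rebuilt `content` string drops `internaldb.basedn` from `names`, while the parallel rewrite in RestoreKeyCertPanel (hunk at -456) keeps it; WizardPanelBase only copies the value into the clone's own `internaldb.basedn` when that exact name comes back, so unless the `internaldb` substore is guaranteed to return it the two panels now behave differently. Either keep `internaldb.basedn,` in the list here or drop it in RestoreKeyCertPanel so both callers agree. The new lines also still concatenate `uid` and `pwd` into the query string unencoded, so a password containing `&` or `%` splits the request; `URLEncoder.encode(pwd, "UTF-8")` would make it robust. The enclosing method begins and ends outside the hunk.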
@@ -52,6 +53,7 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.dbs.IDBSubsystem; +import com.netscape.certsrv.ldap.ILdapConnFactory; import com.netscape.certsrv.property.Descriptor; import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.property.PropertySet; @@ -318,8 +320,8 @@ public class DatabasePanel extends WizardPanelBase { String masterport = ""; String masterbasedn = ""; try { - masterhost = cs.getString("preop.internaldb.master.hostname", ""); - masterport = cs.getString("preop.internaldb.master.port", ""); + masterhost = cs.getString("preop.internaldb.master.ldapconn.host", ""); + masterport = cs.getString("preop.internaldb.master.ldapconn.port", ""); masterbasedn = cs.getString("preop.internaldb.master.basedn", ""); } catch (Exception e) { } @@ -518,13 +520,10 @@ public class DatabasePanel extends WizardPanelBase { String baseDN = ""; String database = ""; String dn = ""; - String dbuser = ""; try { baseDN = cs.getString("internaldb.basedn"); database = cs.getString("internaldb.database", ""); - dbuser = "uid=" + cs.getString("cs.type") + "-" + cs.getString("machineName") + "-" - + cs.getString("service.securePort") + ",ou=people," + baseDN; } catch (Exception e) { CMS.debug("DatabasePanel populateDB: " + e.toString()); throw new IOException( @@ -656,10 +655,6 @@ public class DatabasePanel extends WizardPanelBase { attrs.add(new LDAPAttribute("objectClass", oc3)); attrs.add(new LDAPAttribute(n, v)); - String dbuserACI = "(targetattr=\"*\")(version 3.0; acl \"Cert Manager access\"; allow (all) userdn=\"ldap:///" - + dbuser + "\";)"; - CMS.debug("ACI string is ["+ dbuserACI + "]"); - attrs.add(new LDAPAttribute("aci", dbuserACI)); LDAPEntry entry = new LDAPEntry(baseDN, attrs); conn.add(entry); } catch (Exception e) { 
@@ -727,23 +722,6 @@ public class DatabasePanel extends WizardPanelBase { throw new IOException("Failed to find base DN"); } - // add dbuser aci to cn=config - String dbuserACI = "(targetattr=\"*\")(version 3.0; acl \"Cert Manager access\"; allow (read) userdn=\"ldap:///" - + dbuser + "\";)"; - CMS.debug("ACI string is [" + dbuserACI + "]"); - String configDN = "cn=ldbm database,cn=plugins,cn=config"; - try { - - LDAPAttribute attr = new LDAPAttribute("aci", dbuserACI); - LDAPModification mod = new LDAPModification(LDAPModification.ADD, attr); - conn.modify(configDN, mod); - } catch (LDAPException e) { - if (e.getLDAPResultCode() != LDAPException.ATTRIBUTE_OR_VALUE_EXISTS) { - e.printStackTrace(); - throw new IOException("Failed to add aci to " + configDN); - } - } - String select = ""; try { select = cs.getString("preop.subsystem.select", ""); @@ -753,9 +731,9 @@ public class DatabasePanel extends WizardPanelBase { if (select.equals("clone")) { // if this is clone, add index before replication // don't put in the schema or bad things will happen - importLDIFS("preop.internaldb.ldif", conn); importLDIFS("preop.internaldb.index_ldif", conn); + importLDIFS("preop.internaldb.manager_ldif", conn); } else { // data will be replicated from the master to the clone // so clone does not need the data @@ -765,6 +743,7 @@ public class DatabasePanel extends WizardPanelBase { importLDIFS("preop.internaldb.ldif", conn); importLDIFS("preop.internaldb.data_ldif", conn); importLDIFS("preop.internaldb.index_ldif", conn); + importLDIFS("preop.internaldb.manager_ldif", conn); } try { 
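Review bot: In the `select.equals("clone")` branch the line `importLDIFS("preop.internaldb.ldif", conn);` is removed so a clone now imports only the index and manager LDIFs, yet the surrounding comment ("if this is clone, add index before replication") does not mention it; if whatever `database.ldif` provides is expected to arrive through replication, say so in that comment, otherwise this silently drops it for clones. The cn=config ACI that the removed block used to add inline is now expected from `manager.ldif`, which also creates `ou=csusers,cn=config`, so `preop.internaldb.manager_ldif` must be imported before setupReplication creates the replication managers under that entry; the order is right here and is worth a one-line comment, e.g. `// manager.ldif must precede setupReplication: it creates ou=csusers,cn=config`. populateDB begins and ends outside these hunks.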
@@ -821,6 +800,16 @@ public class DatabasePanel extends WizardPanelBase { throw new IOException("instanceId is missing"); } + String dbuser = null; + try { + dbuser = "uid=" + cs.getString("cs.type") + "-" + cs.getString("machineName") + "-" + + cs.getString("service.securePort") + ",ou=people," + baseDN; + } catch (EBaseException e) { + CMS.debug("Unable to construct dbuser" + e.toString()); + e.printStackTrace(); + throw new IOException("unable to construct dbuser"); + } + String configDir = instancePath + File.separator + "conf"; while (tokenizer.hasMoreTokens()) { @@ -862,6 +851,8 @@ public class DatabasePanel extends WizardPanelBase { ps.print(baseDN); } else if (tok.equals("database")) { ps.print(database); + } else if (tok.equals("dbuser")) { + ps.print(dbuser); } if ((s.length() + 1) == n1) { endOfline = true; @@ -883,8 +874,14 @@ public class DatabasePanel extends WizardPanelBase { throw new IOException( "Problem of copying ldif file: " + filename); } - - LDAPUtil.importLDIF(conn, filename); + ArrayList<String> errors = new ArrayList<String>(); + LDAPUtil.importLDIF(conn, filename, errors); + if (! errors.isEmpty()) { + CMS.debug("DatabasePanel: importLDIFS: LDAP Errors in importing " + filename); + for (String error: errors) { + CMS.debug(error); + } + } } } @@ -899,6 +896,7 @@ public class DatabasePanel extends WizardPanelBase { context.put("firsttime", "false"); try { + @SuppressWarnings("unused") String s = cs.getString("preop.database.removeData"); // check whether it's first time } catch (Exception e) { context.put("firsttime", "true"); @@ -1087,7 +1085,6 @@ public class DatabasePanel extends WizardPanelBase { private void setupReplication(HttpServletRequest request, Context context, String secure, String cloneStartTLS) throws IOException { - String bindpwd = HttpInput.getPassword(request, "__bindpwd"); IConfigStore cs = CMS.getConfigStore(); String cstype = ""; 
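Review bot: importLDIFS now collects the LDAP errors from `LDAPUtil.importLDIF` and only writes them to the debug log, so a failed import of `preop.internaldb.manager_ldif` — the file that now carries every ACI the subsystem's db user relies on — leaves the instance without database access and the cause buried in the log. The inline `conn.modify(configDN, mod)` it replaces threw `IOException` on anything other than ATTRIBUTE_OR_VALUE_EXISTS; keep that contract by following the loop with `if (!errors.isEmpty()) throw new IOException("Failed to import " + filename + ": " + errors);` (filtering the already-exists case if the error strings allow it), or at least do so for the manager ldif. Two smaller points in the same file: the message `"Unable to construct dbuser" + e.toString()` lacks a separator before the exception text, and the `@SuppressWarnings("unused") String s = cs.getString(...)` probe could read `cs.getString("preop.database.removeData", null) == null` instead of relying on the exception. importLDIFS starts and ends outside the hunks shown.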
@@ -1112,46 +1109,49 @@ public class DatabasePanel extends WizardPanelBase { } catch (Exception e) { } - String master1_hostname = ""; - int master1_port = -1; - String master1_binddn = ""; - String master1_bindpwd = ""; - String master1_replicationpwd = ""; - + // get connection to master + LDAPConnection masterConn = null; + ILdapConnFactory masterFactory = null; try { - master1_hostname = cs.getString("preop.internaldb.master.hostname", ""); - master1_port = cs.getInteger("preop.internaldb.master.port", -1); - master1_binddn = cs.getString("preop.internaldb.master.binddn", ""); - master1_bindpwd = cs.getString("preop.internaldb.master.bindpwd", ""); - master1_replicationpwd = cs.getString("preop.internaldb.master.replicationpwd", ""); + IConfigStore masterCfg = cs.getSubStore("preop.internaldb.master"); + masterFactory = CMS.getLdapBoundConnFactory(); + masterFactory.init(masterCfg); + masterConn = masterFactory.getConn(); } catch (Exception e) { + CMS.debug("Failed to set up connection to master:" + e.toString()); + e.printStackTrace(); + throw new IOException("Failed to set up replication: No connection to master"); } - String master2_hostname = ""; - int master2_port = -1; - String master2_binddn = ""; - String master2_bindpwd = ""; - String master2_replicationpwd = ""; - + // get connection to replica + LDAPConnection replicaConn = null; + ILdapConnFactory replicaFactory = null; try { - master2_hostname = cs.getString("internaldb.ldapconn.host", ""); - master2_port = cs.getInteger("internaldb.ldapconn.port", -1); - master2_binddn = cs.getString("internaldb.ldapauth.bindDN", ""); - master2_bindpwd = bindpwd; - master2_replicationpwd = cs.getString("preop.internaldb.replicationpwd", ""); + IConfigStore replicaCfg = cs.getSubStore("internaldb"); + replicaFactory = CMS.getLdapBoundConnFactory(); + replicaFactory.init(replicaCfg); + replicaConn = replicaFactory.getConn(); } catch (Exception e) { + CMS.debug("Failed to set up connection to replica:" + 
e.toString()); + e.printStackTrace(); + throw new IOException("Failed to set up replication: No connection to replica"); } - LDAPConnection conn1 = null; - LDAPConnection conn2 = null; - if (secure.equals("true")) { - CMS.debug("DatabasePanel setupReplication: creating secure (SSL) connections for internal ldap"); - conn1 = new LDAPConnection(CMS.getLdapJssSSLSocketFactory()); - conn2 = new LDAPConnection(CMS.getLdapJssSSLSocketFactory()); - } else { - CMS.debug("DatabasePanel setupreplication: creating non-secure (non-SSL) connections for internal ldap"); - conn1 = new LDAPConnection(); - conn2 = new LDAPConnection(); + String master_hostname = ""; + int master_port = -1; + String master_replicationpwd = ""; + String replica_hostname = ""; + int replica_port = -1; + String replica_replicationpwd = ""; + + try { + master_hostname = cs.getString("preop.internaldb.master.ldapconn.host", ""); + master_port = cs.getInteger("preop.internaldb.master.ldapconn.port", -1); + master_replicationpwd = cs.getString("preop.internaldb.master.replication.password", ""); + replica_hostname = cs.getString("internaldb.ldapconn.host", ""); + replica_port = cs.getInteger("internaldb.ldapconn.port", -1); + replica_replicationpwd = cs.getString("preop.internaldb.replicationpwd", ""); + } catch (Exception e) { } String basedn = ""; @@ -1161,10 +1161,6 @@ public class DatabasePanel extends WizardPanelBase { } try { - conn1.connect(master1_hostname, master1_port, master1_binddn, - master1_bindpwd); - conn2.connect(master2_hostname, master2_port, master2_binddn, - master2_bindpwd); String suffix = cs.getString("internaldb.basedn", ""); String replicadn = "cn=replica,cn=\"" + suffix + "\",cn=mapping tree,cn=config"; 
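Review bot: `masterConn` and `replicaConn` are obtained from the two new `ILdapConnFactory` instances but nothing in the method hands them back — there is no `returnConn` call for either, and when the replica connection fails the already-open master connection is abandoned before the `throw`. Wrap the replication work in a `finally` that does `if (masterConn != null) masterFactory.returnConn(masterConn);` and the same for `replicaConn`/`replicaFactory`, so both are released on success and on every error path. The new `try { master_hostname = … } catch (Exception e) { }` block also swallows the config read, so replication would proceed with an empty hostname and port `-1`; log the exception there or rethrow it as `IOException`. setupReplication continues past both hunks.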
@@ -1173,46 +1169,52 @@ public class DatabasePanel extends WizardPanelBase { String masterBindUser = "Replication Manager " + masterAgreementName; String cloneBindUser = "Replication Manager " + cloneAgreementName; - createReplicationManager(conn1, masterBindUser, master1_replicationpwd); - createReplicationManager(conn2, cloneBindUser, master2_replicationpwd); + createReplicationManager(masterConn, masterBindUser, master_replicationpwd); + createReplicationManager(replicaConn, cloneBindUser, replica_replicationpwd); - String dir1 = getInstanceDir(conn1); - createChangeLog(conn1, dir1 + "/changelogs"); + String dir1 = getInstanceDir(masterConn); + createChangeLog(masterConn, dir1 + "/changelogs"); - String dir2 = getInstanceDir(conn2); - createChangeLog(conn2, dir2 + "/changelogs"); + String dir2 = getInstanceDir(replicaConn); + createChangeLog(replicaConn, dir2 + "/changelogs"); int replicaId = cs.getInteger("dbs.beginReplicaNumber", 1); - replicaId = enableReplication(replicadn, conn1, masterBindUser, basedn, replicaId); - replicaId = enableReplication(replicadn, conn2, cloneBindUser, basedn, replicaId); + replicaId = enableReplication(replicadn, masterConn, masterBindUser, basedn, replicaId); + replicaId = enableReplication(replicadn, replicaConn, cloneBindUser, basedn, replicaId); cs.putString("dbs.beginReplicaNumber", Integer.toString(replicaId)); CMS.debug("DatabasePanel setupReplication: Finished enabling replication"); - createReplicationAgreement(replicadn, conn1, masterAgreementName, - master2_hostname, master2_port, master2_replicationpwd, basedn, cloneBindUser, secure, + createReplicationAgreement(replicadn, masterConn, masterAgreementName, + replica_hostname, replica_port, replica_replicationpwd, basedn, cloneBindUser, secure, cloneStartTLS); - createReplicationAgreement(replicadn, conn2, cloneAgreementName, - master1_hostname, master1_port, master1_replicationpwd, basedn, masterBindUser, secure, + createReplicationAgreement(replicadn, replicaConn, 
cloneAgreementName, + master_hostname, master_port, master_replicationpwd, basedn, masterBindUser, secure, cloneStartTLS); // initialize consumer - initializeConsumer(replicadn, conn1, masterAgreementName); + initializeConsumer(replicadn, masterConn, masterAgreementName); - while (!replicationDone(replicadn, conn1, masterAgreementName)) { + while (!replicationDone(replicadn, masterConn, masterAgreementName)) { CMS.debug("DatabasePanel setupReplication: Waiting for replication to complete"); Thread.sleep(1000); } - String status = replicationStatus(replicadn, conn1, masterAgreementName); + String status = replicationStatus(replicadn, masterConn, masterAgreementName); if (!status.startsWith("0 ")) { CMS.debug("DatabasePanel setupReplication: consumer initialization failed. " + status); throw new IOException("consumer initialization failed. " + status); } + // remove master ldap password from password.conf (if present) + String passwordFile = cs.getString("passwordFile"); + IConfigStore psStore = CMS.createFileConfigStore(passwordFile); + psStore.remove("master_internaldb"); + psStore.commit(false); + } catch (Exception e) { CMS.debug("DatabasePanel setupReplication: " + e.toString()); throw new IOException("Failed to setup the replication for cloning."); @@ -1238,7 +1240,7 @@ public class DatabasePanel extends WizardPanelBase { throws LDAPException { LDAPAttributeSet attrs = null; LDAPEntry entry = null; - String dn = "cn=" + bindUser + ",cn=config"; + String dn = "cn=" + bindUser + ",ou=csusers,cn=config"; try { attrs = new LDAPAttributeSet(); attrs.add(new LDAPAttribute("objectclass", "top")); 
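Review bot: The removal of `master_internaldb` from the password file runs only at the end of the `try` block, so any failure in `createReplicationManager`, `enableReplication`, `createReplicationAgreement` or the consumer-initialization wait leaves the master's LDAP bind password in the clone's password file; move `psStore.remove("master_internaldb"); psStore.commit(false);` into a `finally` (or a small cleanup helper invoked from both the success path and the `catch`) so it runs on every path. The copy that WizardPanelBase writes into CS.cfg as `preop.internaldb.master.ldapauth.password` (and the `preop.internaldb.master.replication.password` read earlier in this method) is not removed on any path; clear those with `cs.remove(...)` in the same cleanup. setupReplication begins outside the hunk.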
@@ -1315,7 +1317,7 @@ public class DatabasePanel extends WizardPanelBase { attrs.add(new LDAPAttribute("nsDS5ReplicaRoot", basedn)); attrs.add(new LDAPAttribute("nsDS5ReplicaType", "3")); attrs.add(new LDAPAttribute("nsDS5ReplicaBindDN", - "cn=" + bindUser + ",cn=config")); + "cn=" + bindUser + ",ou=csusers,cn=config")); attrs.add(new LDAPAttribute("cn", "replica")); attrs.add(new LDAPAttribute("nsDS5ReplicaId", Integer.toString(id))); attrs.add(new LDAPAttribute("nsds5flags", "1")); @@ -1330,7 +1332,7 @@ public class DatabasePanel extends WizardPanelBase { try { entry = conn.read(replicadn); LDAPAttribute attr = entry.getAttribute("nsDS5ReplicaBindDN"); - attr.addValue("cn=" + bindUser + ",cn=config"); + attr.addValue("cn=" + bindUser + ",ou=csusers,cn=config"); LDAPModification mod = new LDAPModification(LDAPModification.REPLACE, attr); conn.modify(replicadn, mod); } catch (LDAPException ee) { @@ -1367,7 +1369,7 @@ public class DatabasePanel extends WizardPanelBase { attrs.add(new LDAPAttribute("nsDS5ReplicaHost", replicahost)); attrs.add(new LDAPAttribute("nsDS5ReplicaPort", "" + replicaport)); attrs.add(new LDAPAttribute("nsDS5ReplicaBindDN", - "cn=" + bindUser + ",cn=config")); + "cn=" + bindUser + ",ou=csusers,cn=config")); attrs.add(new LDAPAttribute("nsDS5ReplicaBindMethod", "Simple")); attrs.add(new LDAPAttribute("nsds5replicacredentials", replicapwd)); diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java index 244b7df4c..b9932722e 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/LDAPSecurityDomainSessionTable.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.csadmin; -import java.io.IOException; import java.util.Date; import java.util.Enumeration; import java.util.Vector; 
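Review bot: The replication-manager container suffix `",ou=csusers,cn=config"` is now a repeated literal in four places (createReplicationManager at -1238 and the three `nsDS5ReplicaBindDN` sites in this and the next two hunks), and it must also stay in step with the `ou=csusers,cn=config` entry that manager.ldif creates; hoist it to `private static final String REPL_MANAGER_CONTAINER = "ou=csusers,cn=config";` and build each DN as `"cn=" + bindUser + "," + REPL_MANAGER_CONTAINER`. Existing clones whose managers were created directly under `cn=config` by the old code are presumably not migrated by this change; if upgrades are in scope that deserves a follow-up. The enclosing methods start and end outside these hunks.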
@@ -31,9 +30,11 @@ import netscape.ldap.LDAPSearchResults; import netscape.ldap.LDAPv2; import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISecurityDomainSessionTable; -import com.netscape.cmsutil.password.IPasswordStore; +import com.netscape.certsrv.ldap.ELdapException; +import com.netscape.certsrv.ldap.ILdapConnFactory; /** * This object stores the values for IP, uid and group based on the cookie id in LDAP. @@ -43,9 +44,14 @@ public class LDAPSecurityDomainSessionTable implements ISecurityDomainSessionTable { private long m_timeToLive; + private ILdapConnFactory mLdapConnFactory = null; - public LDAPSecurityDomainSessionTable(long timeToLive) { + public LDAPSecurityDomainSessionTable(long timeToLive) throws ELdapException, EBaseException { m_timeToLive = timeToLive; + IConfigStore cs = CMS.getConfigStore(); + IConfigStore internaldb = cs.getSubStore("internaldb"); + mLdapConnFactory = CMS.getLdapBoundConnFactory(); + mLdapConnFactory.init(internaldb); } public int addEntry(String sessionId, String ip, @@ -67,7 +73,7 @@ public class LDAPSecurityDomainSessionTable try { // create session entry (if it does not exist) - conn = getLDAPConn(); + conn = mLdapConnFactory.getConn(); LDAPEntry entry = null; LDAPAttributeSet attrs = null; @@ -112,7 +118,7 @@ public class LDAPSecurityDomainSessionTable } try { - conn.disconnect(); + mLdapConnFactory.returnConn(conn); } catch (Exception e) { CMS.debug("SecurityDomainSessionTable:addEntry: Error in disconnecting from database: " + e); } @@ -126,7 +132,7 @@ public class LDAPSecurityDomainSessionTable try { String basedn = cs.getString("internaldb.basedn"); String dn = "cn=" + sessionId + ",ou=sessions,ou=Security Domain," + basedn; - conn = getLDAPConn(); + conn = mLdapConnFactory.getConn(); conn.delete(dn); status = SUCCESS; } catch (Exception e) { 
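Review bot: The new field is declared `private ILdapConnFactory mLdapConnFactory = null;` and assigned exactly once in the constructor, so it can be `private final ILdapConnFactory mLdapConnFactory;`, and its `m`-prefix naming differs from the existing `m_timeToLive` in the same class. Every call site switched to `mLdapConnFactory.returnConn(conn)` here and in the following hunks keeps the log text `"Error in disconnecting from database"`, which no longer describes what the call does; reword to e.g. `"Error returning connection to pool"`. Note also that `returnConn(conn)` is reached with `conn == null` whenever `getConn()` threw, which would then surface as that same misleading message unless the factory tolerates null.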
@@ -138,7 +144,7 @@ public class LDAPSecurityDomainSessionTable } } try { - conn.disconnect(); + mLdapConnFactory.returnConn(conn); } catch (Exception e) { CMS.debug("SecurityDomainSessionTable: removeEntry: Error in disconnecting from database: " + e); } @@ -155,7 +161,7 @@ public class LDAPSecurityDomainSessionTable String filter = "(cn=" + sessionId + ")"; String[] attrs = { "cn" }; - conn = getLDAPConn(); + conn = mLdapConnFactory.getConn(); LDAPSearchResults res = conn.search(sessionsdn, LDAPv2.SCOPE_SUB, filter, attrs, false); if (res.getCount() > 0) ret = true; @@ -164,7 +170,7 @@ public class LDAPSecurityDomainSessionTable } try { - conn.disconnect(); + mLdapConnFactory.returnConn(conn); } catch (Exception e) { CMS.debug("SecurityDomainSessionTable: isSessionIdExist: Error in disconnecting from database: " + e); } @@ -182,7 +188,7 @@ public class LDAPSecurityDomainSessionTable String filter = "(objectclass=securityDomainSessionEntry)"; String[] attrs = { "cn" }; - conn = getLDAPConn(); + conn = mLdapConnFactory.getConn(); LDAPSearchResults res = conn.search(sessionsdn, LDAPv2.SCOPE_SUB, filter, attrs, false); while (res.hasMoreElements()) { LDAPEntry entry = res.next(); @@ -201,7 +207,7 @@ public class LDAPSecurityDomainSessionTable } try { - conn.disconnect(); + mLdapConnFactory.returnConn(conn); } catch (Exception e) { CMS.debug("SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: " + e); } @@ -218,7 +224,7 @@ public class LDAPSecurityDomainSessionTable String sessionsdn = "ou=sessions,ou=Security Domain," + basedn; String filter = "(cn=" + sessionId + ")"; String[] attrs = { attr }; - conn = getLDAPConn(); + conn = mLdapConnFactory.getConn(); LDAPSearchResults res = conn.search(sessionsdn, LDAPv2.SCOPE_SUB, filter, attrs, false); if (res.getCount() > 0) { LDAPEntry entry = res.next(); 
@@ -229,7 +235,7 @@ public class LDAPSecurityDomainSessionTable } try { - conn.disconnect(); + mLdapConnFactory.returnConn(conn); } catch (Exception e) { CMS.debug("SecurityDomainSessionTable: isSessionIdExist: Error in disconnecting from database: " + e); } @@ -271,7 +277,7 @@ public class LDAPSecurityDomainSessionTable String filter = "(objectclass=securityDomainSessionEntry)"; String[] attrs = { "cn" }; - conn = getLDAPConn(); + conn = mLdapConnFactory.getConn(); LDAPSearchResults res = conn.search(sessionsdn, LDAPv2.SCOPE_SUB, filter, attrs, false); ret = res.getCount(); } catch (Exception e) { 
@@ -279,78 +285,11 @@ public class LDAPSecurityDomainSessionTable } try { - conn.disconnect(); + mLdapConnFactory.returnConn(conn); } catch (Exception e) { CMS.debug("SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: " + e); } return ret; } - - private LDAPConnection getLDAPConn() - throws IOException { - IConfigStore cs = CMS.getConfigStore(); - - String host = ""; - String port = ""; - String pwd = null; - String binddn = ""; - String security = ""; - String clientNick = ""; - - IPasswordStore pwdStore = CMS.getPasswordStore(); - - if (pwdStore != null) { - //CMS.debug("SecurityDomainSessionTable: getLDAPConn: password store available"); - pwd = pwdStore.getPassword("internaldb"); - } - - if (pwd == null) { - throw new IOException("SecurityDomainSessionTable: Failed to obtain password from password store"); - } - - try { - host = cs.getString("internaldb.ldapconn.host"); - port = cs.getString("internaldb.ldapconn.port"); - binddn = cs.getString("internaldb.ldapauth.bindDN"); - security = cs.getString("internaldb.ldapconn.secureConn"); - clientNick = cs.getString("internaldb.ldapauth.clientCertNickname"); - } catch (Exception e) { - CMS.debug("SecurityDomainSessionTable: getLDAPConn" + e.toString()); - throw new IOException( - "Failed to retrieve LDAP information from CS.cfg."); - } - - int p = -1; - - try { - p = Integer.parseInt(port); - } catch (Exception e) { - CMS.debug("SecurityDomainSessionTable getLDAPConn: " + e.toString()); - throw new IOException("Port is not valid"); - } - - LDAPConnection conn = null; - if (!clientNick.equals("")) { - CMS.debug("SecurityDomainSessionTable getLDAPConn: creating secure (SSL) client auth connection for internal ldap"); - conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory(clientNick)); - } else if (security.equals("true")) { - //CMS.debug("SecurityDomainSessionTable getLDAPConn: creating secure (SSL) connection for internal ldap"); - conn = new 
LDAPConnection(CMS.getLdapJssSSLSocketFactory()); - } else { - //CMS.debug("SecurityDomainSessionTable getLDAPConn: creating non-secure (non-SSL) connection for internal ldap"); - conn = new LDAPConnection(); - } - - //CMS.debug("SecurityDomainSessionTable connecting to " + host + ":" + p); - try { - conn.connect(host, p, binddn, pwd); - } catch (LDAPException e) { - CMS.debug("SecurityDomainSessionTable getLDAPConn: " + e.toString()); - throw new IOException("Failed to connect to the internal database."); - } - - return conn; - } - } diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java index 80a887fd2..ea0e79787 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java @@ -456,14 +456,15 @@ public class RestoreKeyCertPanel extends WizardPanelBase { s1.append(","); s1.append("ca.connector.KRA"); } + + s1.append(",internaldb,internaldb.ldapauth,internaldb.ldapconn"); content = - "op=get&names=cloning.token,instanceId,internaldb.basedn,internaldb.ldapauth.password,internaldb.replication.password,internaldb.ldapconn.host,internaldb.ldapconn.port,internaldb.ldapauth.bindDN" - + c1.toString() - + "&substores=" - + s1.toString() - + "&xmlOutput=true&sessionID=" - + session_id; + "op=get&names=cloning.token,instanceId,internaldb.basedn,internaldb.ldapauth.password," + + "internaldb.replication.password" + c1.toString() + + "&substores=" + s1.toString() + + "&xmlOutput=true&sessionID=" + + session_id; boolean success = updateConfigEntries(master_hostname, master_port, true, "/" + cstype + "/admin/" + cstype + "/getConfigEntries", content, config, response); if (!success) { 
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java index 40190c9a7..ea47e82ed 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java @@ -620,19 +620,11 @@ public class WizardPanelBase implements IWizardPanel { } } - if (name.equals("internaldb.ldapconn.host")) { - config.putString("preop.internaldb.master.hostname", v); - } else if (name.equals("internaldb.ldapconn.port")) { - config.putString("preop.internaldb.master.port", v); - } else if (name.equals("internaldb.ldapauth.bindDN")) { - config.putString("preop.internaldb.master.binddn", v); - } else if (name.equals("internaldb.basedn")) { + if (name.equals("internaldb.basedn")) { config.putString(name, v); config.putString("preop.internaldb.master.basedn", v); - } else if (name.equals("internaldb.ldapauth.password")) { - config.putString("preop.internaldb.master.bindpwd", v); - } else if (name.equals("internaldb.replication.password")) { - config.putString("preop.internaldb.master.replicationpwd", v); + } else if (name.startsWith("internaldb")) { + config.putString(name.replaceFirst("internaldb", "preop.internaldb.master"), v); } else if (name.equals("instanceId")) { config.putString("preop.master.instanceId", v); } else if (name.equals("cloning.cert.signing.nickname")) { 
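Review bot: `name.startsWith("internaldb")` is a prefix test rather than a component test, so any key merely beginning with those letters would also be rewritten, and `replaceFirst` takes a regex where a plain prefix swap is meant; `name.equals("internaldb") || name.startsWith("internaldb.")` with `"preop.internaldb.master." + name.substring("internaldb.".length())` is the precise form. The broader effect is that every `internaldb.*` value the master returns — including `internaldb.ldapauth.password` and `internaldb.replication.password` — is now written into the clone's CS.cfg under `preop.internaldb.master.*` via `config.putString`, where it stays after replication is done; those entries should be removed once they have been used. updateConfigEntries begins and ends outside this hunk.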
@@ -681,6 +673,23 @@ public class WizardPanelBase implements IWizardPanel { } } + // set master ldap password (if it exists) temporarily in password store + // in case it is needed for replication. Not stored in password.conf. + try { + String master_pwd = config.getString("preop.internaldb.master.ldapauth.password", ""); + if (!master_pwd.equals("")) { + config.putString("preop.internaldb.master.ldapauth.bindPWPrompt", "master_internaldb"); + String passwordFile = config.getString("passwordFile"); + IConfigStore psStore = CMS.createFileConfigStore(passwordFile); + psStore.putString("master_internaldb", master_pwd); + psStore.commit(false); + } + } catch (Exception e) { + CMS.debug("updateConfigEntries: Failed to temporarily store master bindpwd: " + e.toString()); + e.printStackTrace(); + throw new IOException(e.toString()); + } + return true; } else if (status.equals(AUTH_FAILURE)) { reloginSecurityDomain(response); diff --git a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java index 5fdcaece0..6ca1b6e7e 100644 --- a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java +++ b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java 
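Review bot: `throw new IOException(e.toString())` discards the original exception; use `throw new IOException("Failed to temporarily store master bindpwd", e);` so the cause survives, and the `e.printStackTrace()` can then go. The comment says the password is "Not stored in password.conf", but `psStore` is opened from `config.getString("passwordFile")` and committed after `putString("master_internaldb", master_pwd)`, i.e. it is written to that file; reword the comment to say it is stored there temporarily and removed after replication. This block sits inside updateConfigEntries, whose start lies outside the hunk.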
@@ -345,18 +345,19 @@ public class CMSEngine implements ICMSEngine { String secdomain_source = config.getString("securitydomain.source", "memory"); String secdomain_check_interval = config.getString("securitydomain.checkinterval", "5000"); - if (secdomain_source.equals("ldap")) { - mSecurityDomainSessionTable = new LDAPSecurityDomainSessionTable((new Long(flush_timeout)).longValue()); - } else { - mSecurityDomainSessionTable = new SecurityDomainSessionTable((new Long(flush_timeout)).longValue()); - } + if ((state == 1) && (!sd.equals("existing"))) { + // check session domain table only if this is a + // configured security domain host + + if (secdomain_source.equals("ldap")) { + mSecurityDomainSessionTable = new LDAPSecurityDomainSessionTable((new Long(flush_timeout)).longValue()); + } else { + mSecurityDomainSessionTable = new SecurityDomainSessionTable((new Long(flush_timeout)).longValue()); + } + + mSDTimer = new Timer(); + SessionTimer timertask = new SessionTimer(mSecurityDomainSessionTable); - mSDTimer = new Timer(); - SessionTimer timertask = new SessionTimer(mSecurityDomainSessionTable); - if ((state != 1) || (sd.equals("existing"))) { - // for non-security domain hosts or if not yet configured, - // do not check session domain table - } else { mSDTimer.schedule(timertask, 5, (new Long(secdomain_check_interval)).longValue()); } diff --git a/pki/base/kra/shared/conf/CS.cfg.in b/pki/base/kra/shared/conf/CS.cfg.in index 19570155c..a6d49ceb5 100644 --- a/pki/base/kra/shared/conf/CS.cfg.in +++ b/pki/base/kra/shared/conf/CS.cfg.in 
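Review bot: `mSecurityDomainSessionTable` is now constructed only when `state == 1` and `sd` is not `"existing"`; on every other host it is left unset, whereas before this change each host got at least an in-memory `SecurityDomainSessionTable`. If anything reads the table outside this branch (the accessor this field presumably backs), that is a new null dereference — either keep the unconditional construction and gate only the timer as the old code did, or make every consumer null-safe. Style: `(new Long(flush_timeout)).longValue()` and `(new Long(secdomain_check_interval)).longValue()` are `Long.parseLong(...)`. The enclosing method starts and ends outside the hunk.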
@@ -225,6 +225,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/schema.ldif
 preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/database.ldif
 preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/db.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/acl.ldif
 preop.internaldb.index_ldif=
+preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
 preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/index.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlvtasks.ldif
 preop.internaldb.wait_dn=cn=index1160527115, cn=index, cn=tasks, cn=config
 internaldb.multipleSuffix.enable=false
diff --git a/pki/base/kra/shared/conf/manager.ldif b/pki/base/kra/shared/conf/manager.ldif
new file mode 100644
index 000000000..52e486987
--- /dev/null
+++ b/pki/base/kra/shared/conf/manager.ldif
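Review bot: The new key points the KRA at the CA's copy, `preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif`, while this same commit ships `pki/base/kra/shared/conf/manager.ldif`, which is then never referenced; on a host where only the KRA package is installed the `ca/conf` directory is presumably absent and the import step would fail. I would change it to `preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/manager.ldif`, matching every other `preop.internaldb.*` entry in this hunk, which all use the `kra/conf` tree.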
@@ -0,0 +1,48 @@
+# acis for cert manager
+
+dn: ou=csusers,cn=config
+objectClass: top
+objectClass: organizationalUnit
+ou: csusers
+
+dn: {rootSuffix}
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)
+
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)
+
+dn: ou=csusers,cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
+
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
+
+
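Review bot: The first ACI, `(targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)` on `{rootSuffix}`, grants the database account write access to every attribute of every entry under the suffix, and depending on the server version the `*` wildcard may include the operational `aci` attribute, in which case that account can loosen or delete the very rules this file installs. The `cn=config` and `ou=csusers` entries further down deliberately use `(targetattr != aci)`, which suggests the same intent here; unless the cert manager really has to manage ACIs under the suffix, I would write `(targetattr != aci)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)`. A header comment such as `# {rootSuffix} and {dbuser} are substituted before this file is imported` would also help, since as written the file is not valid LDIF until that happens.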
diff --git a/pki/base/migrate/80/MigrateSecurityDomain.java b/pki/base/migrate/80/MigrateSecurityDomain.java index 67f6c4b33..420e17805 100644 --- a/pki/base/migrate/80/MigrateSecurityDomain.java +++ b/pki/base/migrate/80/MigrateSecurityDomain.java @@ -18,6 +18,7 @@ import java.io.FileInputStream; import java.io.IOException; +import java.util.ArrayList; import java.util.Vector; import netscape.ldap.LDAPAttribute; @@ -120,8 +121,15 @@ public class MigrateSecurityDomain { // add new schema elements String importFile = "./schema-add.ldif"; + ArrayList<String> errors = new ArrayList<String>(); try { - LDAPUtil.importLDIF(conn, importFile); + LDAPUtil.importLDIF(conn, importFile, errors); + if (! errors.isEmpty()) { + System.out.println("MigrateSecurityDomain: Errors in adding new schema elements:"); + for (String error: errors) { + System.out.println(error); + } + } } catch (Exception e) { System.out.println("MigrateSecurityDomain: Error in adding new schema elements"); System.exit(1); diff --git a/pki/base/ocsp/shared/conf/CS.cfg.in b/pki/base/ocsp/shared/conf/CS.cfg.in index 4dbda23cb..5be916e7c 100644 --- a/pki/base/ocsp/shared/conf/CS.cfg.in +++ b/pki/base/ocsp/shared/conf/CS.cfg.in @@ -187,6 +187,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/schema.ldif preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/database.ldif preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ocsp/conf/acl.ldif preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/index.ldif +preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif preop.internaldb.post_ldif= preop.internaldb.wait_dn= internaldb.multipleSuffix.enable=false diff --git a/pki/base/ocsp/shared/conf/manager.ldif b/pki/base/ocsp/shared/conf/manager.ldif new file mode 100644 index 000000000..52e486987 --- /dev/null +++ b/pki/base/ocsp/shared/conf/manager.ldif 
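Review bot: Failures reported through `errors` are printed and then ignored — execution continues and the process still exits 0 — whereas an exception from the same `LDAPUtil.importLDIF` call still ends in `System.exit(1)`, so a schema element that silently failed to add is visible only to someone reading stdout. If some failures are expected on a re-run (entries that already exist), say so in a comment above the loop, e.g. `// "already exists" errors are expected when the migration is re-run`; otherwise call `System.exit(1)` after printing the list, consistent with the catch block. The enclosing method starts before and continues after this hunk.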
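Review bot: `preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif` points the OCSP subsystem at the CA's copy of the file even though this commit adds an identical `pki/base/ocsp/shared/conf/manager.ldif`, which is left unreferenced; an OCSP-only installation presumably has no `ca/conf` directory to read from. Use `preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ocsp/conf/manager.ldif`, consistent with the neighbouring `ocsp/conf` paths in this hunk.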
@@ -0,0 +1,48 @@
+# acis for cert manager
+
+dn: ou=csusers,cn=config
+objectClass: top
+objectClass: organizationalUnit
+ou: csusers
+
+dn: {rootSuffix}
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)
+
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)
+
+dn: ou=csusers,cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
+
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
+
+
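Review bot: The last ACI, `(targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)` on `cn=tasks,cn=config`, lets the database account create any task entry the server supports, not only the index tasks the subsystem configs wait on (`cn=index..., cn=index, cn=tasks, cn=config` in `preop.internaldb.wait_dn`), and adding a task entry asks the server to run a privileged operation on that account's behalf. If index and VLV re-creation is all that is needed after a re-initialization, narrow the grant, e.g. `(target="ldap:///cn=index,cn=tasks,cn=config")`, and give the reason in a `#` comment above the entry; if other task types are required, listing them in that comment lets the grant be reviewed later instead of being taken on faith.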
diff --git a/pki/base/tks/shared/conf/CS.cfg.in b/pki/base/tks/shared/conf/CS.cfg.in
index bf195d234..195201e4d 100644
--- a/pki/base/tks/shared/conf/CS.cfg.in
+++ b/pki/base/tks/shared/conf/CS.cfg.in
@@ -180,6 +180,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/schema.ldif
 preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/tks/conf/database.ldif
 preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/db.ldif,/usr/share/[PKI_FLAVOR]/tks/conf/acl.ldif
 preop.internaldb.index_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/index.ldif
+preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif
 preop.internaldb.post_ldif=
 preop.internaldb.wait_dn=
 internaldb.multipleSuffix.enable=false
diff --git a/pki/base/tks/shared/conf/manager.ldif b/pki/base/tks/shared/conf/manager.ldif
new file mode 100644
index 000000000..52e486987
--- /dev/null
+++ b/pki/base/tks/shared/conf/manager.ldif
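Review bot: `preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif` makes the TKS depend on a file from the CA package while the commit adds `pki/base/tks/shared/conf/manager.ldif` that nothing references; on a TKS-only host the CA path is presumably missing and the LDIF import would fail. Use `preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/tks/conf/manager.ldif`, as every other `preop.internaldb.*` path in this hunk stays under `tks/conf`.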
@@ -0,0 +1,48 @@
+# acis for cert manager
+
+dn: ou=csusers,cn=config
+objectClass: top
+objectClass: organizationalUnit
+ou: csusers
+
+dn: {rootSuffix}
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)
+
+dn: cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)
+
+dn: ou=csusers,cn=config
+changetype: modify
+add: aci
+aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)
+
+dn: cn="{rootSuffix}",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
+
+dn: cn=tasks,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
+
+
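Review bot: Two entries spell the keyword as `aci` (`(version 3.0; aci "cert manager read access"; ...)` and `(version 3.0; aci "cert manager manage replication users"; ...)`) while the other six use `acl`; as far as I know 389 DS accepts both spellings, but mixing them in one file invites the next copy-paste to drift, so I would unify on `acl`. This file is byte-identical to the CA, KRA and OCSP copies added in the same commit (all carry blob id `52e486987`) and still opens with `# acis for cert manager`; if the four are meant to stay in lockstep, a comment saying so, or a single shared file that the subsystems reference, would make that intent visible to whoever edits one of them later.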
diff --git a/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java b/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java index 132e65e6c..a78f8ac55 100644 --- a/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java +++ b/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java @@ -18,6 +18,7 @@ package com.netscape.cmsutil.ldap; import java.io.IOException; +import java.util.ArrayList; import netscape.ldap.LDAPAttribute; import netscape.ldap.LDAPAttributeSet; @@ -32,7 +33,7 @@ import netscape.ldap.util.LDIFModifyContent; import netscape.ldap.util.LDIFRecord; public class LDAPUtil { - public static void importLDIF(LDAPConnection conn, String filename) throws IOException { + public static void importLDIF(LDAPConnection conn, String filename, ArrayList<String> errors) throws IOException { LDIF ldif = new LDIF(filename); while (true) { try { @@ -53,6 +54,8 @@ public class LDAPUtil { try { conn.add(entry); } catch (LDAPException ee) { + errors.add("LDAPUtil:importLDIF: exception in adding entry " + dn + + ":" + ee.toString() + "\n"); } } else if (type == LDIFContent.MODIFICATION_CONTENT) { LDIFModifyContent c = (LDIFModifyContent) content; @@ -60,6 +63,8 @@ public class LDAPUtil { try { conn.modify(dn, mods); } catch (LDAPException ee) { + errors.add("LDAPUtil:importLDIF: exception in modifying entry " + dn + + ":" + ee.toString()); } } } catch (Exception e) { |
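Review bot: Changing the signature to `importLDIF(LDAPConnection conn, String filename, ArrayList<String> errors)` breaks every existing two-argument caller apart from the one updated in this commit, and a caller passing `null` for `errors` now gets a NullPointerException at the first failed add or modify instead of the old silent continue. Keep a compatibility overload, `public static void importLDIF(LDAPConnection conn, String filename) throws IOException { importLDIF(conn, filename, new ArrayList<String>()); }`, and declare the parameter as `List<String>` so callers are not tied to one implementation. A Javadoc line such as `Failures of individual records are appended to {@code errors} rather than thrown; only a problem reading the LDIF itself raises IOException.` would spell out the new contract. The method body continues outside this hunk.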
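Review bot: The message appended for a failed add ends in `+ "\n"` while the one appended for a failed modify in the following hunk does not, so a caller that prints the list line by line, as MigrateSecurityDomain does with `System.out.println`, gets a blank line after add failures only. Drop the `+ "\n"` so both entries have the same shape, or add it to both if the blank line is wanted. The surrounding loop starts and ends outside this hunk.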