[patch]
diffs - support for ca cert for configds
cvsdiffs (text/plain), 15.44 KB, created by
Rich Megginson
on 2007-06-20 14:51:19 UTC
Description:
diffs - support for ca cert for configds
Filename:
MIME Type:
Creator:
Rich Megginson
Created:
2007-06-20 14:51:19 UTC
Size:
15.44 KB
patch
obsolete
>Index: adminserver/admserv/newinst/src/ASDialogs.pm.in
>===================================================================
>RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/ASDialogs.pm.in,v
>retrieving revision 1.3
>diff -u -8 -r1.3 ASDialogs.pm.in
>--- adminserver/admserv/newinst/src/ASDialogs.pm.in 19 Jun 2007 18:32:28 -0000 1.3
>+++ adminserver/admserv/newinst/src/ASDialogs.pm.in 20 Jun 2007 14:49:16 -0000
>@@ -70,16 +70,17 @@
> my $asport = new Dialog (
> $TYPICAL,
> 'dialog_asport_text',
> sub {
> my $self = shift;
> my $port = $self->{manager}->{inf}->{admin}->{Port};
> if (!defined($port)) {
> $port = @admservport@;
>+ $self->{manager}->{setup}->{asorigport} = $port;
> }
> if (!$self->{manager}->{setup}->{reconfigas}) {
> if (!portAvailable($port)) {
> $port = getAvailablePort();
> }
> }
> return $port;
> },
>Index: adminserver/admserv/newinst/src/AdminServer.pm.in
>===================================================================
>RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/AdminServer.pm.in,v
>retrieving revision 1.1
>diff -u -8 -r1.1 AdminServer.pm.in
>--- adminserver/admserv/newinst/src/AdminServer.pm.in 19 Jun 2007 18:32:28 -0000 1.1
>+++ adminserver/admserv/newinst/src/AdminServer.pm.in 20 Jun 2007 14:49:16 -0000
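Review bot: `asorigport` is recorded only inside the `if (!defined($port))` branch, so when the inf file already supplies an admin Port the setup hash never receives an original port; the `@@ -265` hunk of AdminServer.pm.in then evaluates `$port != $origport` against undef, which compares as 0 and warns under `use warnings`. Unless asorigport is assigned somewhere not visible here, moving the line after the closing brace of that `if`, `$self->{manager}->{setup}->{asorigport} = $port;`, records it for both cases; if the intent is instead to always push an explicitly configured port, the comparison in that hunk should say so with a `defined` guard and a comment. The enclosing `new Dialog` constructor starts before the hunk and continues after it.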
>@@ -151,16 +151,46 @@
> $rc = updateAdmpw($setup->{inf}->{admin}->{ServerAdminID},
> $setup->{inf}->{admin}->{ServerAdminPwd},
> $configdir);
> if (!$rc) {
> $setup->msg($FATAL, 'error_updating_admpw');
> return 0;
> }
> 
>+ # chown and chmod other files appropriately
>+ for (glob("$configdir/*")) {
>+ # these are owned by root
>+ next if (/httpd.conf$/);
>+ next if (/nss.conf$/);
>+ next if (/admserv.conf$/);
>+ # these should have been handled above
>+ next if (/adm.conf$/);
>+ next if (/admpw$/);
>+ next if (/local.conf$/);
>+ next if (! -f $_); # should never happen
>+ # all other files should be owned by SysUser
>+ $! = 0; # clear errno
>+ chown $uid, -1, $_;
>+ if ($!) {
>+ $setup->msg($FATAL, 'error_chowning_file', $_,
>+ $setup->{inf}->{admin}->{SysUser}, $!);
>+ return 0;
>+ }
>+ # the files should be writable
>+ $! = 0; # clear errno
>+ my ($ignore, $ignore, $mode, @rest) = stat $_;
>+ $mode &= 0700; # disallow access to non-owner
>+ chmod $mode, $_;
>+ if ($!) {
>+ $setup->msg($FATAL, 'error_chmoding_file', $_, $!);
>+ return 0;
>+ }
>+ }
>+
> return 1;
> }
> 
> # This is how we extract the sie and isie as the as entries are
> # being added
> sub registercb {
> my ($context, $entry) = @_;
> 
>@@ -265,17 +295,17 @@
> my $serverAddress = shift;
> my $port = shift;
> my $configdir = shift;
> my $origport = shift;
> my $admConf = getAdmConf($configdir);
> my $user = $admConf->{sysuser};
> 
> my $cmd = "@cgibindir@/config op=set configuration.nsSuiteSpotUser=\"$user\"";
>- if ($origport && ($port != $origport)) {
>+ if ($port != $origport) { # need to change the port number
> $cmd .= " configuration.nsServerPort=\"$port\"";
> }
> if ($serverAddress) {
> $cmd .= " configuration.nsServerAddress=\"$serverAddress\"";
> }
> 
> if (system($cmd)) {
> return 0;
>Index: adminserver/admserv/newinst/src/AdminUtil.pm.in
>===================================================================
>RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/AdminUtil.pm.in,v
>retrieving revision 1.2
>diff -u -8 -r1.2 AdminUtil.pm.in
>--- adminserver/admserv/newinst/src/AdminUtil.pm.in 19 Jun 2007 18:32:28 -0000 1.2
>+++ adminserver/admserv/newinst/src/AdminUtil.pm.in 20 Jun 2007 14:49:16 -0000
>@@ -34,18 +34,20 @@
> # Copyright (C) 2007 Red Hat, Inc.
> # All rights reserved.
> # END COPYRIGHT BLOCK
> #
> 
> package AdminUtil;
> require Exporter;
> @ISA = qw(Exporter);
>-@EXPORT = qw(getAdmConf getConfigDSConn createConfigDS updateAdmConf updateAdmpw updateLocalConf);
>-@EXPORT_OK = qw(getAdmConf getConfigDSConn createConfigDS updateAdmConf updateAdmpw updateLocalConf);
>+@EXPORT = qw(getAdmConf getConfigDSConn createConfigDS updateAdmConf
>+ updateAdmpw updateLocalConf importCACert);
>+@EXPORT_OK = qw(getAdmConf getConfigDSConn createConfigDS updateAdmConf
>+ updateAdmpw updateLocalConf importCACert);
> 
> # load perldap
> use Mozilla::LDAP::Conn;
> use Mozilla::LDAP::Utils qw(normalizeDN);
> use Mozilla::LDAP::API qw(:constant ldap_url_parse ldap_explode_dn);
> use Mozilla::LDAP::LDIF qw(enlist_values);
> 
> use Util;
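Review bot: In the new chown/chmod loop of the `@@ -151` hunk, `chown` and `chmod` are called in void context and failure is inferred from `$!`; both return the number of files changed, so `if (!chown($uid, -1, $_))` / `if (!chmod($mode, $_))` is the reliable check and makes the `$! = 0` resets unnecessary. `my ($ignore, $ignore, $mode, @rest) = stat $_;` declares `$ignore` twice in one list (a "masks earlier declaration" warning) and `@rest` is unused, and the comment `# the files should be writable` does not describe `$mode &= 0700`, which only strips group/other bits. `-f`, `chown` and `chmod` all follow symlinks, so a symlink left in `$configdir` would redirect the ownership change to its target; skipping links with `next if -l $_;` keeps the change inside the directory. The enclosing sub starts before the hunk.
```perl
    for (glob("$configdir/*")) {
        # … unchanged: skips for root-owned and already-handled files …
        next if -l $_;     # don't follow a symlink out of $configdir
        next if (! -f $_); # should never happen
        # all other files should be owned by SysUser
        if (!chown($uid, -1, $_)) {
            $setup->msg($FATAL, 'error_chowning_file', $_,
                        $setup->{inf}->{admin}->{SysUser}, $!);
            return 0;
        }
        # keep the owner bits, drop group/other access
        my $mode = (stat $_)[2] & 0700;
        if (!chmod($mode, $_)) {
            $setup->msg($FATAL, 'error_chmoding_file', $_, $!);
            return 0;
        }
    }
```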
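Review bot: `$cmd` is still handed to `system` as one string, so `$user` (read from adm.conf) and `$serverAddress` pass through the shell, and a value containing a double quote, `$` or backtick changes the command rather than the setting. Building an argument list and using the list form of `system` avoids the shell entirely; this assumes the config CGI parses its argv the same way the shell would split the quoted string, which is not visible here. The enclosing sub starts before the hunk and ends after it.
```perl
    my @args = ('op=set', "configuration.nsSuiteSpotUser=$user");
    if ($port != $origport) { # need to change the port number
        push @args, "configuration.nsServerPort=$port";
    }
    if ($serverAddress) {
        push @args, "configuration.nsServerAddress=$serverAddress";
    }
    if (system('@cgibindir@/config', @args)) {
        # … unchanged: error return …
```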
>@@ -161,17 +163,17 @@ > my $basedn = $h->{dn}; > if ($h->{options} & LDAP_URL_OPT_SECURE) { > $certdir = getCertDir($configdir); > } > > # first try anon bind > # 3 is LDAPv3 - 1 means use nspr > my $conn = new Mozilla::LDAP::Conn($h->{host}, $h->{port}, "", "", >- $certdir, 0, 3, 1); >+ $certdir); > > my $errstr = "Success"; > if ($conn) { > $errstr = $conn->getErrorString(); > } > if (!$conn or ($errstr ne "Success")) { > if ($conn) { > $conn->close(); 
>@@ -388,8 +390,59 @@ > } > foreach my $val ($entry->getValues($attr)) { > print $localfh "$attrName: $val\n"; > } > } > > return 1; > } >+ >+sub importCACert { >+ my $securitydir = shift; >+ my $cacert = shift; # may be a file or the actual cert in ascii/pem format >+ my @errs = (); # return >+ >+ if (! -d $securitydir) { >+ @errs = ('securitydir_not_exist', $securitydir); >+ return @errs; >+ } >+ >+ if (! -w $securitydir) { >+ @errs = ('securitydir_not_writable', $securitydir); >+ return @errs; >+ } >+ >+ # see if "CA certificate" already exists >+ my $output = `certutil -L -d \"$securitydir\" 2>&1`; >+ if ($output =~ /CA certificate/) { >+ @errs = ('cacert_already_exists', $securitydir); >+ return @errs; >+ } >+ >+ if ($cacert =~ /^-----BEGIN CERTIFICATE-----/) { >+ $! = 0; >+ $? = 0; # clear error indicators >+ if (!open(CERTUTIL, "|certutil -A -d \"$securitydir\" -a -t CT,, -n \"CA certificate\"")) { >+ @errs = ("error_running_certutil", $!); >+ return @errs; >+ } >+ print CERTUTIL $cacert, "\n"; >+ close(CERTUTIL); >+ if ($?) { >+ @errs = ('error_return_certutil', $?, $!); >+ return @errs; >+ } >+ } elsif (! -f $cacert) { >+ @errs = ('cacertfile_not_found', $cacert); >+ return @errs; >+ } else { >+ $! = 0; >+ $? = 0; # clear error indicators >+ $output = `certutil -A -d \"$securitydir\" -a -t CT,, -n \"CA certificate\" -i \"$cacert\" 2>&1`; >+ if ($?) { >+ @errs = ('error_return2_certutil', $?, $!, $output); >+ return @errs; >+ } >+ } >+ >+ return @errs; >+} >Index: adminserver/admserv/newinst/src/ConfigDSDialogs.pm >=================================================================== >RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/ConfigDSDialogs.pm,v >retrieving revision 1.3 >diff -u -8 -r1.3 ConfigDSDialogs.pm >--- adminserver/admserv/newinst/src/ConfigDSDialogs.pm 19 Jun 2007 23:06:43 -0000 1.3 >+++ adminserver/admserv/newinst/src/ConfigDSDialogs.pm 20 Jun 2007 14:49:17 -0000 
>@@ -52,17 +52,17 @@ > my $certdir; > my @errs; > if ($url =~ /^ldaps/) { > if (!$self->{manager}->{inf}->{General}->{certdb} and > !$self->{manager}->{inf}->{General}->{CACertificate}) { > return ('dialog_configdsinfo_nocacert'); > } > if (!$self->{manager}->{inf}->{General}->{certdb}) { >- (@errs) = AdminUtil::importCACert($self->{manager}->{setup}->{configdir}, >+ (@errs) = AdminUtil::importCACert($self->{manager}->{setup}->{configdir} . "/admin-serv", > $self->{manager}->{inf}->{General}->{CACertificate}); > if (@errs) { > return @errs; > } > } > } > my $conn = AdminUtil::getConfigDSConn($url, > $self->{manager}->{inf}->{General}->{ConfigDirectoryAdminID}, >@@ -111,17 +111,19 @@ > if (!defined($admindomain)) { > $admindomain = $self->{manager}->{inf}->{General}->{FullMachineName} || > hostfqdn; > $admindomain =~ s/^[^\.]*\.//; # just the domain part > } > return $admindomain; > } else { # the CA cert > my $url = $self->{manager}->{inf}->{General}->{ConfigDirectoryLdapURL}; >- if (($url !~ /^ldaps/) or $self->{manager}->{inf}->{General}->{certdb}) { >+ my $cert = $self->{manager}->{inf}->{General}->{CACertificate}; >+ if (($url !~ /^ldaps/) or $self->{manager}->{inf}->{General}->{certdb} or >+ ($cert =~ /^-----BEGIN CERTIFICATE-----/)) { > # not using LDAPS, or already have a certdb - hide CA prompt > $self->{prompts}->[4]->[2] = 1; > } else { > $self->{prompts}->[4]->[2] = 0; # unhide CA prompt > } > return $self->{manager}->{inf}->{General}->{CACertificate}; > } > }, 
>@@ -154,17 +156,18 @@ > } else { > $self->{manager}->{inf}->{General}->{ConfigDirectoryAdminPwd} = $ans; > $res = $DialogManager::NEXT; > } > } elsif ($index == 3) { # admin domain > $self->{manager}->{inf}->{General}->{AdminDomain} = $ans; > $res = $DialogManager::NEXT; > } else { # CA cert filename >- if ($ans && length($ans) && ! -f $ans) { >+ if ($ans && length($ans) && >+ ($ans !~ /^-----BEGIN CERTIFICATE-----/) && ! -f $ans) { > $self->{manager}->alert("dialog_configdsinfo_ca_error", $ans); > } else { > $self->{manager}->{inf}->{General}->{CACertificate} = $ans; > $res = $DialogManager::NEXT; > } > } > > if (($index == 4) && ($res == $DialogManager::NEXT)) { 
>@@ -266,25 +269,29 @@ > my $useconfigds = new DialogYesNo ( > $EXPRESS, > 'dialog_useconfigds_text', > sub { > my $self = shift; > my $yes = $self->{"manager"}->getText("yes"); > my $nno = $self->{"manager"}->getText("no"); > my $ret = 0; >- if (!defined($self->{manager}->{inf}->{slapd}->{SlapdConfigForMC}) and >- !defined($self->{manager}->{inf}->{slapd}->{UseExistingMC})) { >- $ret = 0; # implicitly create the config ds >- } elsif (($yes =~ /^$self->{manager}->{inf}->{slapd}->{SlapdConfigForMC}/i) or >- !$self->{manager}->{inf}->{slapd}->{UseExistingMC}) { >+ if ((defined($self->{manager}->{inf}->{slapd}->{SlapdConfigForMC}) and >+ ($yes =~ /^$self->{manager}->{inf}->{slapd}->{SlapdConfigForMC}/i)) or >+ (defined($self->{manager}->{inf}->{slapd}->{UseExistingMC}) and >+ !$self->{manager}->{inf}->{slapd}->{UseExistingMC})) { > # we have to set up the directory server as the config ds > $self->{manager}->{inf}->{slapd}->{SlapdConfigForMC} = "yes"; > $self->{manager}->{inf}->{slapd}->{UseExistingMC} = 0; > $ret = 0; # explicitly create the config ds >+ } elsif (defined($self->{manager}->{inf}->{General}->{ConfigDirectoryLdapURL})) { >+ $ret = 1; # use an existing config ds and register the servers with that one >+ } elsif (!defined($self->{manager}->{inf}->{slapd}->{SlapdConfigForMC}) and >+ !defined($self->{manager}->{inf}->{slapd}->{UseExistingMC})) { >+ $ret = 0; # implicitly create the config ds > } else { > $ret = 1; # use an existing config ds and register the servers with that one > if (exists($self->{manager}->{inf}->{slapd}->{SlapdConfigForMC})) { > delete $self->{manager}->{inf}->{slapd}->{SlapdConfigForMC}; > } > $self->{manager}->{inf}->{slapd}->{UseExistingMC} = 1; > } > return $ret; >Index: adminserver/admserv/newinst/src/setup-ds-admin.res.in >=================================================================== >RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/setup-ds-admin.res.in,v >retrieving revision 1.3 >diff -u -8 -r1.3 
setup-ds-admin.res.in
>--- adminserver/admserv/newinst/src/setup-ds-admin.res.in 19 Jun 2007 18:32:28 -0000 1.3
>+++ adminserver/admserv/newinst/src/setup-ds-admin.res.in 20 Jun 2007 14:49:17 -0000
>@@ -89,16 +89,18 @@
> missing_adminserver_param = Missing required Admin Server setup parameter '%s'. Cannot continue.\n
> missing_general_param = Missing required General setup parameter '%s'. Cannot continue.\n
> creating_admpw = Could not create the Admin Server password file '%s'. Error %s\n
> error_create_dirserver = Failed to create directory server instance\n
> error_create_configds = Failed to create the configuration directory server\n
> error_create_adminserver = Failed to create and configure the admin server\n
> error_creating_directory = Could not create admin server directory '%s'. Error: %s\n
> error_chowning_directory = Could not change ownership of directory '%s' to userid '%s': Error: %s\n
>+error_chowning_file = Could not change ownership of file '%s' to userid '%s': Error: %s\n
>+error_chmoding_file = Could not change permissions of file '%s': Error: %s\n
> error_chgrping_directory = Could not change group of directory '%s' to group '%s': Error: %s\n
> updating_admconf = Updating adm.conf . . .\n
> error_updating_admconf = Could not update adm.conf. Error: %s\n
> updating_admpw = Updating admpw . . .\n
> error_updating_admpw = Could not update admpw. Error: %s\n
> error_creating_adminserver_maptbl = Could not create the map table for registering the Admin Server with the configuration directory server.\n
> error_updating_localconf = Could not update the local admin server configuration file '%s'. Error: %s\n
> error_starting_adminserver = Could not start the admin server. Error: %s\n
>@@ -116,8 +118,16 @@ > end_reconfig_adminserver = Admin server was successfully reconfigured and started.\n > create_dirserver = Creating directory server . . .\n > create_configds = Creating the configuration directory server . . .\n > setup_complete = Setup is complete.\n\n > error_register_dirserver = Could not register the directory server with the configuration directory server.\n > registering_dirserver = Registering directory server with the configuration directory server . . .\n > error_creating_dirserver_maptbl = Could not create the map table for registering the directory server with the configuration directory server.\n > error_reconfig_adminserver = Could not reconfigure the admin server.\n >+ >+securitydir_not_exist = The security file directory '%s' does not exist.\n >+securitydir_not_writable = The security file directory '%s' is not writable.\n >+cacertfile_not_found = The CA certificate file '%s' was not found.\n >+error_running_certutil = Could not run the certutil program to add the CA certificate. Error: %s\n >+error_return_certutil = The certutil program returned error code '%s' from attempting to add the CA certificate. Error: %s >+error_return2_certutil = The certutil program returned error code '%s' from attempting to add the CA certificate. Error: %s\nHere is the output of the command: %s >+cacert_already_exists = The certificate database in '%s' already contains a CA certificate. Please remove it first, or use the certutil program to add the CA certificate with a different name.\n