Red Hat Bugzilla – Attachment 310301 Details for
Bug 446685
LDAP publisher doesn't store the bind password properly
fix for dogtag.
ldapPublishPwdFix-dogtag.diff (text/plain), 13.08 KB, created by
Christina Fu
on 2008-06-25 22:08:32 UTC
Description:
fix for dogtag.
Filename:
MIME Type:
Creator:
Christina Fu
Created:
2008-06-25 22:08:32 UTC
Size:
13.08 KB
patch
obsolete
>Index: src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
>===================================================================
>--- src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java (revision 51)
>+++ src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java (working copy)
>@@ -41,6 +41,7 @@
> import com.netscape.certsrv.ca.*;
> import com.netscape.certsrv.ldap.*;
> import com.netscape.certsrv.publish.*;
>+import com.netscape.cmsutil.password.*;
> 
> 
> /**
>@@ -499,13 +500,40 @@
> 
> commit(true);
> 
>- /* Do a "PUT" of the new pw to the watchdog" */
>+ /* Do a "PUT" of the new pw to the watchdog"
>+ ** do not remove - cfu
> if (pwd != null)
> CMS.putPasswordCache(PW_TAG_CA_LDAP_PUBLISHING, pwd);
>+ */
> 
>+ // support publishing dirsrv with different pwd than internaldb
>+ // update passwordFile
>+ String prompt = ldap.getString(Constants.PR_BINDPWD_PROMPT);
>+ IPasswordStore pwdStore = CMS.getPasswordStore();
>+ CMS.debug("PublisherAdminServlet: setLDAPDest(): saving password for "+ prompt + " to password file");
>+ pwdStore.putPassword(prompt,
>+ req.getParameter(Constants.PR_BIND_PASSWD));
>+ pwdStore.commit();
>+ CMS.debug("PublisherAdminServlet: setLDAPDest(): password saved");
>+ 
>+ // what a hack to do this without require restart server
>+// ILdapAuthInfo authInfo = CMS.getLdapAuthInfo();
>+ ILdapConnModule connModule = mProcessor.getLdapConnModule();
>+ ILdapAuthInfo authInfo = null;
>+ if (connModule != null) {
>+ authInfo = connModule.getLdapAuthInfo();
>+ }
>+ 
>+// authInfo.addPassword(PW_TAG_CA_LDAP_PUBLISHING, pwd);
>+ if (authInfo != null)
>+ CMS.debug("PublisherAdminServlet: setLDAPDest(): adding password to memory cache");
>+ authInfo.addPassword(prompt, pwd);
>+ 
> try {
>+ CMS.debug("PublisherAdminServlet: setLDAPDest(): restarting publishing processor");
> mProcessor.shutdown();
> mProcessor.startup();
>+ CMS.debug("PublisherAdminServlet: setLDAPDest(): publishing processor restarted");
> } catch (Exception ex) {
> // force to save the config even there is error
> // ignore any exception
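Review bot: The null guard `if (authInfo != null)` in setLDAPDest protects only the CMS.debug statement that follows it; `authInfo.addPassword(prompt, pwd);` is outside the (unbraced) if and runs unconditionally, so the exact case the guard exists for — a null `authInfo` from `connModule.getLdapAuthInfo()` — ends in a NullPointerException before the processor restart. The testSetLDAPDest hunk below braces the same construct correctly; this one should read `if (authInfo != null) { CMS.debug("PublisherAdminServlet: setLDAPDest(): adding password to memory cache"); authInfo.addPassword(prompt, pwd); }`. Separately, the value written to disk with `pwdStore.putPassword(prompt, req.getParameter(Constants.PR_BIND_PASSWD))` and the value cached with `authInfo.addPassword(prompt, pwd)` come from different expressions; unless `pwd` is known to be that same request parameter (its assignment is outside the hunk), the password file and the in-memory cache can diverge, and using `pwd` in both places would remove the doubt. setLDAPDest's body starts before this hunk and continues past it.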
>@@ -756,12 +784,36 @@
> if (ldapcfg.getBoolean(IPublisherProcessor.PROP_ENABLE) &&
> pwd != null) {
> 
>- /* Do a "PUT" of the new pw to the watchdog" */
>+ /* Do a "PUT" of the new pw to the watchdog"
>+ ** do not remove - cfu
> CMS.putPasswordCache(PW_TAG_CA_LDAP_PUBLISHING, pwd);
>- // what a hack to do this without require restart server
>- ILdapAuthInfo authInfo = CMS.getLdapAuthInfo();
>+ */
> 
>- authInfo.addPassword(PW_TAG_CA_LDAP_PUBLISHING, pwd);
>+ // support publishing dirsrv with different pwd than internaldb
>+ // update passwordFile
>+ String prompt = ldap.getString(Constants.PR_BINDPWD_PROMPT);
>+ IPasswordStore pwdStore = CMS.getPasswordStore();
>+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): saving password for "+
>+ prompt + " to password file");
>+ pwdStore.putPassword(prompt, pwd);
>+ pwdStore.commit();
>+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): password saved");
>+ 
>+ // what a hack to do this without require restart server
>+// ILdapAuthInfo authInfo = CMS.getLdapAuthInfo();
>+ ILdapConnModule connModule = mProcessor.getLdapConnModule();
>+ ILdapAuthInfo authInfo = null;
>+ if (connModule != null) {
>+ authInfo = connModule.getLdapAuthInfo();
>+ } else
>+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): connModule null");
>+ 
>+// authInfo.addPassword(PW_TAG_CA_LDAP_PUBLISHING, pwd);
>+ if (authInfo != null) {
>+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): adding password to memory cache");
>+ authInfo.addPassword(prompt, pwd);
>+ } else
>+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): authInfo null");
> }
> //params.add(Constants.PR_SAVE_OK,
> // "\n \nConfiguration changes are now committed.");
>Index: src/com/netscape/certsrv/ldap/ILdapConnModule.java
>===================================================================
>--- src/com/netscape/certsrv/ldap/ILdapConnModule.java (revision 51)
>+++ src/com/netscape/certsrv/ldap/ILdapConnModule.java (working copy)
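Review bot: Both `} else` arms added in testSetLDAPDest are unbraced after braced if-bodies, the same mixed shape that produced the missing-brace defect in the setLDAPDest hunk above; brace them, e.g. `} else { CMS.debug("PublisherAdminServlet: testSetLDAPDest(): authInfo null"); }`. It is also worth confirming that a test operation is meant to persist the submitted bind password with `pwdStore.putPassword(prompt, pwd); pwdStore.commit();` — the removed code only placed it in the watchdog cache, and whether the bind has been verified by the time this block runs is not visible in the hunk, so a failed test may now leave an unverified password in the password file. The enclosing method starts outside the hunk.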
>@@ -56,5 +56,7 @@
> */
> 
> public ILdapConnFactory getLdapConnFactory();
>+ 
>+ public ILdapAuthInfo getLdapAuthInfo();
> }
> 
>Index: src/com/netscape/cmscore/ldap/LdapConnModule.java
>===================================================================
>--- src/com/netscape/cmscore/ldap/LdapConnModule.java (revision 51)
>+++ src/com/netscape/cmscore/ldap/LdapConnModule.java (working copy)
>@@ -44,6 +44,7 @@
> public class LdapConnModule implements ILdapConnModule {
> protected IConfigStore mConfig = null;
> protected LdapBoundConnFactory mLdapConnFactory = null;
>+ protected LdapAuthInfo mLdapAuthInfo = null;
> protected ILogger mLogger = CMS.getLogger();
> private boolean mInited = false;
> 
>@@ -66,15 +67,42 @@
> public void init(ISubsystem p,
> IConfigStore config)
> throws EBaseException {
>- if (mInited)
>+ 
>+ CMS.debug("LdapConnModule: init called");
>+ if (mInited) {
>+ CMS.debug("LdapConnModule: already initialized. return.");
> return;
>+ }
>+ CMS.debug("LdapConnModule: init begins");
> 
> mPubProcessor = p;
> mConfig = config;
>+ /*
> mLdapConnFactory = new LdapBoundConnFactory();
> mLdapConnFactory.init(mConfig.getSubStore("ldap"));
>+ */
>+ // support publishing dirsrv with different pwd than internaldb
>+ IConfigStore ldap = mConfig.getSubStore("ldap");
>+ 
>+ IConfigStore ldapconn = ldap.getSubStore(
>+ ILdapBoundConnFactory.PROP_LDAPCONNINFO);
>+ IConfigStore authinfo = ldap.getSubStore(
>+ ILdapBoundConnFactory.PROP_LDAPAUTHINFO);
>+ ILdapConnInfo connInfo =
>+ CMS.getLdapConnInfo(ldapconn);
>+ LdapAuthInfo authInfo =
>+ new LdapAuthInfo(authinfo, ldapconn.getString("host"),
>+ ldapconn.getInteger("port"), false);
>+ 
>+ int minConns = mConfig.getInteger(ILdapBoundConnFactory.PROP_MINCONNS, 3);
>+ int maxConns = mConfig.getInteger(ILdapBoundConnFactory.PROP_MAXCONNS, 15);
>+ // must get authInfo from the config, don't default to internaldb!!!
>+ mLdapConnFactory =
>+ new LdapBoundConnFactory(minConns, maxConns, (LdapConnInfo)connInfo, authInfo);
>+ 
> mInited = true;
> 
>+ CMS.debug("LdapConnModule: init ends");
> }
> 
> /**
>@@ -94,6 +122,10 @@
> return mLdapConnFactory;
> }
> 
>+ public ILdapAuthInfo getLdapAuthInfo() {
>+ return mLdapAuthInfo;
>+ }
>+ 
> public LDAPConnection getConn() throws ELdapException {
> return mLdapConnFactory.getConn();
> }
>Index: src/com/netscape/cmscore/ldap/PublisherProcessor.java
>===================================================================
>--- src/com/netscape/cmscore/ldap/PublisherProcessor.java (revision 51)
>+++ src/com/netscape/cmscore/ldap/PublisherProcessor.java (working copy)
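Review bot: The new `mLdapAuthInfo` field is never assigned — init() builds a local `authInfo`, hands it to the LdapBoundConnFactory constructor and drops the reference — so the `getLdapAuthInfo()` added in the following hunk always returns null, and the in-memory password update in the two PublisherAdminServlet hunks can never reach the live LdapAuthInfo (in setLDAPDest it instead trips the unguarded addPassword call). Adding `mLdapAuthInfo = authInfo;` right after the `new LdapAuthInfo(...)` expression fixes that. Two points to confirm: the `secure` argument to `new LdapAuthInfo(authinfo, ldapconn.getString("host"), ldapconn.getInteger("port"), false)` is hard-coded, and LdapAuthInfo.init passes that flag to `authInfoOK(host, port, secure, ...)`, so the bind-password verification would presumably be attempted without TLS even when the publishing directory is configured for LDAPS — the connection's secure setting presumably lives in `ldapconn` and should be passed through. Likewise `PROP_MINCONNS`/`PROP_MAXCONNS` are now read from `mConfig` while the replaced code gave the factory the `ldap` sub-store, so the pool sizes may be read from the wrong config level and silently fall back to the defaults of 3 and 15.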
>@@ -1021,8 +1021,10 @@
> boolean error = false;
> String errorRule = "";
> 
>+ CMS.debug("PublisherProcessor: publishCert() begins");
> if (!enabled())
> return;
>+ CMS.debug("PublisherProcessor: publishCert() enabled.");
> 
> // get mapper and publisher for cert type.
> Enumeration rules = getRules("certs", req);
>@@ -1035,7 +1037,7 @@
> LdapRule rule = (LdapRule) rules.nextElement();
> 
> try {
>- log(ILogger.LL_INFO,
>+ CMS.debug(
> "publish certificate (with request) type=" +
> "certs" + " rule=" + rule.getInstanceName() +
> " publisher=" + rule.getPublisher());
>@@ -1047,7 +1049,7 @@
> m = getActiveMapperInstance(mapperName);
> }
> publishNow(m, p, req, cert);
>- log(ILogger.LL_INFO, "published certificate using rule=" +
>+ CMS.debug("published certificate using rule=" +
> rule.getInstanceName());
> } catch (Exception e) {
> // continue publishing even publisher has errors
>@@ -1283,11 +1285,13 @@
> 
> private void publishNow(ILdapMapper mapper, ILdapPublisher publisher,
> IRequest r, Object obj) throws ELdapException {
>+ CMS.debug("PublisherProcessor: in publishNow()");
> if (!enabled())
> return;
> LDAPConnection conn = null;
> 
> try {
>+ CMS.debug("PublisherProcessor: publishNow(): about to call publisher.publish()");
> String dirdn = null;
> 
> if (mapper != null) {
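Review bot: Replacing `log(ILogger.LL_INFO, ...)` with `CMS.debug(...)` in the -1035 and -1047 hunks here, and in the -1307 hunk on the next line, demotes certificate-publication events from the system log to debug output, so operators lose the record of which certificate was published under which rule and publisher unless debug logging is switched on; these are exactly the events an incident review of a publishing directory would look for. If the goal is only to add tracing, keep the three `log(ILogger.LL_INFO, ...)` calls as they were and add the CMS.debug lines beside them. The `CMS.debug("PublisherProcessor: publishNow(): about to call publisher.publish()")` added at the top of publishNow's try block is emitted before the `if (mapper != null)` block that follows and repeats, word for word, the message added directly before the real `publisher.publish(conn, dirdn, cert)` call in the -1307 hunk; the first one should describe the mapping step or be dropped. publishNow's body continues past this hunk.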
>@@ -1307,12 +1311,13 @@
> X509Certificate cert = (X509Certificate) obj;
> 
> try {
>+ CMS.debug("PublisherProcessor: publishNow(): about to call publisher.publish()");
> publisher.publish(conn, dirdn, cert);
> } catch (Throwable e1) {
> CMS.debug("Error publishing: publisher=" + publisher + " error=" + e1.toString());
> throw e1;
> }
>- log(ILogger.LL_INFO, "published certificate serial number: 0x" +
>+ CMS.debug("published certificate serial number: 0x" +
> cert.getSerialNumber().toString(16));
> } catch (ELdapException e) {
> throw e;
>Index: src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java
>===================================================================
>--- src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java (revision 51)
>+++ src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java (working copy)
>@@ -29,6 +29,7 @@
> import com.netscape.certsrv.base.*;
> import com.netscape.certsrv.ldap.*;
> import com.netscape.cmscore.base.*;
>+import com.netscape.cmsutil.password.*;
> 
> 
> /**
>@@ -82,9 +83,14 @@
> */
> public void init(IConfigStore config, String host, int port, boolean secure)
> throws EBaseException {
>- if (mInited)
>- return; // XXX throw exception here ?
> 
>+ CMS.debug("LdapAuthInfo: init()");
>+ if (mInited) {
>+ CMS.debug("LdapAuthInfo: already initialized");
>+ return; // XXX throw exception here ?
>+ }
>+ CMS.debug("LdapAuthInfo: init begins");
>+ 
> String authTypeStr = config.getString(PROP_LDAPAUTHTYPE);
> 
> if (authTypeStr.equals(LDAP_BASICAUTH_STR)) {
>@@ -101,25 +107,48 @@
> 
> if (prompt == null) {
> prompt = "LDAP Authentication";
>- }
>+ CMS.debug("LdapAuthInfo: init: prompt is null, change to "+prompt);
>+ } else
>+ CMS.debug("LdapAuthInfo: init: prompt is "+prompt);
>+ 
>+/* in init(), there should not have been passwords in memory
> if (mParms[1] == null) {
> mParms[1] = (String) passwords.get(prompt);
> }
>+*/
> 
> // Finally, interactively obtain the password from the user
> if (mParms[1] == null) {
>+ CMS.debug("LdapAuthInfo: init: try to get it from password file");
>+/* hey - should use password store interface to allow different implementations
> IConfigStore mainConfig = CMS.getConfigStore();
> String pwdFile = mainConfig.getString("passwordFile");
> FileConfigStore pstore = new FileConfigStore(pwdFile);
> mParms[1] = pstore.getString("internaldb");
>+*/
>+//cfu
>+ IPasswordStore pwdStore = CMS.getPasswordStore();
> 
>+// mParms[1] = pstore.getString(prompt);
>+ 
>+ // support publishing dirsrv with different pwd than internaldb
>+ mParms[1] = pwdStore.getPassword(prompt);
>+ if ( mParms[1] == null) {
>+ CMS.debug("LdapAuthInfo: password for "+prompt+
>+ " not found, trying internaldb");
>+ mParms[1] = pwdStore.getPassword("internaldb"); // last resort
>+ }
>+ 
> // verify the password
> if ((!mParms[1].equals("")) && (host == null ||
> authInfoOK(host, port, secure, mParms[0], mParms[1]))) {
> // The password is OK or uncheckable
>+ CMS.debug("LdapAuthInfo: password ok: store in memory cache");
> passwords.put(prompt, mParms[1]);
> } else {
>+/* what do you know? Our IPasswordStore does not have a remove function.
> pstore.remove("internaldb");
>+*/
> }
> }
> } else if (authTypeStr.equals(LDAP_SSLCLIENTAUTH_STR)) {
>@@ -131,6 +160,7 @@
> "Unknown Ldap authentication type " + authTypeStr);
> }
> mInited = true;
>+ CMS.debug("LdapAuthInfo: init ends");
> }
> 
> public void reset() {
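Review bot: `mParms[1]` can still be null when control reaches `if ((!mParms[1].equals("")) && ...` — the hunk itself treats a null return from `pwdStore.getPassword(prompt)` as possible, and the result of the fallback `pwdStore.getPassword("internaldb")` is never checked — so a password file with neither entry now fails with a NullPointerException instead of a meaningful error; the condition should begin `mParms[1] != null && !mParms[1].equals("") && ...`, or init should fail explicitly with the EBaseException it already declares when no password is found. The fallback also means that whenever the prompt-specific entry is missing, the publishing directory is bound with the internal database credential, which is the coupling the LdapConnModule change ("don't default to internaldb") sets out to remove; if the fallback is kept for compatibility, the debug line should say plainly that the internaldb password is being reused for an external directory, and failing instead is worth considering. With `pstore.remove("internaldb")` commented out, the else branch of the verification check is empty, so a password that failed `authInfoOK` stays in `mParms[1]` (presumably used for later binds) without any log line; at minimum add `CMS.debug("LdapAuthInfo: password for " + prompt + " failed verification");` there. init starts in the previous hunk and its body continues past this one.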