Red Hat Bugzilla – Attachment 311321 Details for
Bug 446685
LDAP publisher doesn't store the bind password properly
this fix will allow publishing to different ldap server other than internaldb
ldapPublishPwdFix-dogtag.diff2 (text/plain), 15.16 KB, created by
Christina Fu
on 2008-07-08 22:18:58 UTC
Description:
This fix allows publishing to an LDAP server other than the internal DB.
Filename:
MIME Type:
Creator:
Christina Fu
Created:
2008-07-08 22:18:58 UTC
Size:
15.16 KB
patch
obsolete
>Index: src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
>===================================================================
>--- src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java (revision 64)
>+++ src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java (working copy)
>@@ -41,6 +41,7 @@
> import com.netscape.certsrv.ca.*;
> import com.netscape.certsrv.ldap.*;
> import com.netscape.certsrv.publish.*;
>+import com.netscape.cmsutil.password.*;
>
>
> /**
>@@ -499,13 +500,43 @@
>
> commit(true);
>
>- /* Do a "PUT" of the new pw to the watchdog" */
>+ /* Do a "PUT" of the new pw to the watchdog"
>+ ** do not remove - cfu
> if (pwd != null)
> CMS.putPasswordCache(PW_TAG_CA_LDAP_PUBLISHING, pwd);
>+ */
>
>+ // support publishing dirsrv with different pwd than internaldb
>+ // update passwordFile
>+ String prompt = ldap.getString(Constants.PR_BINDPWD_PROMPT);
>+ IPasswordStore pwdStore = CMS.getPasswordStore();
>+ CMS.debug("PublisherAdminServlet: setLDAPDest(): saving password for "+ prompt + " to password file");
>+ pwdStore.putPassword(prompt, pwd);
>+ pwdStore.commit();
>+ CMS.debug("PublisherAdminServlet: setLDAPDest(): password saved");
>+
>+/* we'll shut down and restart the PublisherProcessor instead
>+ // what a hack to do this without require restart server
>+// ILdapAuthInfo authInfo = CMS.getLdapAuthInfo();
>+ ILdapConnModule connModule = mProcessor.getLdapConnModule();
>+ ILdapAuthInfo authInfo = null;
>+ if (connModule != null) {
>+ authInfo = connModule.getLdapAuthInfo();
>+ }
>+
>+// authInfo.addPassword(PW_TAG_CA_LDAP_PUBLISHING, pwd);
>+ if (authInfo != null) {
>+ CMS.debug("PublisherAdminServlet: setLDAPDest(): adding password to memory cache");
>+ authInfo.addPassword(prompt, pwd);
>+ } else
>+ CMS.debug("PublisherAdminServlet: setLDAPDest(): authInfo null");
>+*/
>+
> try {
>+ CMS.debug("PublisherAdminServlet: setLDAPDest(): restarting publishing processor");
> mProcessor.shutdown();
> mProcessor.startup();
>+ CMS.debug("PublisherAdminServlet: setLDAPDest(): publishing processor restarted");
> } catch (Exception ex) {
> // force to save the config even there is error
> // ignore any exception
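Review bot: `pwdStore.putPassword(prompt, pwd)` now runs even when `pwd` is null, because the `if (pwd != null)` guard that protected the old putPasswordCache call was moved inside the comment block, and `CMS.getPasswordStore()` can return null (its CMSEngine hunk returns `mPasswordStore` after a swallowed failure). The key is also not defaulted: LdapAuthInfo.init substitutes "LDAP Authentication" when PR_BINDPWD_PROMPT is unset, so a deployment without that setting would save the password under a null key and read it back under a different one. A guarded write keeps the two sides consistent: `if (prompt == null) prompt = "LDAP Authentication";` followed by `if (pwd != null && pwdStore != null) { pwdStore.putPassword(prompt, pwd); pwdStore.commit(); }`. The same applies to the testSetLDAPDest hunk (@@ -756), where the enclosing `if` already checks `pwd` but not the store or the prompt; in both hunks the large `/* ... */` blocks of superseded code should be deleted rather than kept. setLDAPDest begins above this hunk and its try/catch continues below it.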
>@@ -756,12 +787,37 @@
> if (ldapcfg.getBoolean(IPublisherProcessor.PROP_ENABLE) &&
> pwd != null) {
>
>- /* Do a "PUT" of the new pw to the watchdog" */
>+ /* Do a "PUT" of the new pw to the watchdog"
>+ ** do not remove - cfu
> CMS.putPasswordCache(PW_TAG_CA_LDAP_PUBLISHING, pwd);
>- // what a hack to do this without require restart server
>- ILdapAuthInfo authInfo = CMS.getLdapAuthInfo();
>+ */
>
>- authInfo.addPassword(PW_TAG_CA_LDAP_PUBLISHING, pwd);
>+ // support publishing dirsrv with different pwd than internaldb
>+ // update passwordFile
>+ String prompt = ldap.getString(Constants.PR_BINDPWD_PROMPT);
>+ IPasswordStore pwdStore = CMS.getPasswordStore();
>+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): saving password for "+
>+ prompt + " to password file");
>+ pwdStore.putPassword(prompt, pwd);
>+ pwdStore.commit();
>+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): password saved");
>+/* we'll shut down and restart the PublisherProcessor instead
>+ // what a hack to do this without require restart server
>+// ILdapAuthInfo authInfo = CMS.getLdapAuthInfo();
>+ ILdapConnModule connModule = mProcessor.getLdapConnModule();
>+ ILdapAuthInfo authInfo = null;
>+ if (connModule != null) {
>+ authInfo = connModule.getLdapAuthInfo();
>+ } else
>+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): connModule null");
>+
>+// authInfo.addPassword(PW_TAG_CA_LDAP_PUBLISHING, pwd);
>+ if (authInfo != null) {
>+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): adding password to memory cache");
>+ authInfo.addPassword(prompt, pwd);
>+ } else
>+ CMS.debug("PublisherAdminServlet: testSetLDAPDest(): authInfo null");
>+*/
> }
> //params.add(Constants.PR_SAVE_OK,
> // "\n \nConfiguration changes are now committed.");
>Index: src/com/netscape/cmscore/ldap/LdapConnModule.java
>===================================================================
>--- src/com/netscape/cmscore/ldap/LdapConnModule.java (revision 64)
>+++ src/com/netscape/cmscore/ldap/LdapConnModule.java (working copy)
>@@ -66,15 +66,43 @@
> public void init(ISubsystem p,
> IConfigStore config)
> throws EBaseException {
>- if (mInited)
>- return;
>
>+ CMS.debug("LdapConnModule: init called");
>+ if (mInited) {
>+ CMS.debug("LdapConnModule: already initialized. return.");
>+ return;
>+ }
>+ CMS.debug("LdapConnModule: init begins");
>+
> mPubProcessor = p;
> mConfig = config;
>+ /*
> mLdapConnFactory = new LdapBoundConnFactory();
> mLdapConnFactory.init(mConfig.getSubStore("ldap"));
>+ */
>+
>+ // support publishing dirsrv with different pwd than internaldb
>+ IConfigStore ldap = mConfig.getSubStore("ldap");
>+
>+ IConfigStore ldapconn = ldap.getSubStore(
>+ ILdapBoundConnFactory.PROP_LDAPCONNINFO);
>+ IConfigStore authinfo = ldap.getSubStore(
>+ ILdapBoundConnFactory.PROP_LDAPAUTHINFO);
>+ ILdapConnInfo connInfo =
>+ CMS.getLdapConnInfo(ldapconn);
>+ LdapAuthInfo authInfo =
>+ new LdapAuthInfo(authinfo, ldapconn.getString("host"),
>+ ldapconn.getInteger("port"), false);
>+
>+ int minConns = mConfig.getInteger(ILdapBoundConnFactory.PROP_MINCONNS, 3);
>+ int maxConns = mConfig.getInteger(ILdapBoundConnFactory.PROP_MAXCONNS, 15);
>+ // must get authInfo from the config, don't default to internaldb!!!
>+ mLdapConnFactory =
>+ new LdapBoundConnFactory(minConns, maxConns, (LdapConnInfo)connInfo, authInfo);
>+
> mInited = true;
>
>+ CMS.debug("LdapConnModule: init ends");
> }
>
> /**
>Index: src/com/netscape/cmscore/ldap/PublisherProcessor.java
>===================================================================
>--- src/com/netscape/cmscore/ldap/PublisherProcessor.java (revision 64)
>+++ src/com/netscape/cmscore/ldap/PublisherProcessor.java (working copy)
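Review bot: The new `LdapAuthInfo` is constructed with `secure` hard-coded to `false` (`ldapconn.getInteger("port"), false);`), while the connection info built two lines earlier from the same `ldapconn` substore carries the configured transport; LdapAuthInfo.init passes that flag to `authInfoOK`, so for a publishing directory configured for LDAPS the bind-password check would be attempted over a cleartext connection to the TLS port and either fail or send the bind credentials unprotected. Take the flag from the connection info instead: `ldapconn.getInteger("port"), connInfo.getSecure());`. Separately, `PROP_MINCONNS`/`PROP_MAXCONNS` are now read from `mConfig`, whereas the replaced `mLdapConnFactory.init(mConfig.getSubStore("ldap"))` handed the factory the `ldap` substore; if those keys live under `ldap`, this code silently falls back to the 3/15 defaults, so they should probably be read from `ldap` as well. A one-line comment above the factory construction explaining why the bound factory is now built by hand rather than via `init` would also help, since the commented-out original lines are the only hint.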
>@@ -399,8 +399,10 @@
> }
>
> public void startup() throws EBaseException {
>+ CMS.debug("PublisherProcessor: startup()");
> mLdapConfig = mConfig.getSubStore(PROP_LDAP_PUBLISH_SUBSTORE);
> if (mLdapConfig.getBoolean(PROP_ENABLE, false)) {
>+ CMS.debug("PublisherProcessor: about to initLdapConn");
> initLdapConn(mLdapConfig);
> } else {
> CMS.debug("No LdapPublishing enabled");
>Index: src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java
>===================================================================
>--- src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java (revision 64)
>+++ src/com/netscape/cmscore/ldapconn/LdapAuthInfo.java (working copy)
>@@ -29,6 +29,7 @@
> import com.netscape.certsrv.base.*;
> import com.netscape.certsrv.ldap.*;
> import com.netscape.cmscore.base.*;
>+import com.netscape.cmsutil.password.*;
>
>
> /**
>@@ -65,6 +66,43 @@
> init(config, host, port, secure);
> }
>
>+ public String getPasswordFromStore (String prompt) {
>+ String pwd = null;
>+ CMS.debug("LdapAuthInfo: getPasswordFromStore: try to get it from password store");
>+
>+// hey - should use password store interface to allow different implementations
>+// but the problem is, other parts of the system just go directly to the file
>+// so calling CMS.getPasswordStore() will give you an outdated one
>+/*
>+ IConfigStore mainConfig = CMS.getConfigStore();
>+ String pwdFile = mainConfig.getString("passwordFile");
>+ FileConfigStore pstore = new FileConfigStore(pwdFile);
>+*/
>+ IPasswordStore pwdStore = CMS.getPasswordStore();
>+ CMS.debug("LdapAuthInfo: getPasswordFromStore: about to get from passwored store: "+prompt);
>+
>+ // support publishing dirsrv with different pwd than internaldb
>+
>+ // Finally, interactively obtain the password from the user
>+ if (pwdStore != null) {
>+ CMS.debug("LdapAuthInfo: getPasswordFromStore: password store available");
>+ pwd = pwdStore.getPassword(prompt);
>+// pwd = pstore.getString(prompt);
>+ if ( pwd == null) {
>+ CMS.debug("LdapAuthInfo: getPasswordFromStore: password for "+prompt+
>+ " not found, trying internaldb");
>+
>+// pwd = pstore.getString("internaldb");
>+
>+ pwd = pwdStore.getPassword("internaldb"); // last resort
>+ } else
>+ CMS.debug("LdapAuthInfo: getPasswordFromStore: password found for prompt in password store");
>+ } else
>+ CMS.debug("LdapAuthInfo: getPasswordFromStore: password store not available: pwdStore is null");
>+
>+ return pwd;
>+ }
>+
> /**
> * initialize this class from the config store.
> */
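Review bot: The fallback `pwd = pwdStore.getPassword("internaldb"); // last resort` hands the internal database's bind password to whatever directory this auth info targets; since the purpose of the change is to publish to a server other than internaldb, a missing publishing password would cause the internal DB credential to be presented to a foreign LDAP server during the bind. The fallback should be dropped, or at most applied only when `prompt` itself names the internal DB, and the missing entry logged so the operator can add it to the password file. The method is public and undocumented; a Javadoc such as `/** Looks up the bind password for {@code prompt} in the password store; returns null when the store is unavailable or has no entry. */` would pin down the null contract that init relies on. The commented-out `FileConfigStore` lines and the `// pwd = pstore...` remnants should be removed rather than kept, and the stale `// Finally, interactively obtain the password from the user` comment no longer describes what follows.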
>@@ -82,12 +120,19 @@
> */
> public void init(IConfigStore config, String host, int port, boolean secure)
> throws EBaseException {
>- if (mInited)
>- return; // XXX throw exception here ?
>
>+ CMS.debug("LdapAuthInfo: init()");
>+ if (mInited) {
>+ CMS.debug("LdapAuthInfo: already initialized");
>+ return; // XXX throw exception here ?
>+ }
>+ CMS.debug("LdapAuthInfo: init begins");
>+
> String authTypeStr = config.getString(PROP_LDAPAUTHTYPE);
>
> if (authTypeStr.equals(LDAP_BASICAUTH_STR)) {
>+ // is the password found in memory?
>+ boolean inMem = false;
> mType = LDAP_AUTHTYPE_BASICAUTH;
> mParms = new String[2];
> mParms[0] = config.getString(PROP_BINDDN);
>@@ -101,27 +146,53 @@
>
> if (prompt == null) {
> prompt = "LDAP Authentication";
>- }
>+ CMS.debug("LdapAuthInfo: init: prompt is null, change to "+prompt);
>+ } else
>+ CMS.debug("LdapAuthInfo: init: prompt is "+prompt);
>+
> if (mParms[1] == null) {
>+ CMS.debug("LdapAuthInfo: init: try getting from memory cache");
> mParms[1] = (String) passwords.get(prompt);
>- }
>+if (mParms[1] != null) {
>+ inMem = true;
>+CMS.debug("LdapAuthInfo: init: got password from memory");
>+} else
>+CMS.debug("LdapAuthInfo: init: password not in memory");
>+ } else
>+CMS.debug("LdapAuthInfo: init: found password from config");
>
>- // Finally, interactively obtain the password from the user
> if (mParms[1] == null) {
>- IConfigStore mainConfig = CMS.getConfigStore();
>- String pwdFile = mainConfig.getString("passwordFile");
>- FileConfigStore pstore = new FileConfigStore(pwdFile);
>- mParms[1] = pstore.getString("internaldb");
>+ mParms[1] = getPasswordFromStore(prompt);
>+ } else {
>+ CMS.debug("LdapAuthInfo: init: password found for prompt.");
>+ }
>
>- // verify the password
>- if ((!mParms[1].equals("")) && (host == null ||
>- authInfoOK(host, port, secure, mParms[0], mParms[1]))) {
>- // The password is OK or uncheckable
>- passwords.put(prompt, mParms[1]);
>- } else {
>- pstore.remove("internaldb");
>+ // verify the password
>+ if ((mParms[1]!= null) && (!mParms[1].equals("")) && (host == null ||
>+ authInfoOK(host, port, secure, mParms[0], mParms[1]))) {
>+ // The password is OK or uncheckable
>+ CMS.debug("LdapAuthInfo: password ok: store in memory cache");
>+ passwords.put(prompt, mParms[1]);
>+ } else {
>+ if (mParms[1] == null)
>+ CMS.debug("LdapAuthInfo: password not found");
>+ else {
>+ CMS.debug("LdapAuthInfo: password does not work");
>+/* what do you know? Our IPasswordStore does not have a remove function.
>+ pstore.remove("internaldb");
>+*/
>+ if (inMem) {
>+ // this is for the case when admin changes pwd
>+ // from console
>+ mParms[1] = getPasswordFromStore(prompt);
>+ if(authInfoOK(host, port, secure, mParms[0], mParms[1])) {
>+ CMS.debug("LdapAuthInfo: password ok: store in memory cache");
>+ passwords.put(prompt, mParms[1]);
>+ }
>+ }
> }
> }
>+
> } else if (authTypeStr.equals(LDAP_SSLCLIENTAUTH_STR)) {
> mType = LDAP_AUTHTYPE_SSLCLIENTAUTH;
> mParms = new String[1];
>@@ -131,6 +202,7 @@
> "Unknown Ldap authentication type " + authTypeStr);
> }
> mInited = true;
>+ CMS.debug("LdapAuthInfo: init ends");
> }
>
> public void reset() {
>Index: src/com/netscape/cmscore/apps/CMSEngine.java
>===================================================================
>--- src/com/netscape/cmscore/apps/CMSEngine.java (revision 64)
>+++ src/com/netscape/cmscore/apps/CMSEngine.java (working copy)
>@@ -211,7 +211,32 @@
> }
>
> public IPasswordStore getPasswordStore() {
>- return mPasswordStore;
>+ // initialize the PasswordReader and PasswordWriter
>+ try {
>+ String pwdPath = mConfig.getString("passwordFile");
>+ if (mPasswordStore == null) {
>+ CMS.debug("CMSEngine: getPasswordStore(): password store not initialized before.");
>+ String pwdClass = mConfig.getString("passwordClass");
>+
>+ if (pwdClass != null) {
>+ try {
>+ mPasswordStore = (IPasswordStore)Class.forName(pwdClass).newInstance();
>+ } catch (Exception e) {
>+ CMS.debug("CMSEngine: getPasswordStore(): password store initialization failure:" + e.toString());
>+ }
>+ }
>+ } else {
>+ CMS.debug("CMSEngine: getPasswordStore(): password store initialized before.");
>+ }
>+
>+ // have to initialize it because other places don't always
>+ mPasswordStore.init(pwdPath);
>+ CMS.debug("CMSEngine: getPasswordStore(): password store initialized.");
>+ } catch (Exception e) {
>+ CMS.debug("CMSEngine: getPasswordStore(): failure:" + e.toString());
>+ }
>+
>+ return mPasswordStore;
> }
>
> /**
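Review bot: In the `inMem` retry, `mParms[1] = getPasswordFromStore(prompt);` can return null (the store may be unavailable or lack the entry), yet the next line passes it straight to `authInfoOK` and, unlike the primary check above, does not honor the `host == null` "uncheckable" case; the retry should mirror that condition: `if (mParms[1] != null && (host == null || authInfoOK(host, port, secure, mParms[0], mParms[1]))) {`. When the retry also fails, nothing visible clears the stale entry in `passwords`, so the next init would appear to repeat the same failing in-memory bind; a `passwords.remove(prompt);` in the failure branch would avoid that. The block also has several lines at column 0 (`if (mParms[1] != null) {` and the adjacent `CMS.debug` calls) that should be indented with their surroundings. init starts in the previous hunk and ends in the following one.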
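Review bot: `mPasswordStore.init(pwdPath);` executes even when the preceding block left `mPasswordStore` null (no `passwordClass` configured, or `Class.forName` failed), so the resulting NullPointerException is swallowed by the outer `catch (Exception e)` and the method returns null to callers such as setLDAPDest that dereference it without a check; guard the call: `if (mPasswordStore != null) { mPasswordStore.init(pwdPath); }`. Re-running `init` on every `getPasswordStore()` call also means concurrent callers re-initialize a shared instance while others may be reading it; whether that is safe depends on the store implementation, which is not visible here, so it deserves either a comment stating the assumption or a lock. The class-loading logic duplicates the one in `init()` (hunk @@ -246); a private helper used by both would keep the two paths from drifting.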
>@@ -246,6 +271,8 @@
> try {
> mPasswordStore = (IPasswordStore)Class.forName(pwdClass).newInstance();
> mPasswordStore.init(pwdPath);
>+ CMS.debug("CMSEngine: init(): password store initialized for "+
>+ pwdClass);
> } catch (Exception e) {
> }
> }