[Fedora-directory-commits] adminserver/admserv/newinst/src ASDialogs.pm.in, 1.3, 1.4 AdminServer.pm.in, 1.1, 1.2 AdminUtil.pm.in, 1.2, 1.3 ConfigDSDialogs.pm, 1.3, 1.4 setup-ds-admin.pl.in, 1.3, 1.4 setup-ds-admin.res.in, 1.3, 1.4

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Wed Jun 20 16:35:05 UTC 2007


Author: rmeggins

Update of /cvs/dirsec/adminserver/admserv/newinst/src
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv22394/adminserver/admserv/newinst/src

Modified Files:
	ASDialogs.pm.in AdminServer.pm.in AdminUtil.pm.in 
	ConfigDSDialogs.pm setup-ds-admin.pl.in setup-ds-admin.res.in 
Log Message:
Resolves: bug 237356
Bug Description: Move DS Admin Code into Admin Server - support cacert for configds, fix permissions.
Reviewed by: nkinder (Thanks!)
Fix Description: If the Config DS is set up to use TLS/SSL, we should allow the admin to setup a new admin server to use TLS/SSL with the Config DS.  The user may supply either a cacert file in ascii/pem format, or just set the CACertificate param in the .inf file to the actual ascii value.  This latter option allows you to have a single .inf file that you can carry around to all of your servers that you want to set up, instead of having to have an additional file for the cacert.
However, it only works for the initial setup.  It should probably detect if the cacert already exists and just use it if so.
File permissions need to be set correctly.  The code that deals with file and directory creation should ensure that permissions are set properly.  This mostly applies to the configdir, so that the config files needed to be read and written by the admin server have the correct permissions and ownership.
Also fixed a minor bug in changing the admin server port, and one in detecting whether there is an existing config ds to use.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no



Index: ASDialogs.pm.in
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/ASDialogs.pm.in,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- ASDialogs.pm.in	19 Jun 2007 18:32:28 -0000	1.3
+++ ASDialogs.pm.in	20 Jun 2007 16:35:02 -0000	1.4
@@ -75,6 +75,7 @@
         my $port = $self->{manager}->{inf}->{admin}->{Port};
         if (!defined($port)) {
             $port = @admservport@;
+            $self->{manager}->{setup}->{asorigport} = $port;
         }
         if (!$self->{manager}->{setup}->{reconfigas}) {
             if (!portAvailable($port)) {
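Review bot: `asorigport` is recorded only in the branch where Port is absent from the inf, so when the inf does supply a Port nothing in this hunk records the port in effect before the change. The AdminServer.pm.in hunk in this commit removes the `$origport &&` guard and compares `$port != $origport` unconditionally, which under `use warnings` emits an uninitialized-value warning and is true for any non-zero port when `$origport` is unset, so the port-change argument would always be appended; whether the defined-Port path sets `asorigport` somewhere else is not visible here. If it does not, record the pre-change value in both paths rather than only in the default case, and keep a `defined($origport)` test in AdminServer.pm.in so an unset value is reported instead of silently forcing a port change. The enclosing sub starts and ends outside this hunk.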


Index: AdminServer.pm.in
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/AdminServer.pm.in,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- AdminServer.pm.in	19 Jun 2007 18:32:28 -0000	1.1
+++ AdminServer.pm.in	20 Jun 2007 16:35:02 -0000	1.2
@@ -156,6 +156,36 @@
         return 0;
     }
 
+    # chown and chmod other files appropriately
+    for (glob("$configdir/*")) {
+        # these are owned by root
+        next if (/httpd.conf$/);
+        next if (/nss.conf$/);
+        next if (/admserv.conf$/);
+        # these should have been handled above
+        next if (/adm.conf$/);
+        next if (/admpw$/);
+        next if (/local.conf$/);
+        next if (! -f $_); # should never happen
+        # all other files should be owned by SysUser
+        $! = 0; # clear errno
+        chown $uid, -1, $_;
+        if ($!) {
+            $setup->msg($FATAL, 'error_chowning_file', $_,
+                        $setup->{inf}->{admin}->{SysUser}, $!);
+            return 0;
+        }
+        # the files should be writable
+        $! = 0; # clear errno
+        my ($ignore, $ignore, $mode, @rest) = stat $_;
+        $mode &= 0700; # disallow access to non-owner
+        chmod $mode, $_;
+        if ($!) {
+            $setup->msg($FATAL, 'error_chmoding_file', $_, $!);
+            return 0;
+        }
+    }
+
     return 1;
 }
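Review bot: `-f $_` at `next if (! -f $_)` is true for a symlink that points at a regular file, and `chown`/`chmod` follow symlinks, so a symlink planted in `$configdir` would have its target re-owned to SysUser and its mode rewritten by this (presumably root-run) loop; skip links with `next if (-l $_);` before the `-f` test. `my ($ignore, $ignore, $mode, @rest) = stat $_;` declares `$ignore` twice in one `my` (a "masks earlier declaration" warning) where `(stat $_)[2]` suffices, and both `chown` and `chmod` report failure through their return value, which is more reliable than clearing and re-testing `$!`. The comment `# the files should be writable` does not match `$mode &= 0700`, which only strips group/other bits and grants nothing. The enclosing sub starts before this hunk.
```perl
    # chown and chmod other files appropriately
    for (glob("$configdir/*")) {
        # … unchanged: skip root-owned files and those handled above …
        next if (-l $_);   # never follow a symlink out of $configdir
        next if (! -f $_); # should never happen
        # all other files should be owned by SysUser
        if (!chown($uid, -1, $_)) {
            $setup->msg($FATAL, 'error_chowning_file', $_,
                        $setup->{inf}->{admin}->{SysUser}, $!);
            return 0;
        }
        # keep the owner bits only; group and other lose all access
        my $mode = (stat $_)[2] & 0700;
        if (!chmod($mode, $_)) {
            $setup->msg($FATAL, 'error_chmoding_file', $_, $!);
            return 0;
        }
    }
```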
 
@@ -270,7 +300,7 @@
     my $user = $admConf->{sysuser};
 
     my $cmd = "@cgibindir@/config op=set configuration.nsSuiteSpotUser=\"$user\"";
-    if ($origport && ($port != $origport)) {
+    if ($port != $origport) { # need to change the port number
         $cmd .= " configuration.nsServerPort=\"$port\"";
     }
     if ($serverAddress) {


Index: AdminUtil.pm.in
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/AdminUtil.pm.in,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- AdminUtil.pm.in	19 Jun 2007 18:32:28 -0000	1.2
+++ AdminUtil.pm.in	20 Jun 2007 16:35:02 -0000	1.3
@@ -39,8 +39,10 @@
 package AdminUtil;
 require Exporter;
 @ISA       = qw(Exporter);
- at EXPORT    = qw(getAdmConf getConfigDSConn createConfigDS updateAdmConf updateAdmpw updateLocalConf);
- at EXPORT_OK = qw(getAdmConf getConfigDSConn createConfigDS updateAdmConf updateAdmpw updateLocalConf);
+ at EXPORT    = qw(getAdmConf getConfigDSConn createConfigDS updateAdmConf
+                updateAdmpw updateLocalConf importCACert);
+ at EXPORT_OK = qw(getAdmConf getConfigDSConn createConfigDS updateAdmConf
+                updateAdmpw updateLocalConf importCACert);
 
 # load perldap
 use Mozilla::LDAP::Conn;
@@ -166,7 +168,7 @@
     # first try anon bind
     # 3 is LDAPv3 - 1 means use nspr
     my $conn = new Mozilla::LDAP::Conn($h->{host}, $h->{port}, "", "",
-                                       $certdir, 0, 3, 1);
+                                       $certdir);
 
     my $errstr = "Success";
     if ($conn) {
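Review bot: The comment `# 3 is LDAPv3 - 1 means use nspr` two lines above now describes arguments this hunk removes, since the constructor call no longer passes `0, 3, 1`. Whether those values were the constructor's defaults is not visible here; either say so, or replace the comment with `# certdir only: protocol version and nspr use are left to the Conn defaults` so the next reader does not look for arguments that are gone. The enclosing sub starts and ends outside this hunk.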
@@ -393,3 +395,54 @@
 
     return 1;
 }
+
+sub importCACert {
+    my $securitydir = shift;
+    my $cacert = shift; # may be a file or the actual cert in ascii/pem format
+    my @errs = (); # return
+
+    if (! -d $securitydir) {
+        @errs = ('securitydir_not_exist', $securitydir);
+        return @errs;
+    }
+
+    if (! -w $securitydir) {
+        @errs = ('securitydir_not_writable', $securitydir);
+        return @errs;
+    }
+
+    # see if "CA certificate" already exists
+    my $output = `certutil -L -d \"$securitydir\" 2>&1`;
+    if ($output =~ /CA certificate/) {
+        @errs = ('cacert_already_exists', $securitydir);
+        return @errs;
+    }
+
+    if ($cacert =~ /^-----BEGIN CERTIFICATE-----/) {
+        $! = 0;
+        $? = 0; # clear error indicators
+        if (!open(CERTUTIL, "|certutil -A -d \"$securitydir\" -a -t CT,, -n \"CA certificate\"")) {
+            @errs = ("error_running_certutil", $!);
+            return @errs;
+        }
+        print CERTUTIL $cacert, "\n";
+        close(CERTUTIL);
+        if ($?) {
+            @errs = ('error_return_certutil', $?, $!);
+            return @errs;
+        }
+    } elsif (! -f $cacert) {
+        @errs = ('cacertfile_not_found', $cacert);
+        return @errs;
+    } else {
+        $! = 0;
+        $? = 0; # clear error indicators
+        $output = `certutil -A -d \"$securitydir\" -a -t CT,, -n \"CA certificate\" -i \"$cacert\" 2>&1`;
+        if ($?) {
+            @errs = ('error_return2_certutil', $?, $!, $output);
+            return @errs;
+        }
+    }
+
+    return @errs;
+}
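Review bot: Both `$securitydir` and `$cacert` are interpolated into shell command strings (the backticks on the `certutil -L` and `certutil -A ... -i` lines and the 2-arg piped `open(CERTUTIL, "|certutil ...")`), so a value containing a double quote, `$` or backtick is parsed by the shell rather than passed to certutil; these values come from the .inf file and the setup dialog, which this commit explicitly allows to be carried between hosts. Use the list forms `open(my $fh, '-|', 'certutil', @args)` and `open(my $fh, '|-', 'certutil', @args)`, which hand the arguments to certutil without a shell and also replace the bareword `CERTUTIL` handle; stderr is then no longer merged into `$output`, so if the `error_return2_certutil` message must keep certutil's diagnostics, capture it with the core IPC::Open3 instead. The `close` return value on the write pipe is also ignored before `$?` is inspected, although `$?` is set by `close` so the check still works.
```perl
sub importCACert {
    my $securitydir = shift;
    my $cacert = shift; # may be a file or the actual cert in ascii/pem format
    my @errs = (); # return
    # … unchanged: -d and -w checks on $securitydir …
    # list-form open: arguments go straight to certutil, no shell parses them
    # (stderr is not merged here; use IPC::Open3 if it must be captured)
    open(my $listfh, '-|', 'certutil', '-L', '-d', $securitydir)
        or return ('error_running_certutil', $!);
    my $output = do { local $/; <$listfh> };
    close($listfh);
    # … unchanged: cacert_already_exists check …
    if ($cacert =~ /^-----BEGIN CERTIFICATE-----/) {
        $! = 0;
        $? = 0; # clear error indicators
        open(my $certfh, '|-', 'certutil', '-A', '-d', $securitydir,
             '-a', '-t', 'CT,,', '-n', 'CA certificate')
            or return ('error_running_certutil', $!);
        print {$certfh} $cacert, "\n";
        close($certfh);
        # … unchanged: $? check …
    } elsif (! -f $cacert) {
        # … unchanged: cacertfile_not_found …
    } else {
        $! = 0;
        $? = 0; # clear error indicators
        open(my $addfh, '-|', 'certutil', '-A', '-d', $securitydir,
             '-a', '-t', 'CT,,', '-n', 'CA certificate', '-i', $cacert)
            or return ('error_running_certutil', $!);
        $output = do { local $/; <$addfh> };
        close($addfh);
        # … unchanged: $? check …
    }
    return @errs;
}
```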


Index: ConfigDSDialogs.pm
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/ConfigDSDialogs.pm,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- ConfigDSDialogs.pm	19 Jun 2007 23:06:43 -0000	1.3
+++ ConfigDSDialogs.pm	20 Jun 2007 16:35:02 -0000	1.4
@@ -46,6 +46,8 @@
 use Dialog;
 use Util;
 
+use Mozilla::LDAP::API qw(ldap_explode_dn);
+
 sub verifyConfigDSInfo {
     my $self = shift;
     my $url = $self->{manager}->{inf}->{General}->{ConfigDirectoryLdapURL};
@@ -57,7 +59,7 @@
             return ('dialog_configdsinfo_nocacert');
         }
         if (!$self->{manager}->{inf}->{General}->{certdb}) {
-            (@errs) = AdminUtil::importCACert($self->{manager}->{setup}->{configdir},
+            (@errs) = AdminUtil::importCACert($self->{manager}->{setup}->{configdir} . "/admin-serv",
                                               $self->{manager}->{inf}->{General}->{CACertificate});
             if (@errs) {
                 return @errs;
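Review bot: The import now runs inside the verification step, and importCACert (added in this commit) returns `cacert_already_exists` as an error whenever the certdb already holds the "CA certificate" nickname, so the second time verification runs against the same `admin-serv` directory — re-entering the dialog after another field failed, or re-running setup — it fails even though the certificate it needs is already present, unless `certdb` is set after a successful import, which is not visible here. The commit message acknowledges this; treating `cacert_already_exists` as success at this call site (or returning an empty list from importCACert in that case) and reporting only the other errors avoids the dead end. Also `$self->{manager}->{setup}->{configdir} . "/admin-serv"` silently becomes `/admin-serv` when configdir is undefined, and importCACert's `-d` check would then report a misleading path. verifyConfigDSInfo begins before this hunk.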
@@ -116,7 +118,9 @@
             return $admindomain;
         } else { # the CA cert
             my $url = $self->{manager}->{inf}->{General}->{ConfigDirectoryLdapURL};
-            if (($url !~ /^ldaps/) or $self->{manager}->{inf}->{General}->{certdb}) {
+            my $cert = $self->{manager}->{inf}->{General}->{CACertificate};
+            if (($url !~ /^ldaps/) or $self->{manager}->{inf}->{General}->{certdb} or
+                ($cert =~ /^-----BEGIN CERTIFICATE-----/)) {
                 # not using LDAPS, or already have a certdb - hide CA prompt
                 $self->{prompts}->[4]->[2] = 1;
             } else {
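Review bot: `$cert =~ /^-----BEGIN CERTIFICATE-----/` is evaluated precisely in the case where the CA prompt is about to be shown, i.e. when CACertificate is still absent from the inf, and a pattern match against undef emits an uninitialized-value warning under `use warnings` (whether this file enables warnings is not visible here). Guard it: `(defined($cert) and $cert =~ /^-----BEGIN CERTIFICATE-----/)`. The enclosing sub starts and ends outside this hunk.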
@@ -159,7 +163,8 @@
             $self->{manager}->{inf}->{General}->{AdminDomain} = $ans;
             $res = $DialogManager::NEXT;
         } else { # CA cert filename
-            if ($ans && length($ans) && ! -f $ans) {
+            if ($ans && length($ans) &&
+                ($ans !~ /^-----BEGIN CERTIFICATE-----/) && ! -f $ans) {
                 $self->{manager}->alert("dialog_configdsinfo_ca_error", $ans);
             } else {
                 $self->{manager}->{inf}->{General}->{CACertificate} = $ans;
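Review bot: The PEM test `$ans !~ /^-----BEGIN CERTIFICATE-----/` looks only at the first line, so a pasted value that is truncated or lacks its END line is accepted at the prompt and only rejected later by certutil through importCACert's `error_return_certutil`. Checking for the closing line as well, `$ans !~ /^-----BEGIN CERTIFICATE-----.*-----END CERTIFICATE-----/s`, surfaces the problem while the user can still fix it; the same prefix-only test appears in importCACert and in the prompt-hiding hunk above. The enclosing sub starts and ends outside this hunk.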
@@ -192,7 +197,10 @@
         if ($index == 0) { # return undef for password defaults
             $id = $self->{manager}->{inf}->{General}->{ConfigDirectoryAdminID};
             if (!defined($id)) {
-                $id = "admin"
+                $id = "admin";
+            } elsif (isValidDN($id)) { # must be a uid for this dialog
+                my @rdns = ldap_explode_dn($id, 1);
+                $id = $rdns[0];
             }
         }
         return $id;
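Review bot: `ldap_explode_dn($id, 1)` strips the attribute types, so `$rdns[0]` is the leftmost RDN's value whatever its attribute is; a DN such as `cn=Directory Manager` passes `isValidDN` and becomes the bare value `Directory Manager`, although the comment says this dialog needs a uid. Explode with types kept and check the attribute, e.g. `my @rdns = ldap_explode_dn($id, 0);` followed by `$id = $1 if ($rdns[0] =~ /^uid=(.*)$/i);`, leaving `$id` untouched (or reporting it) when the leftmost RDN is not a uid; a multi-valued RDN (`uid=x+cn=y`) is still not handled. Where isValidDN is imported from is not visible in this hunk; the enclosing sub starts and ends outside it.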
@@ -271,15 +279,19 @@
         my $yes = $self->{"manager"}->getText("yes");
         my $nno = $self->{"manager"}->getText("no");
         my $ret = 0;
-        if (!defined($self->{manager}->{inf}->{slapd}->{SlapdConfigForMC}) and
-            !defined($self->{manager}->{inf}->{slapd}->{UseExistingMC})) {
-            $ret = 0; # implicitly create the config ds
-        } elsif (($yes =~ /^$self->{manager}->{inf}->{slapd}->{SlapdConfigForMC}/i) or
-            !$self->{manager}->{inf}->{slapd}->{UseExistingMC}) {
+        if ((defined($self->{manager}->{inf}->{slapd}->{SlapdConfigForMC}) and
+             ($yes =~ /^$self->{manager}->{inf}->{slapd}->{SlapdConfigForMC}/i)) or
+            (defined($self->{manager}->{inf}->{slapd}->{UseExistingMC}) and
+             !$self->{manager}->{inf}->{slapd}->{UseExistingMC})) {
             # we have to set up the directory server as the config ds
             $self->{manager}->{inf}->{slapd}->{SlapdConfigForMC} = "yes";
             $self->{manager}->{inf}->{slapd}->{UseExistingMC} = 0;
             $ret = 0; # explicitly create the config ds
+        } elsif (defined($self->{manager}->{inf}->{General}->{ConfigDirectoryLdapURL})) {
+            $ret = 1; # use an existing config ds and register the servers with that one
+        } elsif (!defined($self->{manager}->{inf}->{slapd}->{SlapdConfigForMC}) and
+                 !defined($self->{manager}->{inf}->{slapd}->{UseExistingMC})) {
+            $ret = 0; # implicitly create the config ds
         } else {
             $ret = 1; # use an existing config ds and register the servers with that one
             if (exists($self->{manager}->{inf}->{slapd}->{SlapdConfigForMC})) {
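Review bot: `$yes =~ /^$self->{manager}->{inf}->{slapd}->{SlapdConfigForMC}/i` interpolates the inf value into the regex unescaped, so a value containing metacharacters (`.`, `*`, `(`) is treated as a pattern and a defined-but-empty value (`SlapdConfigForMC =`) matches `^` and silently selects creating the config DS; the same construct is added to setup-ds-admin.pl.in (`"yes" =~ /^$setup->{inf}->{slapd}->{SlapdConfigForMC}/i`) in this commit. Copy the value out and quote it: `my $mcval = $self->{manager}->{inf}->{slapd}->{SlapdConfigForMC};` and then `(defined($mcval) and length($mcval) and $yes =~ /^\Q$mcval\E/i)`. The enclosing sub starts and ends outside this hunk.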


Index: setup-ds-admin.pl.in
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/setup-ds-admin.pl.in,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- setup-ds-admin.pl.in	19 Jun 2007 18:32:28 -0000	1.3
+++ setup-ds-admin.pl.in	20 Jun 2007 16:35:02 -0000	1.4
@@ -128,14 +128,18 @@
     }
 }
 
-if (!$setup->{inf}->{slapd}->{UseExistingMC} or
-    ($setup->{inf}->{slapd}->{SlapdConfigForMC} =~ /^yes/i)) {
-    if (!$setup->{inf}->{General}->{ConfigDirectoryLdapURL}) {
-        $setup->{inf}->{General}->{ConfigDirectoryLdapURL} = 
-            "ldap://" . $setup->{inf}->{General}->{FullMachineName} .
-            ":" . $setup->{inf}->{slapd}->{ServerPort} .
-            "/o=NetscapeRoot";
-    }
+my $createconfigds;
+if ((defined($setup->{inf}->{slapd}->{SlapdConfigForMC}) and
+     ("yes" =~ /^$setup->{inf}->{slapd}->{SlapdConfigForMC}/i)) or
+    (defined($setup->{inf}->{slapd}->{UseExistingMC}) and
+     !$setup->{inf}->{slapd}->{UseExistingMC})) {
+    # if user has chosen to create the config ds, we must set
+    # the url appropriately, before writing the inf for ds_newinst
+    $setup->{inf}->{General}->{ConfigDirectoryLdapURL} = 
+        "ldap://" . $setup->{inf}->{General}->{FullMachineName} .
+        ":" . $setup->{inf}->{slapd}->{ServerPort} .
+        "/o=NetscapeRoot";
+    $createconfigds = 1;
 }
 
 $setup->{inf}->write();
@@ -149,7 +153,7 @@
 }
 
 # setup directory server instance to be the configuration DS
-if ($setup->{inf}->{slapd}->{SlapdConfigForMC} =~ /yes/i) {
+if ($createconfigds) {
     my @errs = ();
     $setup->msg('create_configds');
     if (!createConfigDS($setup->{inf}, \@errs)) {


Index: setup-ds-admin.res.in
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/setup-ds-admin.res.in,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- setup-ds-admin.res.in	19 Jun 2007 18:32:28 -0000	1.3
+++ setup-ds-admin.res.in	20 Jun 2007 16:35:02 -0000	1.4
@@ -94,6 +94,8 @@
 error_create_adminserver = Failed to create and configure the admin server\n
 error_creating_directory = Could not create admin server directory '%s'.  Error: %s\n
 error_chowning_directory = Could not change ownership of directory '%s' to userid '%s': Error: %s\n
+error_chowning_file = Could not change ownership of file '%s' to userid '%s': Error: %s\n
+error_chmoding_file = Could not change permissions of file '%s': Error: %s\n
 error_chgrping_directory = Could not change group of directory '%s' to group '%s': Error: %s\n
 updating_admconf = Updating adm.conf . . .\n
 error_updating_admconf = Could not update adm.conf.  Error: %s\n
@@ -121,3 +123,11 @@
 registering_dirserver = Registering directory server with the configuration directory server . . .\n
 error_creating_dirserver_maptbl = Could not create the map table for registering the directory server with the configuration directory server.\n
 error_reconfig_adminserver = Could not reconfigure the admin server.\n
+
+securitydir_not_exist = The security file directory '%s' does not exist.\n
+securitydir_not_writable = The security file directory '%s' is not writable.\n
+cacertfile_not_found = The CA certificate file '%s' was not found.\n
+error_running_certutil = Could not run the certutil program to add the CA certificate.  Error: %s\n
+error_return_certutil = The certutil program returned error code '%s' from attempting to add the CA certificate.  Error: %s
+error_return2_certutil = The certutil program returned error code '%s' from attempting to add the CA certificate.  Error: %s\nHere is the output of the command: %s
+cacert_already_exists = The certificate database in '%s' already contains a CA certificate.  Please remove it first, or use the certutil program to add the CA certificate with a different name.\n
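Review bot: `error_return_certutil` and `error_return2_certutil` are the only new messages without a trailing `\n`, unlike every neighbouring `error_*` entry and the other messages added in this hunk, so whatever is printed next will run onto the same line unless the caller appends the newline itself. End both with `%s\n` as the others do.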



