[Fedora-directory-commits] adminserver/admserv/newinst/src AdminServer.pm.in, 1.13, 1.14

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Mon Jul 14 20:00:05 UTC 2008

Author: rmeggins

Update of /cvs/dirsec/adminserver/admserv/newinst/src
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv26918/adminserver/admserv/newinst/src

Modified Files:
Log Message:
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: I changed security to get the security file directory for the directory server from cn=config from that directory server.  Unfortunately, I didn't take into consideration that the CGI might have to use LDAPS to connect.  If you have checked the Use SSL for Console button in the console when configuring that directory server for SSL, the CGIs will attempt to use LDAPS.  In this case, there were several problems:
1) NSS was not initialized - need to use the admin server key/cert db to talk LDAPS to the directory server
2) When I did do the NSS init, it failed because the admin server key/cert db did not exist, and the directory was not writable.
3) I needed to shutdown NSS so that the key/cert db for the directory server itself could be opened in order to get its contents
The consequences of this are that now, when you attempt to use NSS for the first time, if the key/cert databases do not exist, they will be created empty.  If the user sets up the directory server for SSL, and tells the console to use SSL with this directory server, the user will have to install the CA certificate in the admin server key/cert db, so that the console and admin CGIs can talk to that directory server using LDAPS.
I changed all of the admin server CGIs to properly initialize NSS in case they too needed to speak LDAPS for some reason.  I also cleaned up several compiler warnings in the admin server CGIs.
I believe this is also the same problem as https://bugzilla.redhat.com/show_bug.cgi?id=430499
Platforms tested: RHEL5, Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
QA impact: Will need to test various console interactions with SSL with admin server and directory server.
New Tests integrated into TET: none

Index: AdminServer.pm.in
RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/AdminServer.pm.in,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- AdminServer.pm.in	14 Jul 2008 18:43:02 -0000	1.13
+++ AdminServer.pm.in	14 Jul 2008 20:00:03 -0000	1.14
@@ -66,6 +66,15 @@
     my $admConf = getAdmConf($configdir);
     my $uid = getpwnam $admConf->{sysuser};
+    # chown the config directory
+    $! = 0; # clear errno
+    chown $uid, -1, $configdir;
+    if ($!) {
+        $setup->msg($FATAL, 'error_chowning_file', $configdir,
+                    $admConf->{sysuser}, $!);
+        return 0;
+    }
     # chown and chmod other files appropriately
     for (glob("$configdir/*")) {
         # these are owned by root

More information about the Fedora-directory-commits mailing list