[Fedora-directory-commits] adminserver/admserv/newinst/src AdminUtil.pm.in, 1.21, 1.22 register-ds-admin.pl.in, 1.4, 1.5 setup-ds-admin.res.in, 1.11, 1.12

Nathan Kinder nkinder at fedoraproject.org
Fri Feb 27 17:34:23 UTC 2009


Author: nkinder

Update of /cvs/dirsec/adminserver/admserv/newinst/src
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30030/admserv/newinst/src

Modified Files:
	AdminUtil.pm.in register-ds-admin.pl.in setup-ds-admin.res.in 
Log Message:
Resolves: bug 486402
Bug Description: Using setup-ds.pl and then registering the instance with
an admin server using register-ds-admin.pl does not add the proper ACI's
to allow admin to manage the instance.
Reviewed by: rmeggins (thanks!)
Files: see diff
Branch: HEAD
Fix Description: Add the appropriate ACIs when running register-ds-admin.pl.
There were a few other issues to deal with in addition to the missing ACIs.

The PTA plug-in was not being configured since the LDIF template that was used
was an entire new PTA plug-in entry, which never gets added since it already
exists.  I changed this to a LDIF mod template.  We also only want to configure
PTA if it is not already configured, or if we are switching the config DS.
This will prevent overwriting any custom tweaks to the PTA plug-in, such as
using LDAPS to communicate with the config DS.

I found another issue during testing with the ldapStart parameter in adm.conf
getting set incorrectly after running register-ds-admin.pl.  This parameter is
supposed to point to the start-slapd script of the config DS, but
register-ds-admin.pl was always changing this to the last instance that it
registered (which will never be the config DS if you have more than one
instance).  We need to ensure that the slapd info in the inf is the config DS
before updating the Admin Server config files.
Platforms tested: F9
Flag Day: no
Doc impact: no



Index: AdminUtil.pm.in
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/AdminUtil.pm.in,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- AdminUtil.pm.in	27 Feb 2009 14:33:27 -0000	1.21
+++ AdminUtil.pm.in	27 Feb 2009 17:34:21 -0000	1.22
@@ -303,15 +303,29 @@
     my $conn = shift;
     my $inf = shift;
     my $errs = shift;
+    my $force_pta = shift;
     my @additionalLdifFiles = @_;
 
     # add the o=NetscapeRoot tree using the mapper and ldif templates
     my @ldiffiles = ('@ldifdir@/12dsconfig.mod.tmpl',
                      '@ldifdir@/13dsschema.mod.tmpl',
-                     '@ldifdir@/14dsmonitor.mod.tmpl',
-                     '@ldifdir@/15dspta.ldif.tmpl'
+                     '@ldifdir@/14dsmonitor.mod.tmpl'
                      );
     push @ldiffiles, @additionalLdifFiles;
+
+    # If PTA is not enabled yet, we need to enable and configure it
+    my $ent = $conn->search("cn=Pass Through Authentication,cn=plugins,cn=config", "base", "(objectclass=*)", 0, 'nsslapd-pluginenabled');
+    my $errstr = $conn->getErrorString();
+    if (!$ent or ($errstr ne "Success")) {
+        $conn->close();
+        @{$errs} = ('error_finding_pta', (($errstr eq "Success") ? 'unknown error' : $errstr));
+        return 0;
+    }
+
+    if (($ent->hasValue("nsslapd-pluginenabled", "off", 1)) || $force_pta == 1) {
+        push @ldiffiles, '@ldifdir@/15dspta.mod.tmpl';
+    }
+    
     my $setupinf = new Inf("@infdir@/setup.inf");
     my $admininf = new Inf("@infdir@/admin.inf");
     my $dsinf = new Inf("@infdir@/slapd.inf");
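Review bot: The PTA decision at `if (($ent->hasValue("nsslapd-pluginenabled", "off", 1)) || $force_pta == 1)` compares numerically against a parameter that is undef for any caller not updated to pass it, which warns under `use warnings` and makes `1` the only accepted true value; `if ($force_pta || $ent->hasValue("nsslapd-pluginenabled", "off", 1))` is the usual form. Inserting `my $force_pta = shift;` ahead of `my @additionalLdifFiles = @_;` also changes the positional interface: a caller outside this diff that still passes LDIF templates directly would have its first template consumed as the flag, so the parameter deserves a comment such as `# $force_pta: re-apply 15dspta.mod.tmpl even if the plug-in is already enabled (config DS changed)`. Detecting a failed search with `$errstr ne "Success"` relies on the exact error text; if the connection object exposes an error code, that is the more robust check. internalCreateSubDS starts before this hunk.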
@@ -339,6 +353,7 @@
 sub createSubDS {
     my $inf = shift;
     my $errs = shift;
+    my $force_pta = shift;
 
     # open a connection to the directory server
     my $conn = new Mozilla::LDAP::Conn($inf->{General}->{FullMachineName},
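Review bot: The new `$force_pta` parameter of createSubDS is undocumented, and since callers may omit it a reader cannot tell from the signature whether that is safe; a comment above `my $force_pta = shift;` such as `# optional; when true the PTA plug-in config is rewritten even if it is already enabled` would settle that. The function continues past this hunk.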
@@ -353,7 +368,7 @@
         return 0;
     }
 
-    return internalCreateSubDS($conn, $inf, $errs, '@ldifdir@/16dssuffixadmin.mod.tmpl');
+    return internalCreateSubDS($conn, $inf, $errs, $force_pta, '@ldifdir@/16dssuffixadmin.mod.tmpl');
 }
 
 # same as createSubDS but works directly on the dse.ldif file itself
@@ -373,7 +388,7 @@
         return 0;
     }
 
-    return internalCreateSubDS($conn, $inf, $errs);
+    return internalCreateSubDS($conn, $inf, $errs, 0);
 }
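Review bot: The dse.ldif path hard-codes the flag at `return internalCreateSubDS($conn, $inf, $errs, 0);`, so a caller switching the config DS through this entry point can never get the PTA plug-in re-pointed, unlike createSubDS which accepts it; `my $force_pta = shift || 0;` at the top of the function and passing `$force_pta` here keeps the two entry points in parity at no cost. Whether a search of `cn=Pass Through Authentication,cn=plugins,cn=config` against the dse.ldif-backed connection returns the entry the way a live search does is not visible here and is worth confirming, since on a miss the new code closes the connection and fails with error_finding_pta. The enclosing function's header and connection setup are above this hunk.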
 
 sub addConfigACIsToSubDS {


Index: register-ds-admin.pl.in
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/register-ds-admin.pl.in,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- register-ds-admin.pl.in	23 Aug 2007 23:51:24 -0000	1.4
+++ register-ds-admin.pl.in	27 Feb 2009 17:34:21 -0000	1.5
@@ -459,13 +459,20 @@
             }
             else
             {
+                # If we're switching the config DS, we want to force updating the
+                # PTA plug-in since it's configured for the old config DS.
+                my $force_pta = 0;
+                if ( $orig_confdsid ne $new_confdsid ) {
+                    $force_pta = 1;
+                }
+
                 $setup->{inf}->{slapd} = $subinf->{slapd};
                 $setup->{inf}->{slapd}->{RootDNPwd} = $passwd;
                 push @{$subinstances{$subconfdir}}, $subinst;
                 $done = 0;
-                while ( !$done && !createSubDS($setup->{inf}, \@errs) )
+                while ( !$done && !createSubDS($setup->{inf}, \@errs, $force_pta) )
                 {
-        $setup->msg($FATAL, @errs);
+                    $setup->msg($FATAL, @errs);
                     $passwd = reg_get_passwd($setup, 'input_rootdn_passwd_sub',
                                                         $subid, $subid);
                     if ( "" eq $passwd || !$passwd )
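Review bot: The retry loop at `while ( !$done && !createSubDS($setup->{inf}, \@errs, $force_pta) )` treats every createSubDS failure as a wrong root DN password and re-prompts, and the newly added `error_finding_pta` failure does not depend on the password, so the user would be asked for it again until they enter an empty one. Checking the error key before re-prompting, e.g. `last if $errs[0] eq 'error_finding_pta';`, lets non-credential failures leave the loop directly. Also `$orig_confdsid ne $new_confdsid` warns if either is undef; presumably both are set earlier in the script, but a `defined` guard would make that explicit. The enclosing loop and branch begin before this hunk.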
@@ -478,6 +485,13 @@
                         $setup->{inf}->{slapd}->{RootDNPwd} = $passwd;
                     }
                 }
+
+                # add the aci that allows the admin user to administer the server
+                @errs = ();
+                if (!addConfigACIsToSubDS($setup->{inf}, \@errs)) {
+                    $setup->msg(@errs);
+                    $setup->doExit(1);
+                }
             }
         }
     }
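Review bot: The ACI failure path at `$setup->msg(@errs); $setup->doExit(1);` prints without the `$FATAL` level that the createSubDS failure a few lines above uses, so the message is presumably emitted at the default level right before the script exits non-zero; `$setup->msg($FATAL, @errs);` keeps the two fatal paths consistent. Since this is the privilege-granting step the bug report is about, the comment should say what is granted, e.g. `# grant the Admin Server's admin user management rights on this instance (bug 486402)`. Exiting here leaves instances registered earlier in the loop without rollback; if that is accepted, the comment should say so.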
@@ -494,9 +508,20 @@
     }
 }
 
-# configure and register the admin server instance
-# need these 3 values for ldapStart
-$setup->{inf}->{slapd}->{ServerIdentifier} = $new_confdsid;
+# Configure and register the admin server instance.
+# Generate a new inf for the config DS and override
+# the old slapd data from the last instance we registered.
+$new_confdir = $setup->{inf}->{slapd}->{config_dir};
+my $newinst = "slapd-$new_confdsid";
+my $inf = createInfFromConfig("$instconfigdir/$newinst", $newinst);
+if ( ! $inf )
+{
+    $setup->msg($FATAL, 'error_create_inf_from_config', "$instconfigdir/$newinst");
+    $setup->doExit(1);
+}
+$setup->{inf}->{slapd} = $inf->{slapd};
+
+# need these manually set these 2 parameters
 $setup->{inf}->{slapd}->{UseExistingMC} = "yes";
 $setup->{inf}->{slapd}->{SlapdConfigForMC} = "yes";
 if ( !$setup->{reconfigas} )
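Review bot: `$new_confdir = $setup->{inf}->{slapd}->{config_dir};` is read before `$setup->{inf}->{slapd}` is replaced with the inf generated from `slapd-$new_confdsid`, so it still holds the config_dir of the last instance registered in the loop — the same stale-instance problem this commit fixes for ldapStart — unless `$new_confdir` is deliberately meant to carry that value. If it is supposed to be the config DS's directory it should be assigned after the replacement, from `$inf->{slapd}->{config_dir}`. Replacing the whole slapd hash also discards anything set on it earlier, such as a RootDNPwd for the config DS; verify whether the admin-server registration after this hunk binds with that value. A file-scope `my $inf` also risks colliding with an earlier file-level `$inf` if one exists; a more specific name such as `$confdsinf` avoids that. The code continues past this hunk.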


Index: setup-ds-admin.res.in
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/setup-ds-admin.res.in,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- setup-ds-admin.res.in	27 Feb 2009 14:33:27 -0000	1.11
+++ setup-ds-admin.res.in	27 Feb 2009 17:34:21 -0000	1.12
@@ -138,3 +138,4 @@
 cacert_already_exists = The certificate database in '%s' already contains a CA certificate.  Please remove it first, or use the certutil program to add the CA certificate with a different name.\n
 error_connection_failed = Error: failed to open an LDAP connection to host '%s' port '%s' as user '%s'.  Error: %s.\n
 registering_dirserver_instances = Registering the directory server instances with the configuration directory server . . .\n
+error_finding_pta = Unable to find Pass Through Authentication Plug-In config entry.  Error: %s.\n



