[Fedora-directory-devel] Please Review: (247283) Multiple problems with CGIs used by Admin Server Console
Nathan Kinder
nkinder at redhat.com
Fri Jul 6 17:14:43 UTC 2007
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=247283
Resolves: bug 247283
Bug Description: While working on getting the Admin Server Console
to work with the new Admin Server, I ran into multiple problems
with various CGIs that the Console calls. I'll detail each of
the issues below.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The ReadLog CGI was changed to eliminate the
possibility of the caller
passing in the path to the log files. To get the path to the log
file, the CGI was
concatenating the logdir with the value of the configuration parameter
that says
where the requested log type is. The problem is that the config
parameters use
an absolute path, not just the file name. This was resulting in the
logdir
being listed twice, which is obviously wrong. In addition to the
logdir being
listed twice, the config parameter for the error log had the log file name
listed as "errors" instead of "error". This would cause the CGI to
not find the
logfile. The solution for these issues is to just use the config
value directly
without prepending the logdir, as well as fixing the logfile name for
the error log.
The config CGI is used to read and write Admin Server configuration
parameters.
This CGI was setting overriding the user DN and password with the sie
DN and
password. These is no need to use the sie DN, and doing so was
causing this CGI
to fail to read and set the config values. The solution is to just
use the
passed in user DN and password.
The sec-activate CGI is used to enable SSL for the Admin Server. When
using the
Console, I found that I could check the enable SSL checkbox, then
uncheck it and
click on save. This would call sec-activate to save the changes,
which would
result in an error about the cipher family setting not being present.
We should
only require a cipher family setting if we are turning SSL on. The
solution is
to first check if the setting being saved have SSL off, and only
require the
cipher family settings if SSL is set to on.
The last issue isn't actually a CGI issue, but instead is an issue in
mod_admserv when the "admin-serv/authenticate" URI is called. This URI is
supposed to return the user and group directory connection information
to the
caller. The problem is that the user and group directory info is set
at Admin
Server startup time. The Admin Server doesn't have the ability to
authenticate
to LDAP at startup since it has no credentials, so it always ends up
setting the
user and group directory to point to the config directory (it uses
"o=netscaperoot" as the base). This causes the users and groups tab
in Console
to search the wrong tree in the directory. The solution is to not set
the user
& group directory info at startup, but instead delay it until the
first time
that it is needed during an authentication. We can then pass that
authentication info through to get a valid LDAP handle which will
allow us to
search for the real user and group information.
Platforms tested: FC6
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=158674&action=diff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-devel/attachments/20070706/0750694d/attachment.bin>
More information about the Fedora-directory-devel
mailing list