[Pki-devel] LDAP profiles progress update (and patch preview)

Fraser Tweedale ftweedal at redhat.com
Tue Jul 15 07:03:47 UTC 2014


Hi all,

Drafts of my first two patches for LDAP profiles are attached.
There are several more patches yet to come, including switching the
ProfileSubsystem from files to LDAP, which is almost complete.

I am not as far along in the implementation as I hoped for this
week, but not too far behind.  My main stumbling blocks last week
were typos and other invalid things in my schema definition, and the
Dogtag SELinux doing the rounds that culminated in a Bugzilla
ticket for selinux-policy-targeted[1] and a blog post[2] about it.

Patch 0004 adds the LDAP schema for profiles, and patch 0005
adds an LDAPConfigStore class that profiles will use to load and save
their configuration to the database.

Feedback is most welcome.

Cheers,

Fraser

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1117673
[2] http://blog-ftweedal.rhcloud.com/2014/07/diagnosing-a-dogtag-selinux-issue/
-------------- next part --------------
>From 693bbdc19a1ee398dc2f8572fb64ab15cba89d92 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 7 Jul 2014 23:35:35 -0400
Subject: [PATCH] add schema for LDAP-based profiles

---
 base/ca/shared/conf/db.ldif     |  9 +++++++++
 base/ca/shared/conf/schema.ldif | 30 ++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/base/ca/shared/conf/db.ldif b/base/ca/shared/conf/db.ldif
index 00fa919b7df38ed97f0bc21b5616a9998845c7d4..b0f36b6d85f70900d0b2c5e0ee92d9fb8c1cb3e8 100644
--- a/base/ca/shared/conf/db.ldif
+++ b/base/ca/shared/conf/db.ldif
@@ -160,4 +160,13 @@ objectClass: top
 objectClass: organizationalUnit
 ou: certificateRepository
 
+dn: ou=certProfiles,{rootSuffix}
+objectClass: top
+objectClass: organizationalUnit
+ou: certProfiles
 
+dn: cn=certProfilesInfo,{rootSuffix}
+objectClass: top
+objectClass: certProfilesInfo
+cn: certProfilesInfo
+certProfilesLastModified: 197001010000Z
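Review bot: the new `ou=certProfiles` subtree and `cn=certProfilesInfo` entry carry no `aci` attribute, so they inherit whatever access control applies at `{rootSuffix}`; since profile configuration determines what the CA will issue and to whom, the hunk (or the CA's ACL setup, if that is where it belongs) should limit write access on these entries to the CA's own bind identity and administrators, and the commit message should say where that control lives. Two smaller points: `cn=certProfilesInfo,{rootSuffix}` uses the `certProfilesInfo` object class that the same patch adds to schema.ldif, so schema.ldif must be applied before this db.ldif is imported; and placing the info entry under `ou=certProfiles` rather than directly under the root suffix would keep all profile data in one subtree, which makes a single ACI cover it.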
diff --git a/base/ca/shared/conf/schema.ldif b/base/ca/shared/conf/schema.ldif
index 70578e21ce4e102909a1b7b45fa84c184a997bdf..4f74869da1e46b39469dd17ddb2517e111300b43 100644
--- a/base/ca/shared/conf/schema.ldif
+++ b/base/ca/shared/conf/schema.ldif
@@ -487,3 +487,33 @@ dn: cn=schema
 changetype: modify
 add: objectClasses
 objectClasses: ( securityDomainSessionEntry-oid NAME 'securityDomainSessionEntry' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ host $ uid $ cmsUserGroup $ dateOfCreate ) X-ORIGIN 'user defined' ) 
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( classId-oid NAME 'classId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( certProfileIsDefault-oid NAME 'certProfileIsDefault' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( certProfileConfig-oid NAME 'certProfileConfig' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( certProfile-oid NAME 'certProfile' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( classId $ certProfileIsDefault $ certProfileConfig ) X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( certProfilesLastModified-oid NAME 'certProfilesLastModified' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( certProfilesInfo-oid NAME 'certProfilesInfo' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY certProfilesLastModified X-ORIGIN 'user defined' )
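Review bot: none of the new attribute types are marked `SINGLE-VALUE`, yet `classId`, `certProfileIsDefault`, `certProfileConfig` and `certProfilesLastModified` are each meant to hold exactly one value, and a consumer that reads the first value of a multi-valued attribute gets an unspecified one if a second value is ever written; add `SINGLE-VALUE` to all four definitions so the directory enforces that invariant. `classId` is also a very generic name to add to the shared `cn=schema`; a prefixed name such as `certProfileClassId` would match the other three attributes and avoid clashes with unrelated schema. The `-oid` placeholder OIDs follow the existing convention in this file, so no change needed there.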
-- 
1.9.3

-------------- next part --------------
>From fc39af6f9d884ec3c1609c5ab249397e8b68a78a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <frase at frase.id.au>
Date: Tue, 15 Jul 2014 02:48:35 -0400
Subject: [PATCH] add LDAPConfigStore class

The LDAPConfigStore class is an IConfigStore that reads and writes
its configuration to a given attribute and DN in an LDAP database.
---
 .../com/netscape/cmscore/base/LDAPConfigStore.java | 114 +++++++++++++++++++++
 1 file changed, 114 insertions(+)
 create mode 100644 base/server/cmscore/src/com/netscape/cmscore/base/LDAPConfigStore.java

diff --git a/base/server/cmscore/src/com/netscape/cmscore/base/LDAPConfigStore.java b/base/server/cmscore/src/com/netscape/cmscore/base/LDAPConfigStore.java
new file mode 100644
index 0000000000000000000000000000000000000000..7d08fe9d3b75ceb954f3bd515eec5076d0af2db9
--- /dev/null
+++ b/base/server/cmscore/src/com/netscape/cmscore/base/LDAPConfigStore.java
@@ -0,0 +1,114 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007, 2014 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cmscore.base;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.io.IOException;
+import java.util.Map;
+
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPModification;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.ldap.ILdapConnFactory;
+import com.netscape.cmsutil.util.Utils;
+
+/**
+ * LDAPConfigStore:
+ * Extends PropConfigStore with methods to load/save from/to file for
+ * persistent storage. This is a configuration store agent who
+ * reads data from an LDAP entry.
+ * <P>
+ *
+ * @version $Revision$, $Date$
+ * @see PropConfigStore
+ */
+public class LDAPConfigStore extends PropConfigStore implements IConfigStore {
+
+    private ILdapConnFactory mDbFactory;
+    private String mDn;
+    private String mAttr;
+
+    /**
+     *
+     */
+    private static final long serialVersionUID = 3642124526598175633L;
+
+    /**
+     * Constructs a file configuration store.
+     * <P>
+     *
+     * @param dbFactory Database connection factory
+     * @param dn Distinguished name of record containing config store
+     * @param attr Name of attribute containing config store
+     *
+     * @exception EBaseException failed to create file configuration
+     */
+    public LDAPConfigStore(ILdapConnFactory dbFactory, String dn, String attr)
+            throws EBaseException {
+        super(null);  // top-level store without a name
+
+        mDbFactory = dbFactory;
+        mDn = dn;
+        mAttr = attr;
+
+        LDAPConnection conn = mDbFactory.getConn();
+
+        String[] attrs = {mAttr};
+        LDAPEntry ldapEntry = conn.read(mDn, attrs);
+        InputStream data = new ByteArrayInputStream( (byte[])
+            ldapEntry.getAttribute(mAttr).getByteValues().nextElement());
+        load(data);
+
+        conn.disconnect();
+    }
+
+    /**
+     * The original config file is copied to
+     * <filename>.<current_time_in_milliseconds>.
+     * Commits the current properties to the configuration file.
+     * <P>
+     *
+     * @param backup
+     */
+    public void commit(boolean createBackup) throws EBaseException {
+        if (createBackup) {
+            // TODO back it up, perhaps to a user-specified attribute,
+            // or `mAttr + "_backup"`.
+        }
+
+        LDAPConnection conn = mDbFactory.getConn();
+
+        ByteArrayOutputStream data = new ByteArrayOutputStream();
+        save(data, null);
+
+        LDAPAttribute ldapAttr = new LDAPAttribute(mAttr, data.toByteArray());
+        LDAPModification ldapMod =
+            new LDAPModification(LDAPModification.REPLACE, ldapAttr);
+        conn.modify(mDn, ldapMod);
+
+        conn.disconnect();
+    }
+}
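Review bot: `netscape.ldap.LDAPException` is a checked exception and `LDAPConnection.read`, `modify` and `disconnect` all declare it, but the constructor and `commit` declare only `EBaseException`, so this file will not compile as shown; wrap the LDAP calls in try/catch and rethrow as `EBaseException` (the same applies to the `IOException` from `load(data)`, which is imported but never handled). Connection handling also leaks: a connection obtained from `ILdapConnFactory.getConn()` should be handed back with `mDbFactory.returnConn(conn)` in a `finally` block rather than closed with `conn.disconnect()`, and on any exception between `getConn()` and `disconnect()` the connection is currently never released. Smaller points: `ldapEntry.getAttribute(mAttr)` returns null when the entry has no such attribute, so an entry without config produces a `NullPointerException` instead of a meaningful `EBaseException`; `commit(true)` silently ignores the backup request at the `TODO`, which callers migrating from the file-based store will not expect; and the Javadoc is copied from the file store (`Constructs a file configuration store`, `load/save from/to file`, `@param backup` for a parameter named `createBackup`) and should describe the DN/attribute behaviour instead.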
-- 
1.9.3
