[Pki-devel] [PATCH] 0150 Allow DirAclAuthz to be configured to read alternative entry

Fraser Tweedale ftweedal at redhat.com
Tue Jan 24 04:45:48 UTC 2017


The attached patch (part of the GSS-API effort) allows the DirAclAuthz
configuration to specify a different entry from which to read the ACLs
(the entry is currently hard-coded).

Thanks,
Fraser
-------------- next part --------------
From aadb84720bde84db39c80ea2886b66efdd089111 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 13 Jan 2017 12:25:26 +1000
Subject: [PATCH] Allow DirAclAuthz to be configured to read alternative entry

Add the `searchBase' parameter for DirAclAuthz instances.  If
specified, it prepends the searchBase to the baseDN.  This allows
reusing an existing LDAP connection config (e.g. "internaldb")
whilst changing where the instance loads the ACLs from.

Part of: https://fedorahosted.org/pki/ticket/1359
---
 .../netscape/cms/authorization/DirAclAuthz.java    | 26 +++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
index bcb81f3d0e390545fed2fbf530cf9b57e6bc48ea..3e2a1b36f1b7b8126542afc688a3d3610c7ce630 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
@@ -53,11 +53,20 @@ public class DirAclAuthz extends AAclAuthz
     // members
 
     protected static final String PROP_BASEDN = "basedn";
+    protected static final String PROP_SEARCHBASE = "searchBase";
 
     private ILdapConnFactory mLdapConnFactory = null;
     private String mBaseDN = null;
     private static boolean needsFlush = false;
 
+    /**
+     * If configured, this is an LDAP RDN sequence to be
+     * prepended to the LDAP base DN, as the base of the
+     * search.  If non-null, the search filter also changes
+     * from (cn=aclResources) to (objectclass=CertACLS).
+     */
+    private String searchBase = null;
+
     static {
         mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;" +
                 "LDAP host to connect to");
@@ -106,6 +115,8 @@ public class DirAclAuthz extends AAclAuthz
             throws EBaseException {
         super.init(name, implName, config);
 
+        searchBase = config.getString(PROP_SEARCHBASE, null);
+
         // initialize LDAP connection factory
         IConfigStore ldapConfig = config.getSubStore("ldap");
 
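Review bot: `config.getString(PROP_SEARCHBASE, null)` accepts an empty or blank value, which the later `String.join(",", searchBase, basedn)` turns into a DN with a leading comma, so a misconfiguration only surfaces as a failed search at first ACL load rather than at init. Treating blank as unset here keeps the behaviour predictable: `searchBase = config.getString(PROP_SEARCHBASE, null);` followed by `if (searchBase != null && searchBase.trim().isEmpty()) searchBase = null;` — or reject it with an EBaseException if an explicitly configured but empty value should be an error. `init` continues outside the hunk.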
@@ -134,11 +145,20 @@ public class DirAclAuthz extends AAclAuthz
         // into memory
         LDAPConnection conn = null;
 
-        CMS.debug("DirAclAuthz: about to ldap search aclResources");
+        String basedn = mBaseDN;
+        String filter = "cn=aclResources";
+        if (searchBase != null) {
+            basedn = String.join(",", searchBase, basedn);
+            filter = "objectclass=CertACLs";
+        }
+
+        CMS.debug(
+            "DirAclAuthz: about to ldap search "
+            + basedn + " (" + filter + ")");
         try {
             conn = getConn();
-            LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB,
-                    "cn=aclResources", null, false);
+            LDAPSearchResults res = conn.search(
+                    basedn, LDAPv2.SCOPE_SUB, filter, null, false);
 
             returnConn(conn);
             if (res.hasMoreElements()) {
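Review bot: When `searchBase` is set, the search changes from a specific named entry (`cn=aclResources`) to `objectclass=CertACLs` with `LDAPv2.SCOPE_SUB`, so every entry of that class anywhere beneath `searchBase,mBaseDN` matches, and which one supplies the authorization policy depends on the order the server returns results. The result handling is outside the hunk, but only the first element appears to be consumed via `res.hasMoreElements()`, so the ACL source becomes nondeterministic if the subtree ever holds more than one such entry. If the configured entry is itself meant to hold the ACLs, `LDAPv2.SCOPE_BASE` pins the search to it; otherwise the loop should at least log a warning (or refuse to load) when a second match is returned, since silently picking one of several ACL entries is a hard-to-detect misconfiguration. The enclosing method starts before this hunk.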
-- 
2.9.3


