[Fedora-directory-commits] mod_admserv mod_admserv.c,1.22,1.23

Noriko Hosoi (nhosoi) fedora-directory-commits at redhat.com
Thu May 11 23:53:54 UTC 2006


Author: nhosoi

Update of /cvs/dirsec/mod_admserv
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17826

Modified Files:
	mod_admserv.c 
Log Message:
[161099] admin passwd in clear text in adm.conf
1) In the initialization (mod_admserv_post_config), check if ldap handle is
   set or not in the admin ldap info structure (AdmldapInfo).  If it is not
   set, the Admin Server does not have an admin user password / SIE password,
   and it has not connected to the Directory Server.  In this case, gather
   necessary info from the local cache.
   Also, set the task StartConfigDS in the HashTable for the admin server to
   start Config DS in case the server is down.
2) Where it expects the SIE password (from adm.conf), get it from the PIPE
   that the user provided (if possible).



Index: mod_admserv.c
===================================================================
RCS file: /cvs/dirsec/mod_admserv/mod_admserv.c,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- mod_admserv.c	3 Mar 2006 20:16:38 -0000	1.22
+++ mod_admserv.c	11 May 2006 23:53:52 -0000	1.23
@@ -797,23 +797,33 @@
             return FALSE;
         }
     }
-  
+
     userGroupServer.host   = NULL;
     userGroupServer.port   = 0;
     userGroupServer.secure = 0;
     userGroupServer.baseDN = NULL;
 
-    admldapGetLocalUserDirectory(info, 
-                                 &userGroupLdapURL, 
-                                 &userGroupBindDN, 
-                                 &userGroupBindPW, 
-                                 &dirInfoRef, 
-                                 &error);
-
-    if (error != UG_OP_OK) {
-        *errorInfo = (char*)"unable to set User/Group baseDN";
-        destroyAdmldap(info);
-        return FALSE;
+    if (NULL == admldapGetLDAPHndl(info)) {
+        /* LDAP is not available; gather info from the cache */
+        userGroupLdapURL = admldapGetDirectoryURL(info);
+        userGroupBindDN = admldapGetSIEDN(info);
+        userGroupBindPW = admldapGetSIEPWD(info);
+        if (NULL == userGroupBindPW) {
+            ADM_GetCurrentPassword(&error, &userGroupBindPW);
+        }
+    } else {
+        admldapGetLocalUserDirectory(info, 
+                                     &userGroupLdapURL, 
+                                     &userGroupBindDN, 
+                                     &userGroupBindPW, 
+                                     &dirInfoRef, 
+                                     &error);
+    
+        if (error != UG_OP_OK) {
+            *errorInfo = (char*)"unable to set User/Group baseDN";
+            destroyAdmldap(info);
+            return FALSE;
+        }
     }
    
     if (!extractLdapServerData(&userGroupServer, userGroupLdapURL, s)) {
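Review bot: In the new cache branch the status that ADM_GetCurrentPassword() writes into `error` is never examined, and userGroupLdapURL, userGroupBindDN and userGroupBindPW may all still be NULL when control reaches extractLdapServerData() — only the LDAP branch validates `error` before falling through. I would add the same guard after the cache lookups, e.g. `if (error != UG_OP_OK || NULL == userGroupLdapURL || NULL == userGroupBindDN) { *errorInfo = (char*)"unable to set User/Group baseDN from cache"; destroyAdmldap(info); return FALSE; }`. Whether ADM_GetCurrentPassword() reports through the same UG_OP_* codes is not visible in this hunk, so that comparison may need its own status check. The enclosing function starts and ends outside the hunk.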
@@ -1016,6 +1026,8 @@
     PsetHndl tmp;
     int servercnt, i;
     char path[PATH_MAX];
+    UserCacheEntry *cache_entry = NULL;
+    char *passwd = NULL;
 
     apr_snprintf(path, sizeof(path), "%s%cadmin-serv%cconfig",
                  serverroot, FILE_PATHSEP, FILE_PATHSEP);
@@ -1034,6 +1046,15 @@
 
     task_register_server(ADMIN_SERVER_ID, admldapGetSIEDN(ldapInfo));
 
+    passwd = admldapGetSIEPWD(ldapInfo);
+    if (NULL == passwd) { /* use the passwd in cache if possible */
+        cache_entry = (UserCacheEntry*)HashTableFind(auth_users,
+                                              admldapGetUserDN(ldapInfo, NULL));
+        if (cache_entry) {
+            admSetCachedSIEPWD(cache_entry->userPW);
+        }
+    }
+
     serverlist = getServerDNListSSL(ldapInfo);
     servercnt=0;
     if (serverlist) {
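Review bot: admldapGetUserDN(ldapInfo, NULL) is passed straight to HashTableFind() and cache_entry->userPW straight to admSetCachedSIEPWD() without a NULL check on either, so when no SIE password is configured and the user DN cannot be resolved, or the cached entry carries no password, the lookup or the setter receives NULL. I would guard both: `char *userdn = admldapGetUserDN(ldapInfo, NULL);` then `if (userdn && (cache_entry = (UserCacheEntry*)HashTableFind(auth_users, userdn)) && cache_entry->userPW) admSetCachedSIEPWD(cache_entry->userPW);`. Whether HashTableFind() tolerates a NULL key is not visible here. A comment stating that the authenticated user's cached password is being promoted to act as the SIE password for later DS operations, replacing the cleartext value previously read from adm.conf, would also help, since the local `passwd` is otherwise only used for the NULL test.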
@@ -1067,10 +1088,10 @@
                 }
 
                 task_register_server(serverid, serverlist[i]);
-                PL_strfree(serverid);
                 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
                              "sync_task_sie_data: registered server [%s] dn [%s]",
                              serverid, serverlist[i]);
+                PL_strfree(serverid);
             }
             else {
                 ap_log_error(APLOG_MARK, APLOG_CRIT, 0, NULL,
@@ -1167,9 +1188,9 @@
                       "admpw file [%s] is corrupted", filename);
         return 0;
     }
-	
+    
     uid = inbuf; *col=0; pw=col+1;
-	
+    
     if (!update_ds(path, newpw, r))  {
         return 0;
     }
@@ -1216,7 +1237,7 @@
         fclose(f);
         return 0;
     }
-	
+    
     fclose(f);
     return 1;
 }
@@ -1250,7 +1271,7 @@
         } else {
             lines[linecnt++] = strdup(inbuf);
         }
-    }	
+    }    
     fclose(f);
 
     if (!modified) {
@@ -1909,7 +1930,7 @@
             }
         }
     }
-  
+
     if (accessAddresses && *accessAddresses) {
         int matchflags = APR_FNM_PERIOD;
         apr_status_t rc = admserv_match_list(apr_pstrdup(r->pool, accessAddresses), clientIP, matchflags);
@@ -2228,11 +2249,49 @@
     } while (server != NULL && ++tries < 2);
    
     if (error != LDAPU_SUCCESS) {
+        char startds[LINE_LENGTH];
+        char normStartds[LINE_LENGTH];
+        char *storage = startds;
+        char *uri = apr_pstrdup(module_pool, STARTDS_IDENTIFIER);
+        /* Although opening LDAPConnection failed, we can initialize
+         * Hosts/Addresses using the local cache.
+         */
+        TaskCacheEntry *cache_entry;
         destroyAdmldap(info);
         closeLDAPConnection(server);
         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
                      "Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache.");
-        return OK;
+        /* Config DS is not up and running
+         * put startconfigds into the cache for bootstrap */
+        if (!build_full_DN(&storage, startds+LINE_LENGTH, uri,
+                           registryServer.bindDN)) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+                "mod_admserv_post_config: unable to build DN from URL - bad URL [%s]",
+                uri?uri:"none");
+            return OK;
+        }
+        convert_to_lower_case(startds);
+        adm_normalize_dn(startds, normStartds);
+        if (!(cache_entry = (TaskCacheEntry *)HashTableFind(auth_tasks, normStartds))) {
+            cache_entry = (TaskCacheEntry*)apr_pcalloc(module_pool, sizeof(TaskCacheEntry));
+            cache_entry->auth_userDNs = HashTableCreate();
+            HashTableInsert(auth_tasks, apr_pstrdup(module_pool, normStartds), cache_entry);
+        }
+
+        cache_entry->execRef     = apr_pstrdup(module_pool, STARTDS_CGI);
+        cache_entry->execRefArgs = NULL;
+        cache_entry->logSuppress = 0;
+        HashTableInsert(cache_entry->auth_userDNs, 
+                        apr_pstrdup(module_pool, LOCAL_SUPER_NAME),
+                        (char*)time(0));
+        
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server,
+                     "Added StartConfigDs task entry [%s:%s:%s] for user [%s]",
+                     normStartds,
+                     cache_entry->execRef ? cache_entry->execRef : "",
+                     cache_entry->execRefArgs ? cache_entry->execRefArgs : "",
+                     LOCAL_SUPER_NAME);
+        return host_ip_init(p, plog, ptemp, base_server);
     }
 
     populate_task_cache_entries(LOCAL_SUPER_NAME, server);
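Review bot: The build_full_DN() failure path still ends in `return OK;` and skips host_ip_init(), while the success path below returns `host_ip_init(p, plog, ptemp, base_server)`; the comment above says hosts/addresses should be initialized from the local cache even though the bind failed, so a malformed STARTDS_IDENTIFIER now leaves that initialization undone as well. I would return `host_ip_init(p, plog, ptemp, base_server)` there too, or state in the comment why it is deliberately skipped on that path. Separately, `(char*)time(0)` stores a time_t as a pointer-typed hash value; if that matches the convention populate_task_cache_entries() uses elsewhere it is fine, but a comment such as `/* value is the registration timestamp, not a string */` would make the cast less surprising. The enclosing function continues past the hunk.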



