[Fedora-directory-commits] adminutil/lib/libadmsslutil admsslutil.c, 1.7, 1.8 psetcssl.c, 1.3, 1.4 srvutilssl.c, 1.4, 1.5

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Tue May 8 19:13:28 UTC 2007


Author: rmeggins

Update of /cvs/dirsec/adminutil/lib/libadmsslutil
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv19482/adminutil/lib/libadmsslutil

Modified Files:
	admsslutil.c psetcssl.c srvutilssl.c 
Log Message:
Resolves: bug 239475
Bug Description: adminutil: Several admin server related bugs
Reviewed by: nhosoi (Thanks!)
Fix Description:
1) I needed a function to return the SIE DN given a server ID (e.g. return
cn=slapd-localhost, cn=..... given slapd-localhost).  This is to avoid lots of
duplicate code in the admin server CGIs.  There is an SSL version as well.  Create
non-ssl and ssl functions to find the SIE DN given the SIE ID.  Change pset code
to use these new functions.
2) Need to be able to force NSS initialization via ADMSSL_Init*.  There were a
couple of places where admin server would perform a SHA hash using homegrown
code.  This has been removed in favor of using NSS.  ADMSSL_Init* would fail if
not configured for SSL, so we need to force it to initialize NSS even if SSL is
not configured.  Change the ADMSSL_Init* routines to accept a force parameter.
If this parameter is true, force NSS_Initialize even if the adminutil is not
configured for SSL.  Changed code that uses ADMSSL_Init* to use this new
parameter.
3) PSET attribute removal is just broken.  It corrupts the internal tree
structure used to hold the attr/values.  The pset node removal code needed to
set the node->left or ->right to NULL only after freeing it.  Fortunately this
function is hardly used at all.
4) small memory leak in form_post.c - not a big deal as this is only used by
CGIs which usually don't free() anyway but just exit() to release their memory.
free memory after use
5) small memory error in the new code in resource.c - does not affect any
released code.  Make sure the buffer is correctly null terminated.  Also, clean up a small memory leak.
6) small memory leaks in various places in uginfo.c - also changed some code to
use PR_smprintf instead of fixed size buffers.  Fixed memory leaks.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no



Index: admsslutil.c
===================================================================
RCS file: /cvs/dirsec/adminutil/lib/libadmsslutil/admsslutil.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- admsslutil.c	4 Apr 2007 19:37:47 -0000	1.7
+++ admsslutil.c	8 May 2007 19:13:26 -0000	1.8
@@ -168,7 +168,7 @@
                        /*minPwdLen=*/8, /*pwdRequired=*/1);
  
   /* init NSS */ 
-  if (NSS_Initialize(securitydir, NULL, NULL, "secmod.db", flags)) {
+  if (NSS_Initialize(securitydir, NULL, NULL, SECMOD_DB, flags)) {
       return -1;
   }
 
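Review bot: the hunk does not show where SECMOD_DB comes from, so a reader cannot tell whether it is the NSS macro (in which case the header that declares it must already be included in this file) or a new local define that belongs in this patch; please make that visible. While this line is being touched, the bare `return -1` on NSS_Initialize failure still discards the NSS error, and since the routine can now be entered on the forced path with whatever securitydir the caller had, logging `PR_GetError()` before returning would make a bad or missing cert/key database diagnosable instead of a silent -1.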
@@ -198,16 +198,16 @@
 
 
 PR_IMPLEMENT(int)
-ADMSSL_InitSimple(char* configdir, char *securitydir)
+ADMSSL_InitSimple(char* configdir, char *securitydir, int force)
 {
   AdmldapInfo   admLdapInfo=NULL;
   int  error;
 
   admLdapInfo = admldapBuildInfo(configdir, &error);
-  if (!admLdapInfo) return -1;
+  if (!admLdapInfo && !force) return -1;
 
-  if (admldapGetSecurity(admLdapInfo)) {
-      error = ADMSSL_Init(admLdapInfo, securitydir);
+  if (force || admldapGetSecurity(admLdapInfo)) {
+      error = ADMSSL_Init(admLdapInfo, securitydir, force);
   } else {
       error = 0;
   }
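Review bot: with `force` set and `admldapBuildInfo` failing, `admLdapInfo` is NULL but execution continues into `ADMSSL_Init(admLdapInfo, securitydir, force)`, and the `error` value admldapBuildInfo reported is overwritten without being surfaced. The next hunk guards the securitydir lookup with `info`, but the rest of this function (the destroy/cleanup of admLdapInfo after the call, for instance) is not in the diff; either confirm every callee on that path tolerates a NULL info, or narrow the force path so that a failed config read still returns an error and only the NSS initialisation is forced.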
@@ -218,14 +218,18 @@
 
 /* set minimum SSL stuff for LDAP/SSL to work */
 PR_IMPLEMENT(int)
-ADMSSL_Init(AdmldapInfo info, char *securitydir)
+ADMSSL_Init(AdmldapInfo info, char *securitydir, int force)
 {
-  int   secure;
+  int   secure = 0;
   char *dirURL, *bindDN, *bindPwd, *dirInfoRef; 
   int errCode;
   int needfree = 0;
 
-  secure = admldapGetSecurity(info);
+  if (force) {
+    secure = 1;
+  } else {
+    secure = admldapGetSecurity(info);
+  }
 
   if (!secure) {
     admldapGetLocalUserDirectory(info,
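Review bot: `if (force) { secure = 1; }` also makes the forced call skip the `!secure` branch below, so `admldapGetLocalUserDirectory` is never consulted when a caller only wants NSS initialised for hashing; if that is intended, the comment above the function (`set minimum SSL stuff for LDAP/SSL to work`) should say that `force` turns the routine into an NSS-only initialiser. Separately, ADMSSL_Init is exported with PR_IMPLEMENT, so a NULL `info` with `force == 0` still reaches `admldapGetSecurity(info)` unguarded; an early `if (!info && !force) return -1;` would close that.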
@@ -239,7 +243,7 @@
         return 0;
   }
 
-  if (!securitydir) {
+  if (!securitydir && info) {
     securitydir = admldapGetSecurityDir(info);
     needfree = 1;
   }
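Review bot: when `force` is set and `info` is NULL, this guard leaves `securitydir` NULL and the NSS_Initialize call at the top of the file is then made with a NULL directory, which is not a valid database location. Either reject `!securitydir && !info` explicitly with an error return, or, for the force-without-SSL-configuration case that item 2 of the log message describes (hashing only, no certificate database needed), fall back to `NSS_NoDB_Init` rather than `NSS_Initialize`.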
@@ -402,13 +406,11 @@
  * Modify "security" in adm.conf and DS
  */
 void set_security(PsetHndl pset, 
-                  char *securitydir, /* where security files can be found */
-				  char *configdir, /* where config files can be found */
+		  char *configdir, /* where config files can be found */
                   char *security /* security on/off */
 )
 {
   int rv;
-  AdmldapInfo admInfo = NULL;
   
   /* set security attribute in DS */
   if((pset) && (security) && (*security != '\0')) {
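Review bot: dropping `securitydir` changes the public signature of `set_security`, and the diff does not include the header or any caller, so this needs to be confirmed to build across adminutil and the admin server CGIs that call it. With the adm.conf block removed in the next hunk, `configdir` appears to be unused inside this function; drop it as well or add a comment saying why it is kept. The context lines also mix tab and space indentation (`char *configdir` vs `char *security`), worth normalising while the signature is being edited.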
@@ -425,22 +427,6 @@
         servssl_error("PSET attribute modification failed!");
     }
   }
-
-  /* add/edit security fields in adm.conf */
-  rv = 0;
-  admInfo = admldapBuildInfoOnly(configdir, &rv);
-  if (!admInfo || rv) {
-    servssl_error("Can not open adm.conf for reading");
-  }
-
-  if (is_dir_ok(securitydir)) {
-	admldapSetSecurityDir(admInfo, securitydir);
-  }
-
-  if (admldapWriteInfoFile(admInfo)) {
-    servssl_error("Can not open adm.conf for writing");
-  }
-  destroyAdmldap(admInfo);
 }
 
 
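Review bot: removing the adm.conf write leaves the comment above this function (`Modify "security" in adm.conf and DS`) stale; after this change the routine only modifies the DS entry and no longer records the security directory in adm.conf. Update the comment, and mention in the log message that any caller which relied on set_security to persist securitydir must now do that itself, since the log message does not record this behaviour change.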
@@ -587,7 +573,7 @@
 {
     PRFileDesc *ssl_socket = NULL;
 
-    if (ADMSSL_InitSimple((char *)configdir, (char *)securitydir) != 0) {
+    if (ADMSSL_InitSimple((char *)configdir, (char *)securitydir, 0) != 0) {
        PR_Close(ssl_socket);
        return NULL;
     }
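Review bot: `ssl_socket` is still NULL when `PR_Close(ssl_socket)` runs on this failure path (it is initialised to NULL two lines above and nothing has opened it yet), so a failed ADMSSL_InitSimple closes a NULL descriptor; as the line is being touched for the new `force` argument anyway, drop the PR_Close and just `return NULL;`.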


Index: psetcssl.c
===================================================================
RCS file: /cvs/dirsec/adminutil/lib/libadmsslutil/psetcssl.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- psetcssl.c	4 Apr 2007 19:37:47 -0000	1.3
+++ psetcssl.c	8 May 2007 19:13:26 -0000	1.4
@@ -27,6 +27,7 @@
 #include "ldap_ssl.h"
 #include "libadminutil/distadm.h"
 #include "libadmsslutil/psetcssl.h"
+#include "libadmsslutil/srvutilssl.h"
 
 #ifdef XP_WIN32
 #define strcasecmp stricmp
@@ -153,11 +154,12 @@
 psetCreateSSL(char* serverID, char* configRoot, char* user, char* passwd,
               int* errorcode)
 {
-  PsetHndl      pset;
+  PsetHndl      pset = NULL;
   AdmldapInfo   ldapInfo= NULL;
-  char          *path = NULL, *ldapHost=NULL, *sieDN, *bindPasswd = NULL;
+  char          *path = NULL, *ldapHost=NULL, *sieDN = NULL, *bindPasswd = NULL;
   char          *userDN = NULL;
   int           ldapPort = -1, secure = 0;
+  int           useLocalConf = 1;
   
   ldapInfo = admldapBuildInfo(configRoot, errorcode);
 
@@ -178,8 +180,21 @@
     if (ldapPort < 0) ldapPort = 389;
   }
 
-  /* Get SIE and password  */
-  sieDN = admldapGetSIEDN(ldapInfo);
+  /* Get SIE */
+  /* if server is admin-serv, then the ldapInfo sieDN is the correct sieDN */
+  if (!serverID || !PL_strncasecmp(serverID, "admin-serv", strlen("admin-serv"))) {
+    sieDN = admldapGetSIEDN(ldapInfo);
+  } else { /* given other serverID */
+    sieDN = findSIEDNByIDSSL(ldapInfo, serverID);
+    if (!sieDN) {
+      *errorcode = PSET_ENTRY_NOT_EXIST;
+      goto done;
+    }
+    useLocalConf = 0; /* disallow local.conf creation - will overwrite admin server one */
+    /* use psetRealCreateSSL to pass in a conf file */
+  }
+
+  /* get user dn and password */
   if (!user) {
     ADM_GetUserDNString(errorcode, &user);
   }
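Review bot: the two branches hand back `sieDN` with different ownership: `admldapGetSIEDN(ldapInfo)` looks like a pointer owned by ldapInfo, while `findSIEDNByIDSSL` returns a `PL_strdup` copy the caller must free, and the `done:` epilogue in the next hunk frees userDN and ldapHost but not sieDN, so the copied DN leaks on every non-admin-serv call unless psetRealCreateSSL takes ownership. Track which case applies (a flag next to `useLocalConf`) and free at `done:`. The line `/* use psetRealCreateSSL to pass in a conf file */` reads as a leftover TODO rather than a description of the code, and the `PL_strncasecmp(serverID, "admin-serv", ...)` prefix test should be called out in a comment as deliberately matching any `admin-serv-<host>` ID.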
@@ -199,13 +214,15 @@
   }
 
   /* find local.conf file */
-  if (!(path = find_file_in_paths("local.conf", configRoot))) {
+  if (useLocalConf &&
+      !(path = find_file_in_paths("local.conf", configRoot))) {
       /* error - no valid file or dir could be found */
       *errorcode = PSET_ENV_ERR;
   }
 
   pset = psetRealCreateSSL(ldapHost, ldapPort, secure, sieDN, userDN,
                            bindPasswd, path, errorcode);
+done:
   destroyAdmldap(ldapInfo);
   PR_Free(userDN);
   PR_Free(ldapHost);
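Review bot: when `find_file_in_paths` fails, `*errorcode = PSET_ENV_ERR` is set but control falls through to `psetRealCreateSSL(..., path, errorcode)` with `path == NULL`, which is now indistinguishable from the deliberate `useLocalConf == 0` case and lets the callee overwrite errorcode; add `goto done;` after the error assignment so the missing local.conf is reported and no pset is created against it.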


Index: srvutilssl.c
===================================================================
RCS file: /cvs/dirsec/adminutil/lib/libadmsslutil/srvutilssl.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- srvutilssl.c	4 Apr 2007 19:37:47 -0000	1.4
+++ srvutilssl.c	8 May 2007 19:13:26 -0000	1.5
@@ -145,3 +145,35 @@
 
 }
 
+#define IS_A_DELIMITER(x) ((x == ',') || (x == ' ') || (x == '+') || (x == '\0'))
+
+PR_IMPLEMENT(char *)
+findSIEDNByIDSSL(AdmldapInfo info, const char *serverID)
+{
+  char *retval = NULL;
+  AttrNameList nl = getServerDNListSSL(info);
+
+  if (nl) {
+    size_t len = strlen(serverID);
+    AttrNameList nlptr = nl;
+    while (retval = *nlptr++) {
+      /* nl is a list of DNs like this:
+	 cn=slapd-foo, ...
+	 cn=slapd-bar,...
+	 cn=admin-serv-localhost,
+	 ...
+	 serverID is the value of the cn - we have to look for the trailing
+	 delimiter to distinguish between slapd-foo slapd-foo2
+      */
+      if ((len <= strlen(retval+3)) &&
+	  !PL_strncasecmp(retval+3, serverID, len) &&
+	  (IS_A_DELIMITER(retval[3+len]))) {
+	retval = PL_strdup(retval);
+	break;
+      }
+    }
+    deleteAttrNameList(nl);
+  }
+
+  return retval;
+}
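Review bot: `retval+3` assumes every DN in the list begins with exactly `cn=`; a DN shorter than three bytes makes `strlen(retval+3)` read past the terminator, and one beginning with `CN=` or another attribute is compared at an arbitrary offset, so check `!PL_strncasecmp(retval, "cn=", 3)` before comparing the value (the `len <= strlen(retval+3)` pre-check can then go, since PL_strncasecmp stops at the NUL and a successful match guarantees `retval[3+len]` is in bounds). Treating `' '` as a delimiter in IS_A_DELIMITER is a correctness risk rather than a style point: an RDN value may contain a space, so a request for `slapd-my` would match `cn=slapd-my host,...` and hand back another server's SIE; the RDN terminators are `,` and `+` (plus end of string). Finally, `while (retval = *nlptr++)` should carry explicit parentheses or a `!= NULL` comparison, and `serverID` is passed to strlen without a NULL check although the function is exported.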




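Item 1 of the log message and the findSIEDNByIDSSL hunk above describe a lookup of a server's SIE DN by matching the serverID against the leading cn= value of each DN and checking the byte that follows it. What follows is an added example, not code from this commit or from adminutil: a plain C version of that delimiter-aware prefix match over a constructed list of DNs (the hostnames and suffixes are made up), with small local helpers standing in for the NSPR PL_strncasecmp/PL_strdup calls. The function name find_sie_dn_by_id, the SAMPLE_SIE_DNS list and the decision to treat only ',' and '+' as RDN terminators are assumptions of the example, not project behaviour. It carries the checks a reviewer would ask for: an explicit, case-insensitive cn= test before indexing past the prefix, no over-read on short or foreign DNs, and no space in the terminator set so that a request for slapd-my cannot match cn=slapd-my host.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample list of server entry DNs in the shape the commit's comment
 * describes (cn=<serverID>, ...). Hosts and suffixes are made up for the demo;
 * entries 2, 3, 4 and 5 exercise the edge cases discussed in review. */
static const char *const SAMPLE_SIE_DNS[] = {
    "cn=slapd-foo, cn=Fedora Directory Server, cn=Server Group, cn=host1.example.com, ou=example.com, o=NetscapeRoot",
    "cn=slapd-foo2, cn=Fedora Directory Server, cn=Server Group, cn=host1.example.com, ou=example.com, o=NetscapeRoot",
    "CN=slapd-my host, cn=Fedora Directory Server, cn=Server Group, cn=host1.example.com, ou=example.com, o=NetscapeRoot",
    "cn=admin-serv-host1+ou=admin, cn=Server Group, cn=host1.example.com, ou=example.com, o=NetscapeRoot",
    "ou=not-a-server, o=NetscapeRoot",
    "x",
    NULL
};

/* Case-insensitive comparison of the first n bytes of s against prefix.
 * Precondition: prefix holds at least n non-NUL bytes, so reaching the NUL of s
 * inside the first n bytes is a mismatch and the loop never reads past it. */
static int prefix_ieq(const char *s, const char *prefix, size_t n)
{
    for (size_t i = 0; i < n; ++i)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return 1;
}

/* malloc'd copy of s (local stand-in for PL_strdup). */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy)
        memcpy(copy, s, n);
    return copy;
}

/* An RDN value ends at ',' (next RDN), '+' (next attribute of a multi-valued
 * RDN) or end of string. A space is deliberately not a terminator: cn values
 * may contain spaces, and treating ' ' as one lets "slapd-my" match
 * "cn=slapd-my host" and return the wrong server's entry. */
static int rdn_value_ends(char c)
{
    return c == ',' || c == '+' || c == '\0';
}

/* Return a malloc'd copy of the DN whose leading cn= value equals server_id
 * (case-insensitively), or NULL when no entry matches. Caller frees. */
char *find_sie_dn_by_id(const char *const *dn_list, const char *server_id)
{
    if (dn_list == NULL || server_id == NULL || *server_id == '\0')
        return NULL;

    size_t id_len = strlen(server_id);

    for (const char *const *p = dn_list; *p != NULL; ++p) {
        const char *dn = *p;

        /* Skip leading blanks, then require the cn= prefix explicitly. Indexing
         * dn+3 without this check reads past the end of a DN shorter than three
         * bytes and compares at the wrong offset for "ou=..." entries. */
        while (*dn == ' ')
            dn++;
        if (!prefix_ieq(dn, "cn=", 3))
            continue;
        const char *value = dn + 3;

        /* A value shorter than server_id fails inside prefix_ieq at its NUL;
         * on success value[id_len] is in bounds (at worst the terminator). */
        if (prefix_ieq(value, server_id, id_len) && rdn_value_ends(value[id_len]))
            return dup_string(*p);
    }
    return NULL;
}

int main(void)
{
    const char *ids[] = { "slapd-foo", "SLAPD-FOO2", "slapd-my", "slapd-my host",
                          "admin-serv-host1", "not-a-server", "x", NULL };
    for (const char **id = ids; *id != NULL; ++id) {
        char *dn = find_sie_dn_by_id(SAMPLE_SIE_DNS, *id);
        printf("%-18s -> %s\n", *id, dn ? dn : "(no match)");
        free(dn);
    }
    return 0;
}
```

Running it shows slapd-foo and slapd-foo2 resolving to their own entries (the trailing-delimiter check keeps slapd-foo from matching slapd-foo2), the upper-case CN= entry matching only when the full value including its space is requested, the multi-valued RDN terminated by '+' matching, and the ou= entry and the one-byte DN being skipped rather than read out of bounds.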