Re: [Pki-devel] [PATCH] 0150 Allow DirAclAuthz to be configured to read alternative entry

2017-02-09 Thread Fraser Tweedale
On Tue, Jan 24, 2017 at 02:45:48PM +1000, Fraser Tweedale wrote:
> The attached patch (part of the GSS-API effort) allows DirAclAuthz
> configuration to specify to read the ACLs from a different entry (it
> is currently hard-coded).
> 
> Thanks,
> Fraser
>
ACKed by alee; pushed to master:
76266bbf9b48f0ff01e7bfc9cd114c7ced460256

Thanks,
Fraser

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


[Pki-devel] [PATCH] 0150 Allow DirAclAuthz to be configured to read alternative entry

2017-01-23 Thread Fraser Tweedale
The attached patch (part of the GSS-API effort) allows DirAclAuthz
configuration to specify to read the ACLs from a different entry (it
is currently hard-coded).

Thanks,
Fraser
From aadb84720bde84db39c80ea2886b66efdd089111 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Fri, 13 Jan 2017 12:25:26 +1000
Subject: [PATCH] Allow DirAclAuthz to be configured to read alternative entry

Add the `searchBase' parameter for DirAclAuthz instances.  If
specified, it prepends the searchBase to the baseDN.  This allows
reusing an existing LDAP connection config (e.g. "internaldb")
whilst changing where the instance loads the ACLs from.

Part of: https://fedorahosted.org/pki/ticket/1359
---
 .../netscape/cms/authorization/DirAclAuthz.java| 26 +++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git 
a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java 
b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
index 
bcb81f3d0e390545fed2fbf530cf9b57e6bc48ea..3e2a1b36f1b7b8126542afc688a3d3610c7ce630
 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
@@ -53,11 +53,20 @@ public class DirAclAuthz extends AAclAuthz
 // members
 
 protected static final String PROP_BASEDN = "basedn";
+protected static final String PROP_SEARCHBASE = "searchBase";
 
 private ILdapConnFactory mLdapConnFactory = null;
 private String mBaseDN = null;
 private static boolean needsFlush = false;
 
+/**
+ * If configured, this is an LDAP RDN sequence to be
+ * prepended to the LDAP base DN, as the base of the
+ * search.  If non-null, the search filter also changes
+ * from (cn=aclResources) to (objectclass=CertACLS).
+ */
+private String searchBase = null;
+
 static {
 mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;" +
 "LDAP host to connect to");
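Review bot: the javadoc on the new `searchBase` field says the filter becomes `(objectclass=CertACLS)`, but the load path below uses the string `objectclass=CertACLs`; pick one spelling so that a grep for the object class finds both (LDAP compares objectclass values case-insensitively, so this is a documentation point, not a functional one). It would also help to state in the comment that the value is a bare RDN sequence such as `ou=acls` rather than a full DN, since "prepended to the LDAP base DN" implies that but the parameter name `searchBase` does not.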
@@ -106,6 +115,8 @@ public class DirAclAuthz extends AAclAuthz
 throws EBaseException {
 super.init(name, implName, config);
 
+searchBase = config.getString(PROP_SEARCHBASE, null);
+
 // initialize LDAP connection factory
 IConfigStore ldapConfig = config.getSubStore("ldap");
 
@@ -134,11 +145,20 @@ public class DirAclAuthz extends AAclAuthz
 // into memory
 LDAPConnection conn = null;
 
-CMS.debug("DirAclAuthz: about to ldap search aclResources");
+String basedn = mBaseDN;
+String filter = "cn=aclResources";
+if (searchBase != null) {
+basedn = String.join(",", searchBase, basedn);
+filter = "objectclass=CertACLs";
+}
+
+CMS.debug(
+"DirAclAuthz: about to ldap search "
++ basedn + " (" + filter + ")");
 try {
 conn = getConn();
-LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB,
-"cn=aclResources", null, false);
+LDAPSearchResults res = conn.search(
+basedn, LDAPv2.SCOPE_SUB, filter, null, false);
 
 returnConn(conn);
 if (res.hasMoreElements()) {
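Review bot: in the `searchBase` branch the search still uses `LDAPv2.SCOPE_SUB` but now filters on `objectclass=CertACLs`, so every entry of that class anywhere under `searchBase,mBaseDN` matches, and the code that follows takes only the first result from `res.hasMoreElements()`, whose order the server does not guarantee. If `searchBase` is intended to name the ACL entry itself, use `LDAPv2.SCOPE_BASE` in that branch; if it names a container, document that exactly one CertACLs entry is expected there and log when more than one comes back, otherwise a stray entry can silently swap in a different ACL set. Minor: the debug message prints the filter in parentheses while the filter passed to `conn.search` has none; harmless, but consistent formatting makes log lines easier to match against the code.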
-- 
2.9.3

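As an added example (not part of this patch or of the PKI code base), the Python below models the search-base and filter selection the patch describes, prepending `searchBase` to the base DN and switching the filter, and adds the empty or malformed `searchBase` guard a reviewer would want instead of a bare string join. The function names and the RDN-sequence pattern are assumptions for illustration, not PKI APIs.

```python
import re

# Filters as named in the patch: default entry lookup vs. objectclass lookup.
DEFAULT_FILTER = "(cn=aclResources)"
SEARCHBASE_FILTER = "(objectclass=CertACLs)"

# Simplified RDN-sequence shape (attr=value, comma separated); this is an
# assumption for the example and ignores escaped commas in values.
_RDN_SEQ = re.compile(
    r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(?:,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$"
)


def validate_search_base(search_base):
    """Return True when search_base is None (unset) or a usable RDN sequence.

    An empty or whitespace-only value is rejected: joined with a comma it
    would yield ",dc=example,dc=com", an invalid DN that only fails later at
    search time.
    """
    if search_base is None:
        return True
    stripped = search_base.strip()
    return bool(stripped) and _RDN_SEQ.match(stripped) is not None


def acl_search_target(base_dn, search_base=None):
    """Return (search_base_dn, filter) for loading the ACL entry.

    Mirrors the patch logic: without searchBase, search base_dn for
    cn=aclResources; with searchBase, prepend it to base_dn and search for
    objectclass=CertACLs. Unlike a plain join, invalid input raises here.
    """
    if search_base is None:
        return base_dn, DEFAULT_FILTER
    if not validate_search_base(search_base):
        raise ValueError(f"searchBase is set but unusable: {search_base!r}")
    return f"{search_base.strip()},{base_dn}", SEARCHBASE_FILTER


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    print(acl_search_target("dc=pki,dc=example"))
    print(acl_search_target("dc=pki,dc=example", "cn=aclResources,ou=acls"))
    for bad in ("", "   ", "ou=acls,"):
        print(repr(bad), "valid:", validate_search_base(bad))
```

The important difference from the patch as posted is that the empty-string case is refused up front rather than producing a malformed DN at load time.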