The attached patch (part of the GSS-API effort) allows the DirAclAuthz
configuration to specify a different entry from which to read the ACLs
(the entry is currently hard-coded).
Thanks,
Fraser
From aadb84720bde84db39c80ea2886b66efdd089111 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 13 Jan 2017 12:25:26 +1000
Subject: [PATCH] Allow DirAclAuthz to be configured to read alternative entry
Add the `searchBase' parameter for DirAclAuthz instances. If
specified, it prepends the searchBase to the baseDN. This allows
reusing an existing LDAP connection config (e.g. "internaldb")
whilst changing where the instance loads the ACLs from.
Part of: https://fedorahosted.org/pki/ticket/1359
---
.../netscape/cms/authorization/DirAclAuthz.java| 26 +++---
1 file changed, 23 insertions(+), 3 deletions(-)
diff --git
a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
index
bcb81f3d0e390545fed2fbf530cf9b57e6bc48ea..3e2a1b36f1b7b8126542afc688a3d3610c7ce630
100644
--- a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
@@ -53,11 +53,20 @@ public class DirAclAuthz extends AAclAuthz
// members
protected static final String PROP_BASEDN = "basedn";
+protected static final String PROP_SEARCHBASE = "searchBase";
private ILdapConnFactory mLdapConnFactory = null;
private String mBaseDN = null;
private static boolean needsFlush = false;
+/**
+ * If configured, this is an LDAP RDN sequence to be
+ * prepended to the LDAP base DN, as the base of the
+ * search. If non-null, the search filter also changes
+ * from (cn=aclResources) to (objectclass=CertACLS).
+ */
+private String searchBase = null;
+
static {
mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;" +
"LDAP host to connect to");
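Review bot: The Javadoc on the new `searchBase` field names the alternate filter as `(objectclass=CertACLS)` while the load code applies the literal `objectclass=CertACLs`; LDAP compares objectclass values case-insensitively so the search is unaffected, but the comment should match the literal so a reader grepping for it finds the code. Suggest `* from (cn=aclResources) to (objectclass=CertACLs).`. The comment could also state that the value is an administrator-supplied RDN sequence joined verbatim with the base DN, since no escaping or syntax check is applied anywhere in this patch.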
@@ -106,6 +115,8 @@ public class DirAclAuthz extends AAclAuthz
throws EBaseException {
super.init(name, implName, config);
+searchBase = config.getString(PROP_SEARCHBASE, null);
+
// initialize LDAP connection factory
IConfigStore ldapConfig = config.getSubStore("ldap");
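Review bot: `searchBase = config.getString(PROP_SEARCHBASE, null);` treats an empty or whitespace-only value as configured, and the load hunk (`@@ -134,11 +145,20`) then builds `",<basedn>"`, an invalid DN, and switches the filter to `objectclass=CertACLs`, so a blank `searchBase` entry silently redirects the ACL load to a search that cannot succeed. Normalise it at init so that blank means unset: `searchBase = config.getString(PROP_SEARCHBASE, null); if (searchBase != null && searchBase.trim().isEmpty()) searchBase = null;`. What a failed search means for authorization decisions is decided by the catch block outside that hunk, so it is worth confirming that path fails closed. The enclosing `init` method begins before this hunk.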
@@ -134,11 +145,20 @@ public class DirAclAuthz extends AAclAuthz
// into memory
LDAPConnection conn = null;
-CMS.debug("DirAclAuthz: about to ldap search aclResources");
+String basedn = mBaseDN;
+String filter = "cn=aclResources";
+if (searchBase != null) {
+basedn = String.join(",", searchBase, basedn);
+filter = "objectclass=CertACLs";
+}
+
+CMS.debug(
+"DirAclAuthz: about to ldap search "
++ basedn + " (" + filter + ")");
try {
conn = getConn();
-LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB,
-"cn=aclResources", null, false);
+LDAPSearchResults res = conn.search(
+basedn, LDAPv2.SCOPE_SUB, filter, null, false);
returnConn(conn);
if (res.hasMoreElements()) {
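Review bot: Replacing the single well-known entry `cn=aclResources` with the sub-tree filter `objectclass=CertACLs` makes every matching entry beneath `basedn` a candidate, yet the result is still consumed through `if (res.hasMoreElements())` whose body lies outside the hunk; if that body reads only the first result, which entry supplies the ACLs depends on directory return order, and if it iterates, `CertACLs` entries anywhere under the configured base would contribute ACLs. Either narrow the scope when `searchBase` is set (`LDAPv2.SCOPE_BASE` against the joined DN, if the intent is one entry) or document on `searchBase` that every `CertACLs` entry beneath it is authoritative. The joined `basedn` is also passed to `conn.search` without checking that `searchBase` is a syntactically valid RDN sequence, so a mistyped value surfaces only as a search failure. The enclosing method starts before this hunk and continues past it.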
--
2.9.3