[Pkg-fedora-ds-maintainers] 389-admin: Changes to 'master'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Wed May 27 21:28:05 UTC 2015
VERSION.sh | 2
admserv/cfgstuff/console.conf.in | 2
admserv/cgi-src40/admpw.c | 5
admserv/cgi-src40/ds_create.in | 12
admserv/cgi-src40/repl-monitor-cgi.pl.in | 11
admserv/cgi-src40/sec-activate.c | 111 ++-
admserv/cgi-src40/security.c | 8
admserv/cgi-src40/start_config_ds.c | 11
admserv/cgi-src40/viewdata.c | 135 +++
admserv/newinst/src/AdminServer.pm.in | 186 +++--
admserv/newinst/src/AdminUtil.pm.in | 13
admserv/newinst/src/ConfigDSDialogs.pm | 12
admserv/newinst/src/register-ds-admin.pl.in | 714 ++++++++++++++++-----
admserv/newinst/src/register-ds-admin.res.in | 36 -
admserv/newinst/src/register_param.map.in | 4
admserv/newinst/src/register_server.pl.in | 6
admserv/newinst/src/setup-ds-admin.pl.in | 6
admserv/newinst/src/setup-ds-admin.res.in | 17
debian/changelog | 6
debian/patches/fix-hyphen-used-as-minus-sign.patch | 26
debian/patches/fix-script-name-cgi.patch | 6
debian/patches/man_page_fixes | 28
lib/libadmin/httpcon.c | 3
lib/libdsa/dsalib_location.c | 10
lib/libdsa/dsalib_updown.c | 40 -
man/man8/register-ds-admin.pl.8 | 139 +++-
man/man8/remove-ds-admin.pl.8 | 10
mod_admserv/mod_admserv.c | 319 ++++++---
28 files changed, 1419 insertions(+), 459 deletions(-)
New commits:
commit fdbd1c7b67dcf74967bf85a69dba9c70bcf956bb
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Thu May 28 00:23:25 2015 +0300
releasing package 389-admin version 1.1.38-1
diff --git a/debian/changelog b/debian/changelog
index cbfa0f8..6731386 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-389-admin (1.1.38-1) UNRELEASED; urgency=medium
+389-admin (1.1.38-1) unstable; urgency=medium
* New upstream release.
* Refresh patches.
@@ -6,7 +6,7 @@
* control: Bump policy to 3.9.6, no changes.
* control: Drop build-dep on apache2-mpm-worker. (Closes: #785706)
- -- Timo Aaltonen <tjaalton at debian.org> Thu, 07 May 2015 12:42:16 +0300
+ -- Timo Aaltonen <tjaalton at debian.org> Thu, 28 May 2015 00:23:17 +0300
389-admin (1.1.35-4) unstable; urgency=medium
commit ee06e24e1bebe288874f2b29d347b23a75a0cb28
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Thu May 28 00:22:38 2015 +0300
new upstream, refresh patches
diff --git a/debian/changelog b/debian/changelog
index e17d93d..cbfa0f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,7 @@
-389-admin (1.1.35-5) UNRELEASED; urgency=medium
+389-admin (1.1.38-1) UNRELEASED; urgency=medium
+ * New upstream release.
+ * Refresh patches.
* rules: Support reproducible builds, thanks Chris Lamb. (Closes: #776806)
* control: Bump policy to 3.9.6, no changes.
* control: Drop build-dep on apache2-mpm-worker. (Closes: #785706)
diff --git a/debian/patches/fix-hyphen-used-as-minus-sign.patch b/debian/patches/fix-hyphen-used-as-minus-sign.patch
index 6a4b519..8d70aed 100644
--- a/debian/patches/fix-hyphen-used-as-minus-sign.patch
+++ b/debian/patches/fix-hyphen-used-as-minus-sign.patch
@@ -27,28 +27,32 @@ Author: Benjamin Drung <benjamin.drung at profitbricks.com>
.PP
--- a/man/man8/register-ds-admin.pl.8
+++ b/man/man8/register-ds-admin.pl.8
-@@ -19,13 +19,13 @@
+@@ -19,16 +19,16 @@
register\-ds\-admin.pl \- Registers Directory Server instances with an Admin Server
.SH SYNOPSIS
.B register-ds-admin.pl
-[\fI--options\fR] \fI-- \fR[\fIargs\fR]
-+[\fI\-\-options\fR] \fI\-\- \fR[\fIargs\fR]
++[\fI\-\-options\fR] \fI-\- \fR[\fIargs\fR]
.SH DESCRIPTION
- Registers existing Directory Server instances with an existing Admin Server.
- This command does the set up necessary for the use of the Console to manage
- the Directory Server instances you are registering.
+ Registers existing Directory Server instances with an existing Admin Server.
+ This command does the set up necessary for the use of the Console to manage
+ the Directory Server instances you are registering. You can register remote
+ Directory Server instances to a local Admin Server, as well as register local
+-Directory Server instances with a remote Admin Server - this allows a single
++Directory Server instances with a remote Admin Server \- this allows a single
+ console/Admin Server to manage all your Directory Servers on your network.
--Use this command with the \fB--update\fR option after an upgrade to refresh the server information (version, build number, etc.) in the Console.
-+Use this command with the \fB\-\-update\fR option after an upgrade to refresh the server information (version, build number, etc.) in the Console.
+-Use this command with the \fB--update\fR option after an upgrade to refresh
++Use this command with the \fB\-\-update\fR option after an upgrade to refresh
+ the server information (version, build number, etc.) in the Console.
Can be run in interactive mode with different levels of verbosity, or
- in silent mode with parameters supplied in a .inf format file or
-@@ -62,7 +62,7 @@
+@@ -66,7 +66,7 @@ Log setup messages to this file \- other
Update an existing installation (e.g. after upgrading packages)
.TP
.B \fB\-\-continue
-(update only) keep going despite errors (also --force)
+(update only) keep going despite errors (also \-\-force)
.PP
- For all options, you can also use the short name e.g. \fB\-h\fR, \fB\-d\fR, etc. For the \fB\-d\fR argument,
- specifying it more than once will increase the debug level e.g. \fB\-ddddd\fR
+ For all options, you can also use the short name e.g. \fB\-h\fR, \fB\-d\fR, etc.
+ For the \fB\-d\fR argument, specifying it more than once will increase the debug
diff --git a/debian/patches/fix-script-name-cgi.patch b/debian/patches/fix-script-name-cgi.patch
index f677b71..1cd7dcc 100644
--- a/debian/patches/fix-script-name-cgi.patch
+++ b/debian/patches/fix-script-name-cgi.patch
@@ -3,13 +3,11 @@ Date: Wed Feb 29 19:39:45 2012 +0200
fix-script-name-cgi.patch: Use the correct name for repl-monitor perl script
-diff --git a/admserv/cgi-src40/repl-monitor-cgi.pl.in b/admserv/cgi-src40/repl-monitor-cgi.pl.in
-index 5529454..ffc8f18 100755
--- a/admserv/cgi-src40/repl-monitor-cgi.pl.in
+++ b/admserv/cgi-src40/repl-monitor-cgi.pl.in
-@@ -76,4 +76,4 @@ if ( $query->url_param('servport') ne "" ) {
- }
+@@ -69,4 +69,4 @@ if ( $query->url_param('servport') ne ""
# Now the real work
+ print "Content-Type: text/html\n\n";
-require "@bindir@/repl-monitor.pl";
+require "@bindir@/repl-monitor";
diff --git a/debian/patches/man_page_fixes b/debian/patches/man_page_fixes
index 8948ec0..4370d1e 100644
--- a/debian/patches/man_page_fixes
+++ b/debian/patches/man_page_fixes
@@ -1,11 +1,9 @@
Author: Michele Baldessari
Description: Hyphenation fixes
-Index: 389-admin-1.1.11.a2/man/man8/remove-ds-admin.pl.8
-===================================================================
---- 389-admin-1.1.11.a2.orig/man/man8/remove-ds-admin.pl.8 2010-02-27 00:10:26.000000000 +0100
-+++ 389-admin-1.1.11.a2/man/man8/remove-ds-admin.pl.8 2010-05-24 17:29:47.000000000 +0200
-@@ -30,7 +30,7 @@
+--- a/man/man8/remove-ds-admin.pl.8
++++ b/man/man8/remove-ds-admin.pl.8
+@@ -30,7 +30,7 @@ will contain the retained certificate da
It will remove all of the data and configuration
of all directory servers and admin servers, with
no chance of recovery. Therefore, in order to actually
@@ -14,7 +12,7 @@ Index: 389-admin-1.1.11.a2/man/man8/remove-ds-admin.pl.8
.PP
.\" TeX users may be more comfortable with the \fB<whatever>\fP and
.\" \fI<whatever>\fP escape sequences to invode bold face and italics,
-@@ -39,13 +39,13 @@
+@@ -39,13 +39,13 @@ do this, you must give the -y option. \
A summary of options is included below:
.TP
.B \fB\-f\fR
@@ -26,16 +24,14 @@ Index: 389-admin-1.1.11.a2/man/man8/remove-ds-admin.pl.8
+Enable debugging \- adding more \-d will make output more verbose
.TP
.B \fB\-y\fR
--Do the actual processing. Since the command is very destructive, you must provide the -y argument in order for the operation to proceed. \fBUse with extreme caution!\fR
-+Do the actual processing. Since the command is very destructive, you must provide the \-y argument in order for the operation to proceed. \fBUse with extreme caution!\fR
- .br
- .SH AUTHOR
- remove-ds-admin.pl was written by the 389 Project.
-Index: 389-admin-1.1.11.a2/man/man8/migrate-ds-admin.pl.8
-===================================================================
---- 389-admin-1.1.11.a2.orig/man/man8/migrate-ds-admin.pl.8 2010-05-24 17:30:03.000000000 +0200
-+++ 389-admin-1.1.11.a2/man/man8/migrate-ds-admin.pl.8 2010-05-24 17:30:11.000000000 +0200
-@@ -93,7 +93,7 @@
+-Do the actual processing. Since the command is very destructive, you must provide the -y argument
++Do the actual processing. Since the command is very destructive, you must provide the \-y argument
+ in order for the operation to proceed. \fBUse with extreme caution!\fR Note, the security/certificate
+ files are preserved for future setups.
+ .TP
+--- a/man/man8/migrate-ds-admin.pl.8
++++ b/man/man8/migrate-ds-admin.pl.8
+@@ -93,7 +93,7 @@ given with the \fB\-f\fR argument. The
.IP
migrate-ds-admin.pl General.ConfigDirectoryAdminPwd=thepassword
.PP
commit a9ef0d23aeed21729f2acab9408274f295f729ce
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Tue Feb 3 13:54:45 2015 -0800
bump version to 1.1.38
diff --git a/VERSION.sh b/VERSION.sh
index 366bcab..6440fa1 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -11,7 +11,7 @@ vendorurl=http://port389.org
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=1
-VERSION_MAINT=37
+VERSION_MAINT=38
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
commit f733c904293bb50ac2c5bcfc441b527fcec30e19
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Fri Jan 30 14:53:53 2015 -0800
Ticket #48024 - repl-monitor invoked from adminserver cgi fails
Description: A generated file by a cgi script requires the "Content-
Type: text/html" at the top. This patch adds it. Also, removing
the old default config file path, e.g., /etc/dirsrv/eplmon.conf,
which we don't include any more.
https://fedorahosted.org/389/ticket/48024
Reviewed by rmeggins at redhat.com (Thank you, Rich!!)
diff --git a/admserv/cgi-src40/repl-monitor-cgi.pl.in b/admserv/cgi-src40/repl-monitor-cgi.pl.in
index 5529454..3a7cc05 100755
--- a/admserv/cgi-src40/repl-monitor-cgi.pl.in
+++ b/admserv/cgi-src40/repl-monitor-cgi.pl.in
@@ -43,15 +43,7 @@ use CGI;
my $query = CGI->new;
@ARGV = (); # clear it out
-if ( $query->url_param('configfile') eq "" ) {
- my $configfile;
- if ($ENV{DS_CONFIG_DIR} and -d $ENV{DS_CONFIG_DIR}) {
- $configfile = "$ENV{DS_CONFIG_DIR}/@instancename@/replmon.conf";
- } elsif ("@instconfigdir@" and -d "@instconfigdir@") {
- $configfile = "@instconfigdir@/replmon.conf";
- }
- push @ARGV, '-f', $configfile;
-} else {
+if ( $query->url_param('configfile') ne "" ) {
push @ARGV, '-f', $query->url_param('configfile');
}
@@ -76,4 +68,5 @@ if ( $query->url_param('servport') ne "" ) {
}
# Now the real work
+print "Content-Type: text/html\n\n";
require "@bindir@/repl-monitor.pl";
commit 963909573337291e400ce25964bf42fdf9134713
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Tue Jan 20 13:36:36 2015 -0800
bump version to 1.1.37
diff --git a/VERSION.sh b/VERSION.sh
index 2942ec3..366bcab 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -11,7 +11,7 @@ vendorurl=http://port389.org
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=1
-VERSION_MAINT=36
+VERSION_MAINT=37
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
commit 9ea342d2e63ca060bf6a7f195610815c29b99550
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Tue Jan 20 13:56:31 2015 -0800
Ticket #47995 - Admin Server: source code cleaning
Description: Removing unnecessary full path. Note: it's in the
DEBUG_TRACE which is not enabled.
https://fedorahosted.org/389/ticket/47995
diff --git a/lib/libadmin/httpcon.c b/lib/libadmin/httpcon.c
index 4bc5abe..24a39e1 100644
--- a/lib/libadmin/httpcon.c
+++ b/lib/libadmin/httpcon.c
@@ -69,7 +69,8 @@ extern void SEC_Init(void);
#ifdef DEBUG_TRACE
FILE *dbf = NULL;
int numconns = 0;
-char *dbd = "/tmp/http_trace.%d";
+/* Replace '/path/to' with a real path when DEBUG_TRACE is enabled. */
+char *dbd = "/path/to/http_trace.%d";
char dbp[256];
#endif
commit 894e5b9a64c2edaea6f1a1ef089015a1920169df
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Tue Jan 20 13:18:59 2015 -0800
Ticket 47891 - Admin Server reconfig breaks SSL config
Description:
1) Use mkdtemp to reduce the risk to disclose the sec file backup
location that is in the same file system as the original files
exist.
2) reconfig_backup_secfiles and reconfig_restore_secfiles expect
the admin config dir, e.g., "/etc/dirsrv/admin-serv" or the dir
specified by the environment variable.
3) Update (--update) did not call reconfig_restore_secfiles in which
restores and delete the backup dir.
4) If creating or accessing the sec backup dir fails, it issues a
fatal error and quits the reconfiguration.
https://fedorahosted.org/389/ticket/47891
Reviewed by rmeggins at redhat.com (Thank you, Rich!!)
diff --git a/admserv/newinst/src/AdminServer.pm.in b/admserv/newinst/src/AdminServer.pm.in
index a189c66..0c98a6e 100644
--- a/admserv/newinst/src/AdminServer.pm.in
+++ b/admserv/newinst/src/AdminServer.pm.in
@@ -30,8 +30,11 @@ require Exporter;
use File::Path;
use File::Copy;
+use File::Basename;
+use File::Temp;
-my $secfile_backup_dir = "/tmp/adm-sec-files." . $$;
+my $template_backup_dir = "tmpdirXXXX";
+my $secfile_backup_dir = "";
# tempfiles
use File::Temp qw(tempfile tempdir);
@@ -515,8 +518,12 @@ sub reconfig_backup_secfiles
#
my $configdir = shift;
+ my $dirname = dirname $configdir;
+ my $my_template_backup_dir = $dirname . "/" . $template_backup_dir;
+ $secfile_backup_dir = mkdtemp($my_template_backup_dir);
if ( ! -d $secfile_backup_dir){
- mkdir ($secfile_backup_dir, 0755);
+ $setup->msg($FATAL, 'error_creating_secfile_backup', $secfile_backup_dir, $!);
+ return 0;
}
foreach my $savefile (@reconfigsavefiles) {
if ( -e "$configdir/$savefile"){
@@ -527,6 +534,7 @@ sub reconfig_backup_secfiles
}
}
}
+ return 1;
}
sub reconfig_restore_secfiles
@@ -536,11 +544,16 @@ sub reconfig_restore_secfiles
#
my $configdir = shift;
+ if ( ! -d $secfile_backup_dir){
+ $setup->msg($FATAL, 'error_accessing_secfile_backup', $secfile_backup_dir);
+ return 0;
+ }
foreach my $savefile (@reconfigsavefiles) {
move ("$secfile_backup_dir/$savefile" ,"$configdir/$savefile");
debug(1, "Restoring $configdir/$savefile with $secfile_backup_dir/$savefile\n");
}
rmdir ($secfile_backup_dir);
+ return 1;
}
sub createAdminServer {
@@ -548,13 +561,6 @@ sub createAdminServer {
my $reconfig = shift;
# setup has inf, res, and log
- if ($reconfig) {
- $setup->msg('begin_reconfig_adminserver');
- reconfig_backup_secfiles($setup->{inf}->{admin}->{config_dir});
- } else {
- $setup->msg('begin_create_adminserver');
- }
-
if (!setDefaults($setup)) {
return 0;
}
@@ -578,6 +584,15 @@ sub createAdminServer {
$ENV{ADMSERV_PID_DIR} ||
"@piddir@";
+ if ($reconfig) {
+ $setup->msg('begin_reconfig_adminserver');
+ if (!reconfig_backup_secfiles($configdir)) {
+ return 0;
+ }
+ } else {
+ $setup->msg('begin_create_adminserver');
+ }
+
# if we're just doing the update, just register and return
if ($setup->{update}) {
if (!registerASWithConfigDS($setup, $configdir)) {
@@ -587,6 +602,13 @@ sub createAdminServer {
# Update SELinux policy if needed
updateSelinuxPolicy($setup, $configdir, $securitydir, $logdir, $rundir);
+ # Restore the security files before we start the server
+ if ($reconfig) {
+ if (!reconfig_restore_secfiles($configdir)) {
+ return 0;
+ }
+ }
+
return 1;
}
@@ -619,7 +641,9 @@ sub createAdminServer {
# Restore the security files before we start the server
if ($reconfig) {
- reconfig_restore_secfiles($setup->{inf}->{admin}->{config_dir});
+ if (!reconfig_restore_secfiles($configdir)) {
+ return 0;
+ }
}
if (!startAdminServer($setup, $configdir, $logdir, $rundir)) {
diff --git a/admserv/newinst/src/setup-ds-admin.res.in b/admserv/newinst/src/setup-ds-admin.res.in
index e83d045..b03bc0c 100644
--- a/admserv/newinst/src/setup-ds-admin.res.in
+++ b/admserv/newinst/src/setup-ds-admin.res.in
@@ -161,3 +161,5 @@ error_removing_port_label = Error: could not remove selinux label from port '%s'
error_product_already_exists = Error: the product %s already exists.\
If you want to delete this entry and force the conversion of the older\
product, run this program again with the --force option.\n\n
+error_creating_secfile_backup = Could not create temporary directory %s to backup security files. Error: %s\n
+error_accessing_secfile_backup = Could not access temporary directory %s to restore security files.\n
commit 2524f08c540ea4eee514950b58cab498b6634b55
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Mon Dec 8 17:21:24 2014 -0800
bump version to 1.1.36
diff --git a/VERSION.sh b/VERSION.sh
index de6b8d0..2942ec3 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -11,7 +11,7 @@ vendorurl=http://port389.org
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=1
-VERSION_MAINT=35
+VERSION_MAINT=36
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
commit dbf1a2e74952e0a36d15b674293fc3071eaf16a7
Author: Mark Reynolds <mreynolds at redhat.com>
Date: Wed Oct 29 13:54:56 2014 -0400
Ticket 47929 - Admin Server - disable SSLv3 by default
Bug Description: SSLv3 is no longer safe to use.
Fix Description: Set the NSS protocol to TLSv1.1 by default, and also
properly set the SSL min/max version range(which can
also be customized in adm.conf). Also made sure the
new range is properly set and initialized.
https://fedorahosted.org/389/ticket/47929
Reviewed by: nhosoi(Thanks!)
diff --git a/admserv/cfgstuff/console.conf.in b/admserv/cfgstuff/console.conf.in
index 5f22439..0b7f106 100644
--- a/admserv/cfgstuff/console.conf.in
+++ b/admserv/cfgstuff/console.conf.in
@@ -108,7 +108,7 @@ NSSCertificateDatabase @securitydir@
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
-NSSProtocol SSLv3,TLSv1
+NSSProtocol TLSv1.1
# Client Authentication (Type):
# Client certificate verification type. Types are none, optional and
diff --git a/mod_admserv/mod_admserv.c b/mod_admserv/mod_admserv.c
index 3fc19ff..2ffc1fb 100644
--- a/mod_admserv/mod_admserv.c
+++ b/mod_admserv/mod_admserv.c
@@ -145,9 +145,11 @@ module AP_MODULE_DECLARE_DATA admserv_module;
static int sync_task_sie_data(const char *name, char *query, void *arg, request_rec *r);
static int change_sie_password(const char *name, char *query, void* arg, request_rec *r);
static int create_auth_users_cache_entry(char *user, char *userDN, const char *userPW, char *ldapURL);
-
+static int sslinit(AdmldapInfo info, const char *configdir);
static int admserv_check_user_id(request_rec *r);
+static int NSS_inited = 0;
+
/* per-process config structure */
typedef struct {
int nInitCount;
@@ -513,6 +515,13 @@ openLDAPConnection(LdapServerData *data)
{
LDAP *server;
+ if(data->secure && !NSS_inited){
+ AdmldapInfo info;
+ int error = 0;
+
+ info = admldapBuildInfo(configdir, &error);
+ sslinit(info, configdir);
+ }
if (!(server = util_ldap_init(data->securitydir, NULL,
data->host, data->port, data->secure, 1, NULL))) {
ap_log_error(APLOG_MARK, APLOG_CRIT, 0 /* status */, NULL,
@@ -779,23 +788,17 @@ extractLdapServerData(LdapServerData *data, char *ldapURL, const server_rec *s)
static int
sslinit(AdmldapInfo info, const char *configdir)
{
- if (!NSS_IsInitialized()) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0 /* status */, NULL,
- "sslinit: doing NSS initialization");
- /* mod_nss is used when we are a TLS/SSL server - mod_nss starts up before we do
- and will set up all of the TLS/SSL stuff */
- /* if we are acting as simply a TLS/SSL client to the directory server,
- we still have to perform our own TLS/SSL client init */
+ if(!NSS_inited){
if (ADMSSL_Init(info, (char *)configdir, 0)) {
ap_log_error(APLOG_MARK, APLOG_CRIT, 0 /* status */, NULL,
- "sslinit: NSS is required to use LDAPS, but security initialization failed [%d:%s]. Cannot start server",
+ "sslinit: NSS is required to use LDAPS, but security initialization failed [%d:%s].",
PR_GetError(), SSL_Strerror(PR_GetError()));
exit(1);
}
- } else {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0 /* status */, NULL,
- "sslinit: mod_nss has been started and initialized");
+ NSS_inited = 1;
}
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0 /* status */, NULL,
+ "sslinit: mod_nss has been started and initialized");
return 1;
}
commit 5af417033e9cf532856a105a6113825a4d20bbfa
Author: Mark Reynolds <mreynolds at redhat.com>
Date: Tue Oct 14 14:11:23 2014 -0400
Ticket 201 - nCipher HSM cannot be configured via the console
Bug Description: Attempting to add the HSM security module libcknfast.so
results in a not found error, but using modutil works.
Fix Description: First new modules must be located in the server instance
security directory (symlinks work best). The next issue
is that the admin server needs to use the absolute path
to the library in the generated modutil command.
https://fedorahosted.org/389/ticket/201
Reviewed by: nhosoi(Thanks!)
diff --git a/admserv/cgi-src40/security.c b/admserv/cgi-src40/security.c
index 3664d70..8575d56 100644
--- a/admserv/cgi-src40/security.c
+++ b/admserv/cgi-src40/security.c
@@ -1992,10 +1992,16 @@ static void moduleOperation(char* op) {
install_dir,
securitydir);
else if (!PORT_Strcmp(filetype, "dll"))
- PR_snprintf(cmd, sizeof(cmd), "%s -dbdir %s -add \"%s\" -libfile %s -force -nocertdb 2>&1",
+ /*
+ * Since console requires new modules to be located in the security dir,
+ * and be presented as just a filename(no path), we must append the
+ * securitydir to the filename as modutil needs the absolute path.
+ */
+ PR_snprintf(cmd, sizeof(cmd), "%s -dbdir %s -add \"%s\" -libfile %s/%s -force -nocertdb 2>&1",
binary,
securitydir,
dllname,
+ securitydir,
filename);
else {
commit c9b6de5743e2fd7c965a1b8e99c3942b6734aed7
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Sat Oct 4 21:53:29 2014 -0700
Ticket #47493 - Configuration Tab does not work with FIPS mode enabled
Bug Description: Admin Server CGI sec-activate retrieves attribute
values of
dn: cn=encryption,cn=configuration,cn=admin-serv-ID,cn=389 Administration
Server,cn=Server Group,cn=FQDN,ou=DOMAIN,o=NetscapeRoot
and return them to the client such as Console. The CGI sec-activate
was supposed to get the knowledge if the FIPS mode is enabled or not,
and return ciphers FIPS compliant, but the code was missing.
In this patch, the code is added to check if it is FIPS mode or not
and if it is, return just FIPS friendly ciphers in this patch.
Plus unnecessary temp buffer and copies from temp to temp_return were
removed.
https://fedorahosted.org/389/ticket/47493
Reviewed by mreynolds at redhat.com (Thank you, Mark!!)
diff --git a/admserv/cgi-src40/admpw.c b/admserv/cgi-src40/admpw.c
index e695881..1e24423 100644
--- a/admserv/cgi-src40/admpw.c
+++ b/admserv/cgi-src40/admpw.c
@@ -50,11 +50,6 @@
#include <pk11pqg.h>
#include <base64.h>
-/* NSS - for password hashing */
-#include <pk11func.h>
-#include <pk11pqg.h>
-#include <base64.h>
-
#include "libadminutil/resource.h"
#include "libadminutil/admutil.h"
#include "libadminutil/distadm.h"
diff --git a/admserv/cgi-src40/sec-activate.c b/admserv/cgi-src40/sec-activate.c
index 6ae70ed..08568ca 100644
--- a/admserv/cgi-src40/sec-activate.c
+++ b/admserv/cgi-src40/sec-activate.c
@@ -38,6 +38,10 @@
extern "C" {
#endif
+#include <string.h>
+#include "nspr.h"
+#include "pk11func.h"
+
#include "cert.h"
#include "key.h"
#include "certdb.h"
@@ -213,18 +217,46 @@ int get_cert_nickname(char *buf, size_t bufsize) {
}
return -1;
}
+
+void
+drop_non_fips(char *val)
+{
+ char *p = NULL;
+ char *endp = NULL;
+ if (!val) {
+ return;
+ }
+ p = PL_strchr(val, '+');
+ while (p) {
+ endp = PL_strchr(p, ',');
+ if (endp) {
+ *endp = '\0';
+ /* E.g., p = "+rsa_rc2_40_md5" or p = "+fips_3des_sha" */
+ if (!PL_strcasestr(p, "fips")) {
+ *p = '-';
+ }
+ *endp = ',';
+ p = PL_strchr(endp+1, '+');
+ } else {
+ break;
+ }
+ }
+}
+
/*
* int GetSSLFamilyAttributes
* Reads all LDAP entries relating to cipher family information.
* Returns return_string, a string of all information found, and
* 0 on success, -1 on failure.
*/
-int GetSSLFamilyAttributes(PsetHndl pset, char **return_string) {
-
+int
+GetSSLFamilyAttributes(PsetHndl pset, char **return_string)
+{
AttrNameList family_list;
int errorCode;
char temp_return[5000];
- char temp[1000];
+ char *tmpp = NULL;
+ size_t tmplen = 0;
char **family;
char family_attribute[1024];
@@ -233,6 +265,7 @@ int GetSSLFamilyAttributes(PsetHndl pset, char **return_string) {
char *val;
char *family_name;
+ PRBool isfips = PR_FALSE;
*return_string = NULL;
strcpy(temp_return, "");
@@ -240,11 +273,9 @@ int GetSSLFamilyAttributes(PsetHndl pset, char **return_string) {
val = psetGetAttrSingleValue(pset,
"configuration.nsServerSecurity",
&errorCode);
- if(val)
- PR_snprintf(temp, sizeof(temp), "security=%s\n", val);
- else
- PR_snprintf(temp, sizeof(temp), "security=off\n");
- PL_strcatn(temp_return, sizeof(temp_return), temp);
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "security=%s\n", val?val:"off");
if((family_list = psetGetChildren(pset, "configuration.Encryption", &errorCode))) {
@@ -276,67 +307,75 @@ int GetSSLFamilyAttributes(PsetHndl pset, char **return_string) {
family_name = strrchr(*family, '.');
family_name++;
- PR_snprintf(temp, sizeof(temp), "familyList=%s\n", family_name);
- PL_strcatn(temp_return, sizeof(temp_return), temp);
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "familyList=%s\n", family_name);
- PR_snprintf(temp, sizeof(temp), "%s-activated=%s\n", family_name, val);
- PL_strcatn(temp_return, sizeof(temp_return), temp);
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "%s-activated=%s\n", family_name, val);
- PR_snprintf(temp, sizeof(temp), "%s-token=%s\n", family_name, token);
- PL_strcatn(temp_return, sizeof(temp_return), temp);
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "%s-token=%s\n", family_name, token);
- PR_snprintf(temp, sizeof(temp), "%s-cert=%s\n", family_name, personality);
- PL_strcatn(temp_return, sizeof(temp_return), temp);
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "%s-cert=%s\n", family_name, personality);
}
}
PL_strcatn(temp_return, sizeof(temp_return), "familyList=NULL\n");
/* get cipher preferences */
+ isfips = PK11_IsFIPS();
val = NULL;
val = psetGetAttrSingleValue(pset,
"configuration.encryption.nsSSL2",
&errorCode);
- PL_strcatn(temp_return, sizeof(temp_return), "ssl2-activated=");
- if(val)
- PL_strcatn(temp_return, sizeof(temp_return), val);
- PL_strcatn(temp_return, sizeof(temp_return), "\n");
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "ssl2-activated=%s\n", val?val:"");
val = NULL;
val = psetGetAttrSingleValue(pset,
"configuration.encryption.nsSSL2Ciphers",
&errorCode);
- PL_strcatn(temp_return, sizeof(temp_return), "ssl2=");
- if(val)
- PL_strcatn(temp_return, sizeof(temp_return), val);
- PL_strcatn(temp_return, sizeof(temp_return), "\n");
+ /* If is fips, don't allow ciphers without "fips" */
+ if (isfips) {
+ drop_non_fips(val);
+ }
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "ssl2=%s\n", val?val:"");
val = NULL;
val = psetGetAttrSingleValue(pset,
"configuration.encryption.nsSSL3",
&errorCode);
- PL_strcatn(temp_return, sizeof(temp_return), "ssl3-activated=");
- if(val)
- PL_strcatn(temp_return, sizeof(temp_return), val);
- PL_strcatn(temp_return, sizeof(temp_return), "\n");
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "ssl3-activated=%s\n", val?val:"");
val = NULL;
val = psetGetAttrSingleValue(pset,
"configuration.encryption.nsSSL3Ciphers",
&errorCode);
- PL_strcatn(temp_return, sizeof(temp_return), "ssl3=");
- if(val)
- PL_strcatn(temp_return, sizeof(temp_return), val);
- PL_strcatn(temp_return, sizeof(temp_return), "\n");
+ /* If is fips, don't allow ciphers without "fips" */
+ if (isfips) {
+ drop_non_fips(val);
+ }
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "ssl3=%s\n", val?val:"");
val = NULL;
val = psetGetAttrSingleValue(pset,
"configuration.encryption.nsSSLClientAuth",
&errorCode);
- PL_strcatn(temp_return, sizeof(temp_return), "clientauth=");
- if(val)
- PL_strcatn(temp_return, sizeof(temp_return), val);
- PL_strcatn(temp_return, sizeof(temp_return), "\n");
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "clientauth=%s\n", val?val:"");
*return_string = PORT_Strdup(temp_return);
return 0;
commit d077f9a3b04998c28d0071b7656c34ca7f07e532
Author: Mark Reynolds <mreynolds at redhat.com>
Date: Mon Sep 15 12:19:12 2014 -0400
Ticket 47697 - Resource leak in lib/libdsa/dsalib_updown.c
Bug Description: Windows resource leak in StartNetscapeProgram() where
the FILE handle is not closed.
Fix Description: Close FILE handle.
https://fedorahosted.org/389/ticket/47697
Reviewed by: rmeggins(Thanks!)
diff --git a/lib/libdsa/dsalib_updown.c b/lib/libdsa/dsalib_updown.c
index 0bef3ab..f83719b 100644
--- a/lib/libdsa/dsalib_updown.c
+++ b/lib/libdsa/dsalib_updown.c
@@ -526,10 +526,9 @@ StartNetscapeProgram()
{
char line[BIG_LINE], cmd[BIG_LINE];
char *tmp = ds_get_instance_dir();
-
- CHAR ErrorString[512];
- STARTUPINFO siStartInfo;
- PROCESS_INFORMATION piProcInfo;
+ CHAR ErrorString[512];
+ STARTUPINFO siStartInfo;
+ PROCESS_INFORMATION piProcInfo;
FILE *CmdFile;
ZeroMemory(line, sizeof(line));
@@ -538,7 +537,7 @@ StartNetscapeProgram()
CmdFile = fopen(line, "r");
if (!CmdFile)
- {
+ {
PR_snprintf(ErrorString, sizeof(ErrorString), "Error:Tried to start server %s "
": Could not open the startup script %s :Error %d. Please "
"run startsrv.bat from the server's root directory.",
@@ -549,34 +548,39 @@ StartNetscapeProgram()
ZeroMemory(cmd, sizeof(cmd));
if (!fread(cmd, 1, BIG_LINE, CmdFile))
- {
+ {
PR_snprintf(ErrorString, sizeof(ErrorString), "Error:Tried to start server %s "
": Could not read the startup script %s :Error %d. Please "
"run startsrv.bat from the server's root directory.",
ds_get_server_name(), line, errno);
ds_send_error(ErrorString, 0);
+ fclose(CmdFile);
return(DS_SERVER_DOWN);
}
- ZeroMemory(&siStartInfo, sizeof(STARTUPINFO));
- siStartInfo.cb = sizeof(STARTUPINFO);
- siStartInfo.lpReserved = siStartInfo.lpReserved2 = NULL;
- siStartInfo.cbReserved2 = 0;
- siStartInfo.lpDesktop = NULL;
-
- if (!CreateProcess(NULL, cmd, NULL, NULL, FALSE,
- 0, NULL, NULL, &siStartInfo, &piProcInfo))
- {
+ /* We're done with the file handle, close it */
+ fclose(CmdFile);
+
+ ZeroMemory(&siStartInfo, sizeof(STARTUPINFO));
+ siStartInfo.cb = sizeof(STARTUPINFO);
+ siStartInfo.lpReserved = siStartInfo.lpReserved2 = NULL;
+ siStartInfo.cbReserved2 = 0;
+ siStartInfo.lpDesktop = NULL;
+
+ if (!CreateProcess(NULL, cmd, NULL, NULL, FALSE,
+ 0, NULL, NULL, &siStartInfo, &piProcInfo))
+ {
PR_snprintf(ErrorString, sizeof(ErrorString), "Error:Tried to start server %s "
": Could not start up the startup script %s :Error %d. Please "
"run startsrv.bat from the server's root directory.",
ds_get_server_name(), line, GetLastError());
ds_send_error(ErrorString, 0);
return(DS_SERVER_DOWN);
- }
+ }
+
+ CloseHandle(piProcInfo.hProcess);
+ CloseHandle(piProcInfo.hThread);
- CloseHandle(piProcInfo.hProcess);
- CloseHandle(piProcInfo.hThread);
return(DS_SERVER_UP);
}
commit 5923c77db0adeb62123e7208c8bd4695f8092e32
Author: Mark Reynolds <mreynolds at redhat.com>
Date: Wed Sep 10 17:21:53 2014 -0400
Ticket 47860 - register-ds-admin.pl problem when following steps to replicate o=netscaperoot
Bug Description: When following the documented steps the script gets stuck in
a loop when it fails to add "o=netscaperoot". It's failing
because it already exists.
Fix Description: Break out of the loop when the update operation fails.
https://fedorahosted.org/389/ticket/47860
Reviewed by: nhosoi(Thanks!)
diff --git a/admserv/newinst/src/register-ds-admin.pl.in b/admserv/newinst/src/register-ds-admin.pl.in
index cd0f745..08c7108 100644
--- a/admserv/newinst/src/register-ds-admin.pl.in
+++ b/admserv/newinst/src/register-ds-admin.pl.in
@@ -613,12 +613,14 @@ if ( ($#admConfKeys >= 0 && ($orig_confdsid ne $new_confdsid)) ||
@errs = ();
# First, let's register the Configuration Directory itself
- $setup->{inf}->{slapd}->{RootDNPwd} = $localrootpw;
+ if(!$setup->{inf}->{slapd}->{RootDNPwd}){
+ $setup->{inf}->{slapd}->{RootDNPwd} = $localrootpw;
+ }
while (!createConfigDS($setup->{inf}, \@errs))
{
foreach my $err (@errs)
{
- if ( $err eq "suffix_already_exists" )
+ if ( $err eq "suffix_already_exists" || $err eq "error_creating_suffix_backend")
{
goto out;
}
commit d675f8137534ee7f0aba2a0897e5bf0034d993e1
Author: Mark Reynolds <mreynolds at redhat.com>
Date: Wed Sep 10 09:36:50 2014 -0400
Ticket 47548 - register-ds-admin does not register into remote config ds
Bug Description: regsiter-ds-admin.pl can not register remote servers. This
means you can only administer one system with the 389-console.
Fix Description: Added ablility to register with a remote admin server, or to
register a remote server with the local configuration server.
Also added the "silent" install functionality to the script,
which was stated in the man page that it could do, but in
reality it could not. Updated man page to fully describe
how to use the silent install feature.
https://fedorahosted.org/389/ticket/47548
Reviewed by: nhosoi(Thanks!)
diff --git a/admserv/newinst/src/register-ds-admin.pl.in b/admserv/newinst/src/register-ds-admin.pl.in
index 2f92411..cd0f745 100644
--- a/admserv/newinst/src/register-ds-admin.pl.in
+++ b/admserv/newinst/src/register-ds-admin.pl.in
@@ -77,11 +77,11 @@ sub reg_get_passwd
$setup->msg(0, $key);
}
system("stty -echo");
- my $ans = <STDIN>;
More information about the Pkg-fedora-ds-maintainers
mailing list