path: root/phosphor-ldap-config/ldap_configuration.cpp
authorNagaraju Goruganti <ngorugan@in.ibm.com>2018-11-08 03:13:38 -0600
committerBrad Bishop <bradleyb@fuzziesquirrel.com>2018-11-19 21:37:57 -0500
commit3b4d06a1812566d4095524f2242e272e0b9f449f (patch)
treeee0ab69d90b48a2a67251019fb6c39eab1d21719 /phosphor-ldap-config/ldap_configuration.cpp
parentd514e5dc3de8dcd305328783ae11ee8e56b27d9a (diff)
downloadphosphor-user-manager-3b4d06a1812566d4095524f2242e272e0b9f449f.tar.gz
phosphor-user-manager-3b4d06a1812566d4095524f2242e272e0b9f449f.zip
phosphor-ldap-conf: update nslcd.conf file with tls_cacertfile info
tls_cacertfile specifies the path to the X.509 certificate for peer authentication. Also updated the file with "tls_reqcert hard", to force the behavior: if no certificate is provided, or a bad certificate is provided, the session is immediately terminated. Tested: tested using below given commands 1.curl -c cjar -b cjar -k -H "Content-Type: application/json" -X POST -d \ '{"data":[true,"ldaps://<host_ip>/","cn=<user-id>,dc=Corp,dc=ibm,dc=com",\ "cn=Users,dc=Corp,dc=ibm,dc=com", "<password>",\ "xyz.openbmc_project.User.Ldap.Create.SearchScope.sub",\ "xyz.openbmc_project.User.Ldap.Create.Type.ActiveDirectory"] \ }' https://$BMC_IP//xyz/openbmc_project/user/ldap/action/CreateConfig 2.curl -b cjar -k -H "Content-Type: application/json" -X PUT -d '{"data":true}'\ https://$BMC_IP/xyz/openbmc_project/user/ldap/config/attr/SecureLDAP 3.curl -b cjar -k -H "Content-Type: application/json" -X PUT -d \ '{"data":"ldap://<host_ip>/"}' \ https://$BMC_IP/xyz/openbmc_project/ldap/config/attr/LDAPServerURI when "/etc/ssl/certs/Root-CA.pem" doesn't exist on target, we get below given exception(if we try to set SecureLDAP is true): "DBusException: xyz.openbmc_project.Common.Error.NoCACertificate: \ Server's CA certificate has not been provided." Change-Id: I56ffe8b08bb71307b4f2bfe9cf935b6113e4579a Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com> Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com> Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Diffstat (limited to 'phosphor-ldap-config/ldap_configuration.cpp')
-rw-r--r--phosphor-ldap-config/ldap_configuration.cpp41
1 files changed, 33 insertions, 8 deletions
diff --git a/phosphor-ldap-config/ldap_configuration.cpp b/phosphor-ldap-config/ldap_configuration.cpp
index 31e4e75..be6c1cc 100644
--- a/phosphor-ldap-config/ldap_configuration.cpp
+++ b/phosphor-ldap-config/ldap_configuration.cpp
@@ -24,13 +24,13 @@ using Val = std::string;
using ConfigInfo = std::map<Key, Val>;
Config::Config(sdbusplus::bus::bus& bus, const char* path, const char* filePath,
- bool secureLDAP, std::string lDAPServerURI,
- std::string lDAPBindDN, std::string lDAPBaseDN,
- std::string&& lDAPBindDNPassword,
+ const char* caCertFile, bool secureLDAP,
+ std::string lDAPServerURI, std::string lDAPBindDN,
+ std::string lDAPBaseDN, std::string&& lDAPBindDNPassword,
ldap_base::Config::SearchScope lDAPSearchScope,
ldap_base::Config::Type lDAPType, ConfigMgr& parent) :
ConfigIface(bus, path, true),
- secureLDAP(secureLDAP), configFilePath(filePath),
+ secureLDAP(secureLDAP), configFilePath(filePath), tlsCacertFile(caCertFile),
lDAPBindDNPassword(std::move(lDAPBindDNPassword)), bus(bus), parent(parent)
{
ConfigIface::lDAPServerURI(lDAPServerURI);
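Review bot: The new `caCertFile` parameter is a `const char*` whose only use is to be copied into the `tlsCacertFile` std::string member, while the neighbouring `lDAPServerURI`/`lDAPBindDN`/`lDAPBaseDN` arguments on the lines below are already passed as `std::string`. Taking it the same way, `std::string caCertFile` and `tlsCacertFile(std::move(caCertFile))`, keeps the signature consistent and removes the null-pointer hazard a raw `const char*` carries (the caller currently hands over `tlsCacertFile.c_str()` only for it to be re-wrapped here). A one-line comment on the parameter, `// path to the CA bundle nslcd verifies the server certificate against`, would also help since the member name is not self-explaining. The constructor body continues past the end of this hunk.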
@@ -106,8 +106,8 @@ void Config::writeConfig()
if (secureLDAP == true)
{
confData << "ssl on\n";
- confData << "tls_reqcert allow\n";
- confData << "tls_cert /etc/nslcd/certs/cert.pem\n";
+ confData << "tls_reqcert hard\n";
+ confData << "tls_cacertFile " << tlsCacertFile.c_str() << "\n";
}
else
{
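Review bot: The option keyword is emitted as `tls_cacertFile` with a capital F, whereas nslcd.conf(5) and the commit message itself spell it `tls_cacertfile`; if the nslcd build in use matches keywords case-sensitively this line is rejected and, combined with `tls_reqcert hard` on the line above, nslcd would have no trust anchor and every secure lookup would fail (fail-closed, but an outage). The safer line is `confData << "tls_cacertfile " << tlsCacertFile << "\n";`, which also drops the redundant `.c_str()` on a std::string. It is worth a comment that `tls_reqcert hard` is deliberate: a missing or invalid server certificate terminates the session rather than falling back to an unauthenticated connection. writeConfig's body starts before and continues after this hunk.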
@@ -192,6 +192,13 @@ std::string Config::lDAPServerURI(std::string value)
elog<InvalidArgument>(Argument::ARGUMENT_NAME("lDAPServerURI"),
Argument::ARGUMENT_VALUE(value.c_str()));
}
+
+ if (secureLDAP && !fs::exists(tlsCacertFile.c_str()))
+ {
+ log<level::ERR>("LDAP server's CA certificate not provided",
+ entry("TLSCACERTFILE=%s", tlsCacertFile.c_str()));
+ elog<NoCACertificate>();
+ }
val = ConfigIface::lDAPServerURI(value);
writeConfig();
parent.restartService(nslcdService);
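Review bot: `fs::exists` treats a directory, socket or empty file as a present CA certificate, and it throws `filesystem_error` when the underlying stat fails for any reason other than ENOENT (for example EACCES on a parent directory); that exception would fall through to the generic `std::exception` handler further down instead of surfacing as NoCACertificate. Prefer the non-throwing overload and require a regular file: `std::error_code ec; if (secureLDAP && !fs::is_regular_file(tlsCacertFile, ec))`. Presence at set time is also no guarantee the file is still there, or readable by whichever user nslcd runs as, when `restartService` brings nslcd back up, so a short comment noting that `tls_reqcert hard` makes that case fail closed would be useful. The lDAPServerURI setter starts before and ends after this hunk.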
@@ -204,6 +211,10 @@ std::string Config::lDAPServerURI(std::string value)
{
throw;
}
+ catch (const NoCACertificate& e)
+ {
+ throw;
+ }
catch (const std::exception& e)
{
log<level::ERR>(e.what());
@@ -405,6 +416,13 @@ std::string
Argument::ARGUMENT_VALUE(lDAPServerURI.c_str()));
}
+ if (secureLDAP && !fs::exists(tlsCacertFile.c_str()))
+ {
+ log<level::ERR>("LDAP server's CA certificate not provided",
+ entry("TLSCACERTFILE=%s", tlsCacertFile.c_str()));
+ elog<NoCACertificate>();
+ }
+
if (lDAPBindDN.empty())
{
log<level::ERR>("Not a valid LDAP BINDDN",
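Review bot: This is the second verbatim copy of the CA-certificate check (the lDAPServerURI setter in Config carries the same five lines), and the two sites will drift the first time one of them is tightened, e.g. from `exists()` to `is_regular_file()`. Factoring it into a file-local helper, `static void checkCACertificate(bool secureLDAP, const std::string& caFile);`, that logs and raises NoCACertificate keeps a single definition of what "CA certificate provided" means for both Config and ConfigMgr. The helper also deserves the comment that this check is what backs `tls_reqcert hard` in the generated nslcd.conf. createConfig's body begins before this hunk.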
@@ -438,8 +456,9 @@ std::string
auto objPath = std::string(LDAP_CONFIG_DBUS_OBJ_PATH);
configPtr = std::make_unique<Config>(
- bus, objPath.c_str(), configFilePath.c_str(), secureLDAP, lDAPServerURI,
- lDAPBindDN, lDAPBaseDN, std::move(lDAPBindDNPassword),
+ bus, objPath.c_str(), configFilePath.c_str(), tlsCacertFile.c_str(),
+ secureLDAP, lDAPServerURI, lDAPBindDN, lDAPBaseDN,
+ std::move(lDAPBindDNPassword),
static_cast<ldap_base::Config::SearchScope>(lDAPSearchScope),
static_cast<ldap_base::Config::Type>(lDAPType), *this);
@@ -571,6 +590,12 @@ void ConfigMgr::restore(const char* filePath)
// object upon finding empty values in config, as
// this can be a default config.
}
+ catch (const NoCACertificate& e)
+ {
+ // Don't throw - we don't want to create a D-Bus
+ // object upon finding "ssl on" without having tls_cacertFile in place,
+ // as this can be a default config.
+ }
catch (const InternalFailure& e)
{
throw;
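Review bot: Swallowing NoCACertificate here is silent: a saved config that says `ssl on` together with a server URI is not the empty default the InvalidArgument handler above is written for, it is a previously working secure setup whose CA file has since gone missing, and an operator gets no signal that LDAP login was not restored. Keep the no-throw behaviour but log it, `log<level::ERR>("Not restoring LDAP config: CA certificate missing", entry("TLSCACERTFILE=%s", tlsCacertFile.c_str()));`, and adjust the comment to say the config was deliberately skipped rather than implying it is a default. Whether tlsCacertFile is in scope in restore() is not visible in this hunk, so confirm the member name. restore's body starts before this hunk.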