summaryrefslogtreecommitdiffstats
path: root/phosphor-ldap-config/ldap_configuration.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'phosphor-ldap-config/ldap_configuration.cpp')
-rw-r--r--phosphor-ldap-config/ldap_configuration.cpp41
1 files changed, 33 insertions, 8 deletions
diff --git a/phosphor-ldap-config/ldap_configuration.cpp b/phosphor-ldap-config/ldap_configuration.cpp
index 31e4e75..be6c1cc 100644
--- a/phosphor-ldap-config/ldap_configuration.cpp
+++ b/phosphor-ldap-config/ldap_configuration.cpp
@@ -24,13 +24,13 @@ using Val = std::string;
using ConfigInfo = std::map<Key, Val>;
Config::Config(sdbusplus::bus::bus& bus, const char* path, const char* filePath,
- bool secureLDAP, std::string lDAPServerURI,
- std::string lDAPBindDN, std::string lDAPBaseDN,
- std::string&& lDAPBindDNPassword,
+ const char* caCertFile, bool secureLDAP,
+ std::string lDAPServerURI, std::string lDAPBindDN,
+ std::string lDAPBaseDN, std::string&& lDAPBindDNPassword,
ldap_base::Config::SearchScope lDAPSearchScope,
ldap_base::Config::Type lDAPType, ConfigMgr& parent) :
ConfigIface(bus, path, true),
- secureLDAP(secureLDAP), configFilePath(filePath),
+ secureLDAP(secureLDAP), configFilePath(filePath), tlsCacertFile(caCertFile),
lDAPBindDNPassword(std::move(lDAPBindDNPassword)), bus(bus), parent(parent)
{
ConfigIface::lDAPServerURI(lDAPServerURI);
@@ -106,8 +106,8 @@ void Config::writeConfig()
if (secureLDAP == true)
{
confData << "ssl on\n";
- confData << "tls_reqcert allow\n";
- confData << "tls_cert /etc/nslcd/certs/cert.pem\n";
+ confData << "tls_reqcert hard\n";
+ confData << "tls_cacertFile " << tlsCacertFile.c_str() << "\n";
}
else
{
@@ -192,6 +192,13 @@ std::string Config::lDAPServerURI(std::string value)
elog<InvalidArgument>(Argument::ARGUMENT_NAME("lDAPServerURI"),
Argument::ARGUMENT_VALUE(value.c_str()));
}
+
+ if (secureLDAP && !fs::exists(tlsCacertFile.c_str()))
+ {
+ log<level::ERR>("LDAP server's CA certificate not provided",
+ entry("TLSCACERTFILE=%s", tlsCacertFile.c_str()));
+ elog<NoCACertificate>();
+ }
val = ConfigIface::lDAPServerURI(value);
writeConfig();
parent.restartService(nslcdService);
@@ -204,6 +211,10 @@ std::string Config::lDAPServerURI(std::string value)
{
throw;
}
+ catch (const NoCACertificate& e)
+ {
+ throw;
+ }
catch (const std::exception& e)
{
log<level::ERR>(e.what());
@@ -405,6 +416,13 @@ std::string
Argument::ARGUMENT_VALUE(lDAPServerURI.c_str()));
}
+ if (secureLDAP && !fs::exists(tlsCacertFile.c_str()))
+ {
+ log<level::ERR>("LDAP server's CA certificate not provided",
+ entry("TLSCACERTFILE=%s", tlsCacertFile.c_str()));
+ elog<NoCACertificate>();
+ }
+
if (lDAPBindDN.empty())
{
log<level::ERR>("Not a valid LDAP BINDDN",
@@ -438,8 +456,9 @@ std::string
auto objPath = std::string(LDAP_CONFIG_DBUS_OBJ_PATH);
configPtr = std::make_unique<Config>(
- bus, objPath.c_str(), configFilePath.c_str(), secureLDAP, lDAPServerURI,
- lDAPBindDN, lDAPBaseDN, std::move(lDAPBindDNPassword),
+ bus, objPath.c_str(), configFilePath.c_str(), tlsCacertFile.c_str(),
+ secureLDAP, lDAPServerURI, lDAPBindDN, lDAPBaseDN,
+ std::move(lDAPBindDNPassword),
static_cast<ldap_base::Config::SearchScope>(lDAPSearchScope),
static_cast<ldap_base::Config::Type>(lDAPType), *this);
@@ -571,6 +590,12 @@ void ConfigMgr::restore(const char* filePath)
// object upon finding empty values in config, as
// this can be a default config.
}
+ catch (const NoCACertificate& e)
+ {
+ // Don't throw - we don't want to create a D-Bus
+ // object upon finding "ssl on" without having tls_cacertFile in place,
+ // as this can be a default config.
+ }
catch (const InternalFailure& e)
{
throw;
OpenPOWER on IntegriCloud