From 7c30dbb5403772b323df3ad907d9ed15d23b5aee Mon Sep 17 00:00:00 2001
From: ludovicp <ludovicp@localhost>
Date: Thu, 29 Apr 2010 20:35:40 +0000
Subject: [PATCH] Last batch of changes for this week. This adds support for the IETF-based Password Policy for LDAP as a SubEntry. Also resolves the following issues: - 4544: initializeBackend() should not set JE env config params directly. - 4478: ECL in draft compat mode / search lastchangenumber can be very long - 4538: Virtual attributes not retrieved when entry cache configured - 4547: Search Filter Matching differs for cn=Directory Manager and plain user. - 4514: Logs show unexpected message with replication monitoring data missing (partial fix) - 4534: Replication using security does not work after server restart - 4516: SEVERE_ERROR: servers (...) have the same ServerId In addition, these changes also improve reliability and performance in various areas including CollectiveAttributes, Virtual Attributes and Subentries management, Schema loading, Replication...
---
opends/tests/staf-tests/shared/functions/security.xml | 509 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 497 insertions(+), 12 deletions(-)
diff --git a/opends/tests/staf-tests/shared/functions/security.xml b/opends/tests/staf-tests/shared/functions/security.xml
index aafce6c..b1f2178 100755
--- a/opends/tests/staf-tests/shared/functions/security.xml
+++ b/opends/tests/staf-tests/shared/functions/security.xml
@@ -23,7 +23,7 @@
!
! CDDL HEADER END
!
- ! Copyright 2007-2008 Sun Microsystems, Inc.
+ ! Copyright 2007-2010 Sun Microsystems, Inc.
! -->
<stax>
<!-- **************************************************** -->
@@ -331,6 +331,97 @@
<!-- **************************************************** -->
+ <!-- Add certificate to an attribute -->
+ <!-- **************************************************** -->
+ <function name="addCertificate">
+ <function-prolog>
+ This function add certificate to an user attribute
+ </function-prolog>
+ <function-map-args>
+ <function-arg-def name="location" type="optional" default="STAF_REMOTE_HOSTNAME">
+ <function-arg-description>
+ Location of target host
+ </function-arg-description>
+ </function-arg-def>
+ <function-arg-def name="user_cert_file_rfc" type="required" default="''">
+ <function-arg-description>
+ Path to certificate RFC file
+ </function-arg-description>
+ </function-arg-def>
+ <function-arg-def name="userdn" type="optional" default="''">
+ <function-arg-description>
+ User DN to modify
+ </function-arg-description>
+ </function-arg-def>
+ <function-arg-def name="ldif_path" type="required" default="''">
+ <function-arg-description>
+ Path to the ldif file
+ </function-arg-description>
+ </function-arg-def>
+ </function-map-args>
+ <sequence>
+
+ <call function="'getFile'">
+ {
+ 'location' : STAF_REMOTE_HOSTNAME,
+ 'filename' : user_cert_file_rfc
+ }
+ </call>
+
+ <message>
+ 'Certificate contents:\n %s' % cmdResult
+ </message>
+
+ <!-- Extract BEGIN CERTIFICATE and END CERTIFICATE -->
+ <script>
+ certList=STAXResult[1].split('\n')
+ ret_str = ""
+ for line in certList:
+ index_cert = line.find("CERTIFICATE")
+ if index_cert == -1:
+ ret_str+=line.strip()
+ </script>
+
+ <script>
+ listAttr = []
+ listAttr.append('dn: %s' %userdn)
+ listAttr.append('changetype: modify')
+ listAttr.append('add: objectclass')
+ listAttr.append('objectclass:ds-certificate-user')
+ listAttr.append('-')
+ listAttr.append('add: userCertificate;binary')
+ listAttr.append('userCertificate;binary:: %s' % ret_str)
+ </script>
+
+ <!-- Write out the ldif -->
+ <script>
+ addCertificateldif='%s' % (ldif_path)
+ outfile = open(addCertificateldif,"w")
+ for line in listAttr:
+ outfile.write("%s\n" % line)
+ outfile.close()
+ </script>
+
+ <call function="'modifyEntry'">
+ {
+ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
+ 'entryToBeModified' : addCertificateldif,
+ 'expectedRC' : 0
+ }
+ </call>
+ </sequence>
+ </function>
+
+
+
+
+
+
+
+ <!-- **************************************************** -->
<!-- get MD5 and SHA1 values -->
<!-- **************************************************** -->
<function name="getFingerprint">
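Review bot: The `getFile` call at the top of addCertificate passes `STAF_REMOTE_HOSTNAME` as `'location'` even though the function declares a `location` argument for that purpose, so a caller supplying another host is silently ignored; it should read `'location' : location`. The script that follows indexes `STAXResult[1]` without first checking that the call succeeded, so a missing or unreadable certificate file surfaces as a Python error inside the `<script>` rather than as a test failure; a result check before the parse, in whatever form the file's other `getFile` callers use, would make that explicit. The `<message>` prints `cmdResult` while the parser reads `STAXResult[1]` — if `cmdResult` is not populated by `getFile` the message shows stale output, worth confirming. Two arguments are declared `type="required"` yet carry `default="''"`, and `userdn` is optional although an empty value yields an LDIF beginning `dn: ` that the modify cannot apply; making `userdn` required and dropping the defaults on required args would line the declarations up with how the body uses them.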
@@ -445,6 +536,12 @@
</function-arg-description>
<function-arg-property name="type" value="string"/>
</function-arg-def>
+ <function-arg-def name="keystoreFile" type="optional" default="'config/keystore'">
+ <function-arg-description>
+ Keystore File
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
<function-arg-def name="keystoreType" type="optional" default="'JKS'">
<function-arg-description>
Keystore type : JKS or PKCS12
@@ -494,7 +591,7 @@
'subcommand' : 'create-key-manager-provider' ,
'objectType' : 'provider-name' ,
'objectName' : customKeyMgr ,
- 'optionsString' : '--type file-based --set enabled:true --set key-store-file:config/keystore --set key-store-pin:%s --set key-store-type:JKS' % keystorePin,
+ 'optionsString' : '--type file-based --set enabled:true --set key-store-file:%s --set key-store-pin:%s --set key-store-type:JKS' % (keystoreFile,keystorePin),
'expectedRC' : 0
}
</call>
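Review bot: The rewritten optionsString still hardcodes `--set key-store-type:JKS` while the previous hunk shows this function (assuming it is the same one, since its header is outside both hunks) accepting `keystoreType` with "JKS or PKCS12" as documented values, so a PKCS12 keystore would be registered as JKS. Passing it through keeps the type and the file consistent: `'optionsString' : '--type file-based --set enabled:true --set key-store-file:%s --set key-store-pin:%s --set key-store-type:%s' % (keystoreFile,keystorePin,keystoreType),`. The same hardcoded `key-store-type:JKS` appears in the new create-key-manager-provider call of the hunk at `@@ -666,8 +775,24 @@`. The enclosing function starts and ends outside this hunk.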
@@ -643,6 +740,18 @@
</function-arg-description>
<function-arg-property name="type" value="string"/>
</function-arg-def>
+ <function-arg-def name="keystoreFile" type="optional" default="'config/keystore'">
+ <function-arg-description>
+ Keystore file path
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ <function-arg-def name="customKeyMgr" type="optional" default="''">
+ <function-arg-description>
+ Name for a new key manager
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
<function-arg-def name="certAlias" type="optional" default="'server-cert'">
<function-arg-description>
Alias certificate
@@ -666,8 +775,24 @@
<message>
'Configure Key Manager Provider'
</message>
-
- <call function="'dsconfig'">
+
+ <if expr="len(customKeyMgr.strip()) != 0">
+ <call function="'dsconfig'">
+ { 'location' : location ,
+ 'dsPath' : dsPath ,
+ 'dsInstanceHost' : dsInstanceHost ,
+ 'dsInstanceAdminPort' : dsInstanceAdminPort ,
+ 'dsInstanceDn' : dsInstanceDn ,
+ 'dsInstancePswd' : dsInstancePswd ,
+ 'subcommand' : 'create-key-manager-provider' ,
+ 'objectType' : 'provider-name' ,
+ 'objectName' : customKeyMgr ,
+ 'optionsString' : '--type file-based --set enabled:true --set key-store-file:%s --set key-store-pin:%s --set key-store-type:JKS' % (keystoreFile,keystorePin),
+ 'expectedRC' : 0
+ }
+ </call>
+ <else>
+ <call function="'dsconfig'">
{ 'location' : location,
'dsPath' : dsPath,
'dsInstanceHost' : dsInstanceHost,
@@ -677,10 +802,12 @@
'subcommand' : 'set-key-manager-provider-prop',
'objectType' : 'provider-name',
'objectName' : keystoreType,
- 'optionsString' : '--set key-store-file:config/keystore --reset key-store-pin-file --set key-store-pin:%s --set enabled:true' % keystorePin,
+ 'optionsString' : '--set key-store-file:%s --reset key-store-pin-file --set key-store-pin:%s --set enabled:true' % (keystoreFile,keystorePin),
'expectedRC' : 0
}
- </call>
+ </call>
+ </else>
+ </if>
<!--- configure Trust Manager Provider -->
<message>
@@ -711,9 +838,12 @@
<script>
option1='--set ssl-cert-nickname:%s' % certAlias
option2='--set trust-manager-provider:"Blind Trust" '
- option3='--set key-manager-provider:"%s"' % (keystoreType)
- option4='--set allow-start-tls:true'
- optionsString='%s %s %s %s' % (option1,option2,option3,option4)
+ if customKeyMgr:
+ option3='--set key-manager-provider:"%s"' % (customKeyMgr)
+ else:
+ option3='--set key-manager-provider:"%s"' % (keystoreType)
+ option4='--set allow-start-tls:true'
+ optionsString='%s %s %s %s' % (option1,option2,option3,option4)
</script>
<call function="'dsconfig'">
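Review bot: The branch selection in this script uses `if customKeyMgr:` while the create/set decision earlier in the same function (hunk at `@@ -666,8 +775,24 @@`) uses `len(customKeyMgr.strip()) != 0`; a whitespace-only value therefore takes the `set-key-manager-provider-prop` path for `keystoreType` there, yet here sets `key-manager-provider` to the blank string, pointing the connection handler at a provider that was never configured. Use one predicate in both places, for example `if customKeyMgr.strip():`. The enclosing function starts outside this hunk.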
@@ -734,6 +864,322 @@
</function>
+ <!-- ################################################## -->
+ <!-- configure SASL-->
+ <!-- ################################################## -->
+ <function name="configureSASL">
+ <function-prolog>
+ This function makes the configuration changes for SASL
+ </function-prolog>
+ <function-map-args>
+ <function-arg-def name="location" type="optional" default="STAF_REMOTE_HOSTNAME">
+ <function-arg-description>
+ Location of target host
+ </function-arg-description>
+ <function-arg-property name="type" value="hostname"/>
+ </function-arg-def>
+ <function-arg-def name="dsPath" type="optional" default="'%s/%s' % (DIRECTORY_INSTANCE_DIR,OPENDSNAME)">
+ <function-arg-description>
+ Pathname to installation root
+ </function-arg-description>
+ <function-arg-property name="type" value="filepath"/>
+ </function-arg-def>
+ <function-arg-def name="dsInstanceHost" type="optional">
+ <function-arg-description>
+ Directory server hostname or IP address
+ </function-arg-description>
+ <function-arg-property name="type" value="hostname"/>
+ </function-arg-def>
+ <function-arg-def name="dsInstanceAdminPort" type="optional" default="'%s' % DIRECTORY_INSTANCE_ADMIN_PORT">
+ <function-arg-description>
+ Directory server admin port number
+ </function-arg-description>
+ <function-arg-property name="type" value="Port number"/>
+ </function-arg-def>
+ <function-arg-def name="dsInstanceDn" type="optional">
+ <function-arg-description>
+ Bind DN
+ </function-arg-description>
+ </function-arg-def>
+ <function-arg-def name="certAlias" type="optional" default="''">
+ <function-arg-description>
+ Alias certificate
+ </function-arg-description>
+ <function-arg-property name="type" value="DN"/>
+ </function-arg-def>
+ <function-arg-def name="dsInstancePswd" type="optional">
+ <function-arg-description>
+ Bind password
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ <function-arg-def name="keystoreFile" type="optional" default="'config/keystore'">
+ <function-arg-description>
+ Keystore File
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ <function-arg-def name="keystorePin" type="optional" default="'keystorepass'">
+ <function-arg-description>
+ Keystore pin
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ <function-arg-def name="keystoreType" type="optional" default="'JKS'">
+ <function-arg-description>
+ Keystore type : JKS or PKCS12
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ <function-arg-def name="createTrustMgr" type="optional" default="False">
+ <function-arg-description>
+ Create or enable custom key Manager.
+ </function-arg-description>
+ <function-arg-property name="type" value="enum">
+ <function-arg-property-description>
+ This argument can only have boolean values
+ </function-arg-property-description>
+ <function-arg-property-data type="choice" value="True"/>
+ <function-arg-property-data type="choice" value="False"/>
+ </function-arg-property>
+ </function-arg-def>
+ <function-arg-def name="createKeyMgr" type="optional" default="False">
+ <function-arg-description>
+ Create or enable custom key Manager.
+ </function-arg-description>
+ <function-arg-property name="type" value="enum">
+ <function-arg-property-description>
+ This argument can only have boolean values
+ </function-arg-property-description>
+ <function-arg-property-data type="choice" value="True"/>
+ <function-arg-property-data type="choice" value="False"/>
+ </function-arg-property>
+ </function-arg-def>
+ <function-arg-def name="KeyMgr" type="optional" default="''">
+ <function-arg-description>
+ Name for a new key manager
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ <function-arg-def name="trustMgr" type="optional" default="''">
+ <function-arg-description>
+ Name for a new trust manager
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ <function-arg-def name="truststoreFile" type="optional" default="'config/truststore'">
+ <function-arg-description>
+ Truststore File
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ <function-arg-def name="truststoreType" type="optional" default="'JKS'">
+ <function-arg-description>
+ Truststore type : JKS or PKCS12
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ <function-arg-def name="truststorePin" type="optional" default="'truststorepass'">
+ <function-arg-description>
+ Truststore pin
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ <function-arg-def name="certMapper" type="optional" default="'Subject Equals DN'">
+ <function-arg-description>
+ Certificate mapper name
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ <function-arg-def name="handlerName" type="optional" default="'EXTERNAL'">
+ <function-arg-description>
+ SASL mechanism handler name
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ <function-arg-def name="optionSaSL" type="optional" default="''">
+ <function-arg-description>
+ SASL mechanism handler options
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ <function-arg-def name="optionMapper" type="optional" default="''">
+ <function-arg-description>
+ Mapping options
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ <function-arg-def name="extraParams" type="optional">
+ <function-arg-description>
+ Optional extra parameters for specific test cases
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
+ </function-map-args>
+
+ <sequence>
+
+ <!--- configure Key Manager Provider -->
+ <message>
+ 'Configure Key Manager Provider'
+ </message>
+
+ <if expr="createKeyMgr == True">
+ <call function="'dsconfig'">
+ { 'location' : location ,
+ 'dsPath' : dsPath ,
+ 'dsInstanceHost' : dsInstanceHost ,
+ 'dsInstanceAdminPort' : dsInstanceAdminPort ,
+ 'dsInstanceDn' : dsInstanceDn ,
+ 'dsInstancePswd' : dsInstancePswd ,
+ 'subcommand' : 'create-key-manager-provider' ,
+ 'objectType' : 'provider-name' ,
+ 'objectName' : KeyMgr ,
+ 'optionsString' : '--set key-store-file:%s --set key-store-pin:%s --set key-store-type:%s --type file-based --set enabled:true --no-prompt ' % (keystoreFile,keystorePin,truststoreType),
+ 'expectedRC' : 0
+ }
+ </call>
+ <else>
+ <call function="'dsconfig'">
+ { 'location' : location ,
+ 'dsPath' : dsPath ,
+ 'dsInstanceHost' : dsInstanceHost ,
+ 'dsInstanceAdminPort' : dsInstanceAdminPort ,
+ 'dsInstanceDn' : dsInstanceDn ,
+ 'dsInstancePswd' : dsInstancePswd ,
+ 'subcommand' : 'set-key-manager-provider-prop' ,
+ 'objectType' : 'provider-name' ,
+ 'objectName' : KeyMgr,
+ 'optionsString' : '--set key-store-file:%s --reset key-store-pin-file --set key-store-pin:%s --set enabled:true' % (keystoreFile,keystorePin),
+ 'expectedRC' : 0
+ }
+ </call>
+ </else>
+ </if>
+
+ <!--- configure Trust Manager Provider -->
+ <message>
+ 'Configure Trust Manager Provider'
+ </message>
+
+ <if expr="len(trustMgr.strip()) != 0">
+ <if expr="createTrustMgr == True">
+ <call function="'dsconfig'">
+ { 'location' : location ,
+ 'dsPath' : dsPath ,
+ 'dsInstanceHost' : dsInstanceHost ,
+ 'dsInstanceAdminPort' : dsInstanceAdminPort ,
+ 'dsInstanceDn' : dsInstanceDn ,
+ 'dsInstancePswd' : dsInstancePswd ,
+ 'subcommand' : 'create-trust-manager-provider' ,
+ 'objectType' : 'provider-name' ,
+ 'objectName' : trustMgr ,
+ 'optionsString' : '--set trust-store-file:%s --set trust-store-pin:%s --type file-based --set trust-store-type:%s --set enabled:true ' %(truststoreFile,truststorePin,truststoreType),
+ 'expectedRC' : 0
+ }
+ </call>
+ <else>
+ <call function="'dsconfig'">
+ { 'location' : location ,
+ 'dsPath' : dsPath ,
+ 'dsInstanceHost' : dsInstanceHost ,
+ 'dsInstanceAdminPort' : dsInstanceAdminPort ,
+ 'dsInstanceDn' : dsInstanceDn ,
+ 'dsInstancePswd' : dsInstancePswd ,
+ 'subcommand' : 'set-trust-manager-provider-prop' ,
+ 'objectType' : 'provider-name' ,
+ 'objectName' : trustMgr ,
+ 'optionsString' : '--set trust-store-file:%s --set trust-store-pin:%s --set enabled:true' %(truststoreFile,truststorePin),
+ 'expectedRC' : 0
+ }
+ </call>
+ </else>
+ </if>
+ <else>
+ <call function="'dsconfig'">
+ { 'location' : location ,
+ 'dsPath' : dsPath ,
+ 'dsInstanceHost' : dsInstanceHost ,
+ 'dsInstanceAdminPort' : dsInstanceAdminPort ,
+ 'dsInstanceDn' : dsInstanceDn ,
+ 'dsInstancePswd' : dsInstancePswd ,
+ 'subcommand' : 'set-trust-manager-provider-prop' ,
+ 'objectType' : 'provider-name' ,
+ 'objectName' : 'Blind Trust',
+ 'optionsString' : '--set enabled:true' ,
+ 'expectedRC' : 0
+ }
+ </call>
+ </else>
+ </if>
+
+
+ <!--- Enable LDAPS Connection Handler -->
+ <message>
+ 'Enabling LDAPS Connection Handler - Keystore type'
+ </message>
+
+ <script>
+ option1='--set ssl-cert-nickname:%s' % certAlias
+ if trustMgr:
+ option2='--set trust-manager-provider:"%s"' % (trustMgr)
+ else:
+ option2='--set trust-manager-provider:"Blind Trust"'
+ option3='--set key-manager-provider:"%s"' % (KeyMgr)
+ option4='--set listen-port:%s' % DIRECTORY_INSTANCE_SSL_PORT
+ option5='--set enabled:true --set use-ssl:true --set ssl-client-auth-policy:required'
+ optionsString='%s %s %s %s %s' % (option1,option2,option3,option4,option5)
+ </script>
+
+ <call function="'dsconfig'">
+ { 'location' : location ,
+ 'dsPath' : dsPath ,
+ 'dsInstanceHost' : dsInstanceHost ,
+ 'dsInstanceAdminPort' : dsInstanceAdminPort ,
+ 'dsInstanceDn' : dsInstanceDn ,
+ 'dsInstancePswd' : dsInstancePswd ,
+ 'subcommand' : 'set-connection-handler-prop',
+ 'objectType' : 'handler-name' ,
+ 'objectName' : 'LDAPS Connection Handler',
+ 'optionsString' : optionsString,
+ 'expectedRC' : 0
+ }
+ </call>
+
+ <!--- Setting the mapper -->
+ <call function="'dsconfig'">
+ { 'location' : location ,
+ 'dsPath' : dsPath ,
+ 'dsInstanceHost' : dsInstanceHost ,
+ 'dsInstanceAdminPort' : dsInstanceAdminPort ,
+ 'dsInstanceDn' : dsInstanceDn ,
+ 'dsInstancePswd' : dsInstancePswd ,
+ 'subcommand' : 'set-certificate-mapper-prop',
+ 'objectType' : 'mapper-name' ,
+ 'objectName' : certMapper,
+ 'optionsString' : '--set enabled:true --no-prompt %s'%optionMapper,
+ 'expectedRC' : 0
+ }
+ </call>
+
+ <!--- Setting the sasl mechanism -->
+ <call function="'dsconfig'">
+ { 'location' : location ,
+ 'dsPath' : dsPath ,
+ 'dsInstanceHost' : dsInstanceHost ,
+ 'dsInstanceAdminPort' : dsInstanceAdminPort ,
+ 'dsInstanceDn' : dsInstanceDn ,
+ 'dsInstancePswd' : dsInstancePswd ,
+ 'subcommand' : 'set-sasl-mechanism-handler-prop',
+ 'objectType' : 'handler-name' ,
+ 'objectName' : handlerName,
+ 'optionsString' : '--set certificate-mapper:"%s" --set enabled:true --no-prompt %s'%(certMapper,optionSaSL),
+ 'expectedRC' : 0
+ }
+ </call>
+ </sequence>
+ </function>
+
<!-- ################################################## -->
<!-- configure SSL and TLS -->
<!-- ################################################## -->
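Review bot: The create-key-manager-provider call in configureSASL formats `--set key-store-type:%s` with `truststoreType` instead of `keystoreType`, so a PKCS12 keystore paired with a JKS truststore (or the reverse) is registered with the wrong type; the tuple should be `(keystoreFile,keystorePin,keystoreType)`, which also gives the otherwise-unused `keystoreType` argument its purpose. In the else branch the `set-key-manager-provider-prop` call targets `KeyMgr`, whose default is `''`, so calling the function with `createKeyMgr` left False and no `KeyMgr` issues dsconfig against an empty provider name — configureSSL falls back to `keystoreType` as the provider name in that case, and this function presumably should too. The `createTrustMgr` description is a copy of the `createKeyMgr` one; it should read `Create or enable custom trust Manager.`.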
@@ -1129,6 +1575,12 @@
</function-arg-description>
<function-arg-property name="type" value="string"/>
</function-arg-def>
+ <function-arg-def name="customKeyMgr" type="optional" default="''">
+ <function-arg-description>
+ Name for the key manager
+ </function-arg-description>
+ <function-arg-property name="type" value="string"/>
+ </function-arg-def>
<function-arg-def name="keystoreType" type="optional" default="'JKS'">
<function-arg-description>
Keystore type : JKS or PKCS12
@@ -1162,6 +1614,21 @@
'expectedRC' : 0
}
</call>
+
+ <call function="'dsconfig'">
+ { 'location' : location,
+ 'dsPath' : dsPath ,
+ 'dsInstanceHost' : dsInstanceHost,
+ 'dsInstanceAdminPort' : dsInstanceAdminPort ,
+ 'dsInstanceDn' : dsInstanceDn ,
+ 'dsInstancePswd' : dsInstancePswd ,
+ 'subcommand' : 'set-connection-handler-prop' ,
+ 'objectType' : 'handler-name' ,
+ 'objectName' : 'LDAP Connection Handler',
+ 'optionsString' : '--reset key-manager-provider --reset trust-manager-provider --reset ssl-cert-nickname',
+ 'expectedRC' : 0
+ }
+ </call>
<!--- Disable SSL Trust Manager Provider -->
<message>
@@ -1186,8 +1653,23 @@
<message>
'Disabling Key Manager Provider'
</message>
-
- <call function="'dsconfig'">
+
+ <if expr="len(customKeyMgr.strip()) != 0">
+ <call function="'dsconfig'">
+ { 'location' : location ,
+ 'dsPath' : dsPath ,
+ 'dsInstanceHost' : dsInstanceHost ,
+ 'dsInstanceAdminPort' : dsInstanceAdminPort ,
+ 'dsInstanceDn' : dsInstanceDn ,
+ 'dsInstancePswd' : dsInstancePswd ,
+ 'subcommand' : 'delete-key-manager-provider' ,
+ 'objectType' : 'provider-name' ,
+ 'objectName' : customKeyMgr ,
+ 'expectedRC' : 0
+ }
+ </call>
+ <else>
+ <call function="'dsconfig'">
{ 'location' : location,
'dsPath' : dsPath,
'dsInstanceHost' : dsInstanceHost,
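Review bot: The new `delete-key-manager-provider` branch expects RC 0, but the hunk at `@@ -1162,6 +1614,21 @@` only resets the key-manager reference on the LDAP Connection Handler; if the LDAPS Connection Handler configured by configureSSL still references `customKeyMgr` at this point, dsconfig may refuse the delete, which I cannot confirm from the visible lines. Either reset that handler's `key-manager-provider` before deleting, or document in a comment such as `<!-- requires every connection handler referencing customKeyMgr to be reset first -->` why it is already safe. The enclosing function starts outside this hunk.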
@@ -1200,7 +1682,10 @@
'optionsString' : '--set enabled:false',
'expectedRC' : 0
}
- </call>
+ </call>
+ </else>
+ </if>
+
</sequence>
</function>