[Fedora-directory-commits] ldapserver/ldap/servers/slapd main.c, 1.7, 1.8

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Thu Nov 17 17:41:19 UTC 2005


Author: rmeggins

Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17610/ldapserver/ldap/servers/slapd

Modified Files:
	main.c 
Log Message:
The DS console Configuration Encryption tab was giving an error.  The error was due to the security CGI not being able to read the ds key/cert db files.  They were owned by root instead of the server uid because they were being created by NSS_Initialize which was being called before the server did the setuid.
The fix is to move the NSS/SSL initialization code to just after the setuid call.



Index: main.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/main.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- main.c	19 Apr 2005 22:07:36 -0000	1.7
+++ main.c	17 Nov 2005 17:41:11 -0000	1.8
@@ -818,35 +818,6 @@
 	set_entry_points();
 
 	/*
-	 * Initialise NSS once for the whole slapd process, whether SSL
-	 * is enabled or not. We use NSS for random number generation and
-	 * other things even if we are not going to accept SSL connections.
-	 * We also need NSS for attribute encryption/decryption on import and export.
-	 */
-	init_ssl = ( (slapd_exemode == SLAPD_EXEMODE_SLAPD) || importexport_encrypt) 
-				&& config_get_security()
-				&& (0 != s_port) && (s_port <= LDAP_PORT_MAX);
-	/* As of DS 6.1, always do a full initialization so that other
-	 * modules can assume NSS is available
-     */
-	if ( slapd_nss_init((slapd_exemode == SLAPD_EXEMODE_SLAPD),
-			(slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {
-		 LDAPDebug(LDAP_DEBUG_ANY,
-					"ERROR: NSS Initialization Failed.\n", 0, 0, 0);
-		 exit (1);
-	}
-
-	if (slapd_exemode == SLAPD_EXEMODE_SLAPD) {
-		client_auth_init();
-	}
-
-	if ( init_ssl && ( 0 != slapd_ssl_init())) {
-		LDAPDebug(LDAP_DEBUG_ANY,
-					"ERROR: SSL Initialization Failed.\n", 0, 0, 0 );
-		exit( 1 );
-	}
-
-	/*
 	 * if we were called upon to do special database stuff, do it and be
 	 * done.
 	 */
@@ -1006,6 +977,34 @@
 	}
 #endif
 
+	/*
+	 * Initialise NSS once for the whole slapd process, whether SSL
+	 * is enabled or not. We use NSS for random number generation and
+	 * other things even if we are not going to accept SSL connections.
+	 * We also need NSS for attribute encryption/decryption on import and export.
+	 */
+	init_ssl = ( (slapd_exemode == SLAPD_EXEMODE_SLAPD) || importexport_encrypt) 
+				&& config_get_security()
+				&& (0 != s_port) && (s_port <= LDAP_PORT_MAX);
+	/* As of DS 6.1, always do a full initialization so that other
+	 * modules can assume NSS is available
+     */
+	if ( slapd_nss_init((slapd_exemode == SLAPD_EXEMODE_SLAPD),
+			(slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {
+		 LDAPDebug(LDAP_DEBUG_ANY,
+					"ERROR: NSS Initialization Failed.\n", 0, 0, 0);
+		 exit (1);
+	}
+
+	if (slapd_exemode == SLAPD_EXEMODE_SLAPD) {
+		client_auth_init();
+	}
+
+	if ( init_ssl && ( 0 != slapd_ssl_init())) {
+		LDAPDebug(LDAP_DEBUG_ANY,
+					"ERROR: SSL Initialization Failed.\n", 0, 0, 0 );
+		exit( 1 );
+	}
 
 	/* -sduloutre: compute_init() and entry_computed_attr_init() moved up */
 
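Review bot: The relocated block starting at `init_ssl = ...` now sits well after the "special database stuff" dispatch it used to precede, yet its own comment says NSS is needed for attribute encryption/decryption on import and export, and `init_ssl` still tests `importexport_encrypt`. The enclosing function starts and ends outside both hunks, so this is inferred, but if the import/export modes finish inside that earlier dispatch they would now run without `slapd_nss_init()`. The same applies to any module between the two locations that "can assume NSS is available". Those paths should initialise NSS themselves after dropping privileges, or the ordering should be confirmed safe for every `slapd_exemode`. The block comment should also record the constraint, e.g. `/* Must run after the setuid: NSS_Initialize creates the key/cert db files, which must be owned by the server uid, not root. */`, and note that db files already created as root by earlier builds are not re-owned by this change.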



