Author: rmeggins
Update of /cvs/dirsec/adminserver/admserv/cgi-src40 In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14602/adminserver/admserv/cgi-src40
Modified Files: ugdsconfig.c Log Message: Resolves: bug 426056 Bug Description: Unable to connect to admin express via SSL - firefox cipher issues? Reviewed by: nkinder, nhosoi (Thanks!) Fix Description: The admin server was defaulting to EXPORT instead of DOMESTIC so was not enabling the domestic ciphers by default. Then when the admin server SSL was configured, it would give it a list of old ciphers not currently supported by Firefox. Also, we are still being affected by Bug 151705 Processed: AS 6.2 Console cipher preferences bug, so when the list of ciphers pops up, you have to make sure all of the SSLv2 ciphers are disabled and the SSLv3 and TLS ciphers you want to use are enabled. I also discovered a problem with the ugdsconfig CGI program - it was being caught by the admldapBuildInfoSSL problem where it tries to use the SIEDN to bind. So I had to use the same hack used in mod_admserv and elsewhere to force it to use the correct bind dn and password. Finally, I updated the list of ciphers in console.conf to reflect the full list of ciphers supported by mod_nss. Platforms tested: RHEL5 x86_64 Flag Day: no Doc impact: no
Index: ugdsconfig.c
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/ugdsconfig.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- ugdsconfig.c 18 Jul 2007 22:10:22 -0000 1.9
+++ ugdsconfig.c 18 Dec 2007 19:55:23 -0000 1.10
@@ -230,20 +230,15 @@
 return 0;
 }
-
-/*
- * Return current U/G directory setting
- */
-static void handle_getconfig(const char *configdir, const char *securitydir)
+static AdmldapInfo
+local_get_admldapinfo(const char *configdir, const char *securitydir)
 {
- char *inforef=NULL, *globaldirurl=NULL, *dirurl=NULL, *binddn=NULL, *bindpw=NULL;
 AdmldapInfo adminfo;
 int rc;
- logMsg("In handle_getconfig\n");
-
 if(ADMSSL_InitSimple((char *)configdir, (char *)securitydir, 0)) {
- rpt_err(SYSTEM_ERROR, i18nMsg(DBT_ADMSSL_INIT_FAILED,"Cannot initialize SSL"), NULL, NULL);
+ rpt_err(SYSTEM_ERROR, i18nMsg(DBT_ADMSSL_INIT_FAILED,"Cannot initialize SSL"), NULL, NULL);
+ return NULL;
 }
 adminfo = admldapBuildInfo((char *)configdir, &rc);
@@ -251,14 +246,57 @@
 logMsg("admldapBuildInfo failed, rc=%d, admroot=%s\n", rc, nonull_value((char *)configdir));
 PR_snprintf(error_info, sizeof(error_info), i18nMsg(DBT_BUILD_LDAPINFO,"Failed to build ldap info (err=%d)"), rc);
 rpt_err(SYSTEM_ERROR, error_info, NULL, NULL);
+ return NULL;
 }
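Review bot: The new shared helper `local_get_admldapinfo` has no header comment; the old "Return current U/G directory setting" comment was only moved along with handle_getconfig, so the helper's contract — that it reports each failure itself through rpt_err() and hands back NULL, which is why both callers simply `return` on NULL — is nowhere stated. I would add above `static AdmldapInfo`: `/* Initialize SSL and build the admin LDAP info for configdir. On any failure the error has already been reported via rpt_err() and NULL is returned, so callers only need to return. */`. The helper's body continues into the next hunk, where the SSL/bind handling lives.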
 if (admldapGetSecurity(adminfo)) {
- if (!admldapBuildInfoSSL(adminfo, &rc)) {
- logMsg("admldapBuildInfo failed, rc=%d, admroot=%s\n", rc, nonull_value((char *)configdir));
- PR_snprintf(error_info, sizeof(error_info), i18nMsg(DBT_BUILD_LDAPINFO,"Failed to build ldap info (err=%d)"), rc);
+ /* Temporarily override the siedn. This needs to be
+ * done to get a valid LDAP handle.
+ */
+ char *siedn = NULL;
+ char *userdn = NULL;
+ char *siePasswd = NULL;
+
+ /* returned value from ADM_Get... should NOT be freed */
+ ADM_GetCurrentPassword(&rc, &siePasswd); /* via PIPE */
+ /* if userdn is initialized, override the siedn to make bind succeed */
+ ADM_GetUserDNString(&rc, &userdn);
+ if (strcasecmp(userdn, ADM_NOT_INITIALIZED)) {
+ siedn = admldapGetSIEDN(adminfo);
+ admldapSetSIEDN(adminfo, userdn);
+ admSetCachedSIEPWD(siePasswd);
+ }
+
+ if (!admldapBuildInfoSSL(adminfo, &rc)) {
+ logMsg("admldapBuildInfo failed, rc=%d, admroot=%s\n", rc, nonull_value((char *)configdir));
+ PR_snprintf(error_info, sizeof(error_info), i18nMsg(DBT_BUILD_LDAPINFO,"Failed to build ldap info (err=%d)"), rc);
 rpt_err(SYSTEM_ERROR, error_info, NULL, NULL);
+ return NULL;
 }
+
+ /* reset if we changed it */
+ if (siedn) {
+ admldapSetSIEDN(adminfo, siedn);
+ PL_strfree(siedn);
+ }
+ }
+
+ return adminfo;
+}
+
+/*
+ * Return current U/G directory setting
+ */
+static void handle_getconfig(const char *configdir, const char *securitydir)
+{
+ char *inforef=NULL, *globaldirurl=NULL, *dirurl=NULL, *binddn=NULL, *bindpw=NULL;
+ AdmldapInfo adminfo;
+ int rc;
+
+ logMsg("In handle_getconfig\n");
+
+ if (!(adminfo = local_get_admldapinfo(configdir, securitydir))) {
+ return;
 }
 if (!admldapGetDomainUserDirectory(adminfo, &globaldirurl, &binddn, &bindpw, &inforef, &rc)) {
@@ -305,8 +343,8 @@
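Review bot: The SIE DN override is not undone on the failure path: when admldapBuildInfoSSL() fails, `return NULL` runs before the "reset if we changed it" block, so the handle is left with userdn as its SIE DN and the string saved in `siedn` is never PL_strfree'd (moot only if rpt_err() never returns), and on neither path is the password stashed by admSetCachedSIEPWD() cleared again, so the "Temporarily override" comment is not accurate as written. Separately, the `rc` set by ADM_GetCurrentPassword() and ADM_GetUserDNString() is never examined before `strcasecmp(userdn, ADM_NOT_INITIALIZED)`; if either helper can leave userdn NULL on error (their contracts are not visible here), that call dereferences a null pointer, so I would guard it with `if (userdn && strcasecmp(userdn, ADM_NOT_INITIALIZED)) {`. I would capture the admldapBuildInfoSSL() result, run the restore unconditionally, and only then report and return, as below; whether the cached SIE password should also be reset after the bind is worth confirming against the mod_admserv code the commit message cites as the source of this pattern. local_get_admldapinfo begins in the previous hunk, and handle_getconfig's body continues past this one.
```c
    if (admldapGetSecurity(adminfo)) {
        /* … unchanged: siedn/userdn/siePasswd declarations and ADM_Get… calls … */
        if (userdn && strcasecmp(userdn, ADM_NOT_INITIALIZED)) {
            siedn = admldapGetSIEDN(adminfo);
            admldapSetSIEDN(adminfo, userdn);
            admSetCachedSIEPWD(siePasswd);
        }

        int ssl_ok = admldapBuildInfoSSL(adminfo, &rc);

        /* always undo the override, whether or not the SSL bind succeeded */
        if (siedn) {
            admldapSetSIEDN(adminfo, siedn);
            PL_strfree(siedn);
        }

        if (!ssl_ok) {
            logMsg("admldapBuildInfo failed, rc=%d, admroot=%s\n", rc, nonull_value((char *)configdir));
            PR_snprintf(error_info, sizeof(error_info), i18nMsg(DBT_BUILD_LDAPINFO,"Failed to build ldap info (err=%d)"), rc);
            rpt_err(SYSTEM_ERROR, error_info, NULL, NULL);
            return NULL;
        }
    }
```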
logMsg("In handle_setconfig\n");
- if(ADMSSL_InitSimple((char *)configdir, (char *)securitydir, 0)) {
- rpt_err(SYSTEM_ERROR, i18nMsg(DBT_ADMSSL_INIT_FAILED,"Cannot initialize SSL"), NULL, NULL);
+ if (!(adminfo = local_get_admldapinfo(configdir, securitydir))) {
+ return;
 }
 inforef = get_cgi_var( "ugdsconfig.inforef", NULL, NULL );
@@ -319,22 +357,6 @@
 logMsg("binddn=%s\n", nonull_value(binddn));
 logMsg("bindpw size=%d\n", strlen(nonull_value(bindpw)));
-
- adminfo = admldapBuildInfo((char *)configdir, &rc);
- if (adminfo == NULL) {
- logMsg("admldapBuildInfo failed, rc=%d, admroot=%s\n", rc, nonull_value((char *)configdir));
- PR_snprintf(error_info, sizeof(error_info), i18nMsg(DBT_BUILD_LDAPINFO,"Failed to build ldap info (err=%d)"), rc);
- rpt_err(SYSTEM_ERROR, error_info, NULL, NULL);
- }
-
- if (admldapGetSecurity(adminfo)) {
- if (!admldapBuildInfoSSL(adminfo, &rc)) {
- logMsg("admldapBuildInfo failed, rc=%d, admroot=%s\n", rc, nonull_value((char *)configdir));
- PR_snprintf(error_info, sizeof(error_info), i18nMsg(DBT_BUILD_LDAPINFO,"Failed to build ldap info (err=%d)"), rc);
- rpt_err(SYSTEM_ERROR, error_info, NULL, NULL);
- }
- }
-
 if (inforef != NULL) {
 if (strcasecmp(inforef,"default")==0) {
 siedn = admldapGetSIEDN(adminfo);