[Fedora-directory-devel] SELinux
by Arjen Heidinga
Hello,
Is there a SELinux ruleset somewhere? I read somewhere that if someone knows
how to set up a ruleset to inform you. (I assumed 'you' means 'developers').
I know how to set up a SELinux ruleset thing. Thing is, this is a hell of a
job... IF there is something unfinished-ish from someone I might want to
use it. I could use a list or something with things that don't work with
SELinux enabled; should I search the bug reports or so?
Please CC to my personal mail because I'm not on the list. Thanks
Arjen Heidinga
17 years, 10 months
[Fedora-directory-devel] Cert
by Neil Lane
Hi All
I am in the process of writing a custom login module using LDAP.
I am attempting to use a cert (PKCS12 cert) as the user's "password".
I would like to load the cert from a keystore and validate it against the
LDAP entry's userPKCS12 attribute.
Please can someone let me know if this is possible and then let me know how
this may be achieved.
Any assistance would be appreciated.
Thanks
Neil Lane
17 years, 10 months
[Fedora-directory-devel] hello a technical Q?
by ALI KATOUZIAN
Hello All,
I have convdate on my system.
I cannot use it though!
how can I activate this command and get it running?
thank you regards,
Ali
Ali Katouzian
MSc, BEng, Dipl.-Ing.
17 years, 10 months
[Fedora-directory-devel] Please review: allow admin server to build without java
by Rich Megginson
It's a little bit tricky. The base package is a dependency of both the
main admin server package and the directory server package. However, it
works if you just create a zero length .zip file for the base archive -
you get a warning when running setup, but everything installs
correctly. While it's not perfect (it will be addressed for the next
major release) it will at least allow those developers who do not want
to use java at all to build and install.
You must use "make NOJAVA=1 ..." to build and package admin server
without java.
adminserver/Makefile
adminserver/admserv/Makefile
adminserver/admserv/pkgadmin.mk
adminserver/base/Makefile
Index: adminserver/Makefile
===================================================================
RCS file: /cvs/dirsec/adminserver/Makefile,v
retrieving revision 1.16
diff -u -8 -r1.16 Makefile
--- adminserver/Makefile 3 Nov 2005 23:20:38 -0000 1.16
+++ adminserver/Makefile 18 Jan 2006 17:18:38 -0000
@@ -25,34 +25,44 @@
# Makefile for AdminServer
#
BUILD_ROOT=.
include nsconfig.mk
include components.mk
+PACKAGEDEPS = start_time
+
+ifndef NOJAVA
+PACKAGEDEPS += ldapjdk nmcjdk jsssdk jsslib
+endif
+
+PACKAGEDEPS += pkgBase pkgAdmin pkgMcc end_time
+
all: buildAndPkgAdmin
buildAndPkgAdmin: buildOxygen pkgOxygen
help:
@echo
@echo The following are build targets that you can choose from:
@echo
- @echo " gmake buildAndPkgAdmin (the default if no targets are given)"
- @echo " gmake buildAdmin"
- @echo " gmake buildOxygen"
- @echo " gmake buildConsole"
- @echo " gmake pkgAdmin"
- @echo " gmake pkgOxygen"
- @echo " gmake pkgConsole"
- @echo " gmake pkgL10NOxygen"
- @echo " gmake docConsole"
- @echo " gmake acceptAdmin"
+ @echo " $(MAKE) buildAndPkgAdmin (the default if no targets are given)"
+ @echo " $(MAKE) buildAdmin"
+ @echo " $(MAKE) buildOxygen"
+ @echo " $(MAKE) buildConsole"
+ @echo " $(MAKE) pkgAdmin"
+ @echo " $(MAKE) pkgOxygen"
+ @echo " $(MAKE) pkgConsole"
+ @echo " $(MAKE) pkgL10NOxygen"
+ @echo " $(MAKE) docConsole"
+ @echo " $(MAKE) acceptAdmin"
+ @echo ""
+ @echo Use $(MAKE) NOJAVA=1 to skip building/packaging any Java (console or command line) code
pumpkin:
$(PERL) pumpkin.pl $(PUMPKIN_AGE) pumpkin.dat
start_time:
@echo " Starting SBCX IMPORT "
@date
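Review bot: the new help line `@echo Use $(MAKE) NOJAVA=1 to skip building/packaging any Java (console or command line) code` is the only unquoted echo in this block, and the bare parentheses in `(console or command line)` are a shell syntax error, so `make help` will abort on that line; wrap the text in double quotes like the surrounding `@echo " $(MAKE) ..."` lines. Also note that `ifndef NOJAVA` tests for an empty value rather than for whether the variable was set at all, so `make NOJAVA=` still pulls in `ldapjdk nmcjdk jsssdk jsslib`; that matches the documented `NOJAVA=1` usage but deserves a one-line comment next to the `ifndef`.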
@@ -206,17 +216,17 @@
@echo
@echo
@echo ==== Starting Win9x Console Package ==========
@echo
$(MAKE) -f win9xMakefile $(MFLAGS) BUILD_MODULE=WIN9X_CONSOLE package
@echo
@echo ============== Finished ============================
-pkgOxygen:start_time ldapjdk nmcjdk jsssdk jsslib pkgBase pkgAdmin pkgMcc end_time
+pkgOxygen: $(PACKAGEDEPS)
@echo
@echo
@echo
@echo ==== Finished Oxygen Package ==========
@echo
pkgMcc:
@echo
Index: adminserver/admserv/Makefile
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/Makefile,v
retrieving revision 1.6
diff -u -8 -r1.6 Makefile
--- adminserver/admserv/Makefile 29 Sep 2005 22:11:58 -0000 1.6
+++ adminserver/admserv/Makefile 18 Jan 2006 17:18:38 -0000
@@ -28,22 +28,31 @@
NOSTDSTRIP=true
include $(BUILD_ROOT)/nsconfig.mk
ifeq ($(ARCH), AIX)
MFLAGS :=
endif
+ALLTARGETS = do-src do-cgi-src do-html
+ifndef NOJAVA
+ALLTARGETS += do-console
+endif
+
+ALLTARGETS += do-cfg
+
ifeq ($(ARCH), WINNT)
-all: do-src do-cgi-src do-html do-console do-cfg do-viewurl do-inst do-ldap-stuffs do-icons
-else
-all: do-src do-cgi-src do-html do-console do-cfg do-inst do-ldap-stuffs do-icons
+ALLTARGETS += do-viewurl
endif
+ALLTARGETS += do-inst do-ldap-stuffs do-icons
+
+all: $(ALLTARGETS)
+
do-src:
# cd src; $(MAKE) BUILD_MODULE=HTTP_ADMIN $(MFLAGS)
mkdir -p $(OBJDIR)/admin-lib
do-cgi-src:
cd cgi-src40; $(MAKE) BUILD_MODULE=HTTP_ADMIN $(MFLAGS)
do-html:
Index: adminserver/admserv/pkgadmin.mk
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/pkgadmin.mk,v
retrieving revision 1.34
diff -u -8 -r1.34 pkgadmin.mk
--- adminserver/admserv/pkgadmin.mk 8 Dec 2005 02:37:25 -0000 1.34
+++ adminserver/admserv/pkgadmin.mk 18 Jan 2006 17:18:38 -0000
@@ -134,28 +134,33 @@
ifndef MOD_NSS_LIB_DIR
MOD_NSS_LIB_DIR=$(BUILD_ROOT)/../mod_nss/.libs
endif
ifndef MOD_NSS_BIN_DIR
MOD_NSS_BIN_DIR=$(BUILD_ROOT)/../mod_nss
endif
endif
+ifndef NOJAVA
+ALLTARGETS = pkguxClient
+endif
+ALLTARGETS += pkguxAdmin pkgSetup pkgSBC
+
ifneq ($(strip $(ADM_VERSION)),)
all:
-if [ ! -d $(PKGTOP) ]; then \
$(MKDIR) $(PKGTOP) ; \
fi
ifneq ($(ARCH), WINNT)
cd $(PKGTOP); find . -type f -exec chmod go-w {} \;
endif
cd $(PKGTOP); $(TAR) xf $(ADM_RELEASE)/admserv.tar
else
-all: pkguxClient pkguxAdmin pkgSetup pkgSBC
+all: $(ALLTARGETS)
endif
pkguxClient: pkguxConsole $(CLIENT_DIR)
echo "===== Packaging Admin Server client ======"
echo
rm -rf $(CLIENT_DIR)/*
-$(MKDIR) $(CLIENT_DIR)/java
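Review bot: `ALLTARGETS` is only assigned with `=` inside the `ifndef NOJAVA` block; when NOJAVA is set, the first reference is the `+=` at `ALLTARGETS += pkguxAdmin pkgSetup pkgSBC`, which works for an undefined variable but silently appends to any `ALLTARGETS` inherited from the environment or from an including makefile (admserv/Makefile now defines a variable of the same name in this patch). Initialise it unconditionally, e.g. `ALLTARGETS =` before the `ifndef`, and use `ALLTARGETS += pkguxClient` inside it.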
@@ -180,18 +185,20 @@
pkguxAdmin: $(ADMIN_DIR) new-pkguxAdmin
new-pkguxAdmin:
# Note: need to create $(PKGDIR)/unzipped/admserv for backwards compat --MLM
# Note: need to do admin-nickname rather than admin-serv --MLM
-$(MKDIR) $(ADMIN_DIR)/dist
+ifndef NOJAVA
-$(MKDIR) $(ADMIN_DIR)/java/jars
-$(MKDIR) $(ADMIN_DIR)/java/html/en
+endif # NOJAVA
-$(MKDIR) $(ADMIN_DIR)/admin-serv
-$(MKDIR) $(ADMIN_DIR)/admin-serv/config
-$(MKDIR) $(ADMIN_DIR)/admin-serv/logs
-$(MKDIR) $(ADMIN_DIR)/admin-serv/ldif
-$(MKDIR) $(ADMIN_DIR)/bin/admin
-$(MKDIR) $(ADMIN_DIR)/bin/admin/lib
@@ -257,23 +264,25 @@
if [ -d $(ADMINUTIL_LIBPATH)/property ] ; then \
$(MKDIR) $(ADMIN_DIR)/bin/admin/lib/property ; \
cp -p $(ADMINUTIL_LIBPATH)/property/* $(ADMIN_DIR)/bin/admin/lib/property ; \
elif [ -d $(ADMINUTIL_LIBPATH)/adminutil-properties ] ; then \
$(MKDIR) $(ADMIN_DIR)/bin/admin/lib/adminutil-properties ; \
cp -p $(ADMINUTIL_LIBPATH)/adminutil-properties/* $(ADMIN_DIR)/bin/admin/lib/adminutil-properties ; \
fi
+ifndef NOJAVA
cd $(ADMSERV_OBJDIR)/cmdln; \
cp -p admconfig $(ADMIN_DIR)/bin/admin;
cd $(ADMIN_JARS)/.. ; \
find *.html *.gif *.jpg | $(CPIO) $(ADMIN_DIR)/java/html
cd $(ADMIN_JARS)/.. ; \
find *.html | $(CPIO) $(ADMIN_DIR)/java/html/en
+endif # NOJAVA
cp $(BUILD_ROOT)/lib/ldaputil/certmap.conf $(ADMIN_DIR)/shared/config
cp -p $(BUILD_ROOT)/admserv/cfgstuff/httpd.conf $(ADMIN_DIR)/shared/config/template/httpd.conf.tmpl
cp -p $(BUILD_ROOT)/admserv/cfgstuff/admserv.conf $(ADMIN_DIR)/shared/config/template/admserv.conf.tmpl
cp -p $(BUILD_ROOT)/admserv/cfgstuff/console.conf $(ADMIN_DIR)/shared/config/template/console.conf.tmpl
cp -p $(BUILD_ROOT)/admserv/cfgstuff/nss.conf $(ADMIN_DIR)/shared/config/template/nss.conf.tmpl
cp -p $(BUILD_ROOT)/admserv/cfgstuff/start-admin $(ADMIN_DIR)/shared/config/template/start-admin.tmpl
cp -p $(BUILD_ROOT)/admserv/cfgstuff/stop-admin $(ADMIN_DIR)/shared/config/template/stop-admin.tmpl
Index: adminserver/base/Makefile
===================================================================
RCS file: /cvs/dirsec/adminserver/base/Makefile,v
retrieving revision 1.16
diff -u -8 -r1.16 Makefile
--- adminserver/base/Makefile 18 Nov 2005 21:16:39 -0000 1.16
+++ adminserver/base/Makefile 18 Jan 2006 17:18:38 -0000
@@ -144,23 +144,24 @@
ifdef BUILD_SHIP
-mkdir -p $(RELTOP)
-rm $(RELTOP)/base.ex
echo "base/unzipped" > $(RELTOP)/base.ex
echo "svrcore/unzipped" >> $(RELTOP)/base.ex
cd $(PKGTOP); $(TAR) cvfX $(RELTOP)/base.tar $(RELTOP)/base.ex base
-rm $(RELTOP)/base.tar.gz $(RELTOP)/base.ex
cd $(RELTOP); gzip -f base.tar
-endif
+endif
pkguxClient:
rm -rf $(CLIENT_DIR)
rm -f $(BASEDIR)/ns$(BASE_CLIENT).zip
+ifndef NOJAVA
-$(MKDIR) $(CLIENT_DIR)/$(JAVA_DIR)
-$(MKDIR) $(CONSOLE_HELP)
-$(CHMOD) 0777 $(CLIENT_DIR)/$(JAVA_DIR)
#copy console help
ifdef ONLINEHELP_SOURCE_DIR
@cd $(ONLINEHELP_SOURCE_DIR)/console/html ; \
for dir in * ; do \
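Review bot: the `-endif` / `+endif` pair at the top of this hunk is a whitespace-only change that is invisible in the rendered diff; if it is fixing a tab-indented `endif` that make was passing to the shell as a recipe line, say so in the commit message, otherwise drop it to keep the diff to the NOJAVA change. The `ifndef NOJAVA` opened here closes in the next hunk some sixty lines later and encloses the nested `ifdef ONLINEHELP_SOURCE_DIR`; the `# NOJAVA` tag on the closing `else`/`endif` helps, so consider the same tag on this opening line.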
@@ -206,13 +207,18 @@
# -find $(BASEDIR) -type f \( -name '*.o' -o -name '.*' \) -exec rm {} \;
ifneq ($(ARCH), WINNT)
-find $(BASEDIR) -type f -exec chmod go-w {} \;
endif
cd $(CLIENT_DIR) ; \
$(IZIP) $(BASEDIR)/ns$(BASE_CLIENT).zip * ;
+else # NOJAVA
+ $(MKDIR) $(BASEDIR)
+ touch $(BASEDIR)/ns$(BASE_CLIENT).zip
+endif # NOJAVA
+
ifeq ($(ARCH), Linux)
$(PERL) fixPI.pl SETUP_BASE ../include/version.h ../$(NSPLATFORM_DIR)/buildnum.dat $(BUILD_SECURITY) base.inf $(BASEDIR)/base.inf
else
$(COMPONENTS_DIR)/perl5/$(ARCH)-perl5/perl fixPI.pl SETUP_BASE ../include/version.h ../$(NSPLATFORM_DIR)/buildnum.dat $(BUILD_SECURITY) base.inf $(BASEDIR)/base.inf
endif
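Review bot: in the `else # NOJAVA` branch, `$(MKDIR) $(BASEDIR)` lacks the `-` prefix used on every other `$(MKDIR)` call in this file, so if `$(BASEDIR)` already exists and `MKDIR` is not `mkdir -p` the build stops here; use `-$(MKDIR) $(BASEDIR)`. Also, `touch $(BASEDIR)/ns$(BASE_CLIENT).zip` produces an empty file rather than a valid empty zip archive, which is what triggers the setup warning mentioned in the cover note; a comment on that line saying the warning is expected would save the next reader a surprise.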
17 years, 11 months
[Fedora-directory-devel] Please review: bug 175170: Directory Server Admin Server Dies after Secure Bind to Directory Server
by Rich Megginson
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175170
Bug(s) fixed: 175170
Bug Description: Directory Server Admin Server Dies after Secure Bind to
Directory Server
Reviewed by: ???
Files: mod_admserv.c
Branch: HEAD
Fix Description: This fix makes the assumption that mod_nss will always
be used. It is possible to use mod_admserv without mod_nss - this would
mean that the admin server accepts http, but uses ldaps to communicate
with the DS. However, I don't foresee that happening, so in order to
simplify things, this fix makes mod_nss responsible for initializing NSS
and shutting it down properly.
Another problem was the memory and resource leaks. psets have to be
disposed of after use. This appears to have been a problem in the old
NES libAdmservPlugin as well since most of the code was just
copied/pasted. There were also a couple of other memory leaks.
NOTE: This is only part of the total fix, which will involve changes to
mod_nss, ldap sdk, and admin server components.
Platforms tested: FC4
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=123293
17 years, 11 months
Re: [Fedora-directory-devel] Re: Fedora-directory-devel Digest, Vol 7, Issue 2
by Peter Djalaliev
Hm,
I started from scratch, downloading, compiling and installing
everything on another machine. Here is exactly what I did:
I started from scratch on a machine with Ubuntu Linux, kernel 2.6. I
downloaded and installed OpenSSL 0.9.8. Then I downloaded and installed
Apache 2.0.55 with SSL enabled. After that, I downloaded NSPR 4.6 (both the
source tree and the release) and NSS 3.10 (source tree). I copied the
nsprpub from the mozilla dir of the NSPR 4.6 source tree to the mozilla dir
of the NSS 3.10 source tree. After compiling NSS, I used this and the
compiled release of NSPR 4.6 to compile mod_nss, which I downloaded from the
Fedora Directory Server website.
After compiling mod_nss, I installed it and modified the nss.conf (in the
Apache conf dir) file as follows: put <IfDefine SSL> and </IfDefine> around
its contents, specified where NSS should be looking for its database and
changed the nickname of the certificate NSS should look for in the database.
At this point, I could run 'apachectl startssl', which would ask me for the
NSS database password and then start. I could establish the secure
connection through a browser - after being asked to accept the certificate
(which is the one I wanted NSS to use).
However, if I run 'httpd -X -k start' or 'httpd -X -k startssl', I get a
segmentation fault and a core dump. When I used GDB to analyze it,
everything seems fine until at some point, when the httpd executable receives
a SIGSEGV signal for a segmentation fault.
Now, if I reinstall Apache 2.0.55 from the same source tree I used before
(after first deleting the directory of the installed Apache), I can run
'httpd -X -k start' with no problem. In the end, I generated a key and a
self-signed certificate and fired up Apache w/ mod_ssl with 'httpd -X -k
start -DSSL'. It worked alright.
So, it seems that when I try to use mod_nss, I get a segmentation fault when
I try to use debugging. When I revert back to mod_ssl, it works fine.
Where could things be going wrong?
Regards,
Peter
17 years, 11 months
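The nss.conf layout Peter describes (the whole file wrapped in `<IfDefine SSL>`, a database directory and a certificate nickname) looks like the following. This is an added example from the editor, not Peter's file and not the nss.conf shipped by the mod_nss project; the port, database path and nickname are assumptions chosen for illustration.

```apache
# Added example, not the original poster's nss.conf. Paths, port and
# nickname are assumed values; adjust them to the local install.
<IfDefine SSL>
# Everything inside this block is only read when httpd is started with
# -DSSL, which is what "apachectl startssl" passes.
Listen 8443

# "builtin" prompts for the NSS key database password on the terminal at
# startup, which is the prompt described in the post.
NSSPassPhraseDialog builtin

<VirtualHost _default_:8443>
    NSSEngine on

    # Directory holding cert8.db, key3.db and secmod.db (assumed path).
    NSSCertificateDatabase /usr/local/apache2/conf/alias

    # Nickname of the server certificate inside that database (assumed).
    NSSNickname Server-Cert
</VirtualHost>
</IfDefine>
```

Before starting the server, `httpd -t -DSSL` checks the syntax of the block, and `certutil -L -d /usr/local/apache2/conf/alias` lists the nicknames actually present in the database so that `NSSNickname` can be checked against a real entry. NSS error -8174 is SEC_ERROR_BAD_DATABASE, so a database that `certutil` cannot open or that is missing one of the three files is the first thing to rule out when that code appears in the SSL trace.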
Re: [Fedora-directory-devel] Re: Fedora-directory-devel Digest, Vol 7, Issue 2
by Peter Djalaliev
I used ulimit as you told me and Apache dumped a core file at the next
segmentation fault. I ran this with gdb (typed 'gdb httpd <core-file>' in
the Apache 'bin' directory)
For some reason, somewhere in libpthread.so.0, Apache is invoking
_PR_CreateThread from
../../../../mozilla/nsprpub/pr/src/pthreads/pthreads.c. This file, however,
is apparently not found, because I get
"../../../../mozilla/nsprpub/pr/src/pthreads/pthread.c: No such file or
directory." Similarly, it doesn't find sslsnce.c.
Now, from now on, the httpd process in GDB either exits normally, or
produces segmentation faults at different points of its execution.
I don't always get this segmentation fault almost immediately when I start
Apache. Sometimes it would produce output to the point that it starts
waiting for connections, but then when I connect to it through FF, the
browser would be waiting to receive the server_hello but it wouldn't come.
Sometimes, the TLS handshake continues even further.
In the meantime, I checked my database, it seems to be fine, even though
SSL_TRC still produces that -8174 error. I checked inside
nss_engine_init.c, NSS_Initialize() returns SECSuccess. I am not quite sure
this guarantees that the database is good.
Any suggestions?
Regards,
Peter
17 years, 11 months
Re: [Fedora-directory-devel] mod_nss-1.0 and apache-2.2.0
by Rob Crittenden
Wow, thanks for the patch!
The trick is going to be in making this compatible with both Apache
2.0.x and 2.2.x.
I can go ahead and replace the APR_STATUS_IS_SUCCESS calls as you have
since the macro has gone away.
It looks like the big change is with the new regex structure and its
defines and the renaming of http_method to http_scheme. I guess I can do
something with AP_SERVER_*VERSION_NUMBER to work around that.
Nice catch on the -avoid-version to libtool.
I'll see if I can't get this into the tip this week.
regards
rob
17 years, 11 months
[Fedora-directory-devel] Re: Fedora-directory-devel Digest, Vol 7, Issue 2
by Peter Djalaliev
>
> I haven't done tracing in mod_nss for a very long time but it did work
> early in the development of the module.
>
> I'm a little confused what you mean about Apache "debug" versus "normal"
> mode. Are you referring to the -X flag? I use that frequently myself.
>
> What problem are you trying to solve?
>
> I believe the error -8174 is a bad database error. This shouldn't cause
> a segfault. Are you seeing this when not doing debugging?
>
> Is it dropping a core file?
>
> thanks
>
> rob
Rob,
Yes, by the debug mode and normal mode I mean using -X as opposed to not
using it.
Yes, I see the -8174 error w/ or w/o debugging, but Apache with mod_nss was
working ok in normal mode (w/o -X) despite the -8174 error, so I guess I
just ignored it. I'll rebuild my database I guess.
I don't find any core files in the 'bin' directory, where I run 'httpd -X -k
start -DSSL'. Should I be looking for them elsewhere?
What I am doing in essence is that I am extending the TLS/SSL3
implementation in the NSS package to incorporate an extension (as defined in
RFC3546). Then, I use this modified NSS in Firefox 1.5 and Apache 2.0.54 w/
mod_nss to test my modifications to the TLS handshake.
Inside NSS, I am using the SSL_TRC macros for debugging. It works fine with
Firefox, but I needed Apache to stay attached to the shell, so I can see the
SSL_TRC output. Alternatively, I am trying to get NSS to output the
debugging information to the Apache log files, but this might be more of a
hack than the right way to do it. Do you have any alternative suggestions
here?
So, just to confirm, you are using Apache 2 with mod_nss and the -X flag and
it works OK, right?
Thanks,
Peter
17 years, 11 months