Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / phosphor-user-manager / 3b4d06a1812566d4095524f2242e272e0b9f449f^! / . / phosphor-ldap-config / ldap_configuration.cpp
commit3b4d06a1812566d4095524f2242e272e0b9f449f[log] [tgz]
authorNagaraju Goruganti <ngorugan@in.ibm.com>Thu Nov 08 03:13:38 2018 -0600
committerBrad Bishop <bradleyb@fuzziesquirrel.com>Mon Nov 19 21:37:57 2018 -0500
treeee0ab69d90b48a2a67251019fb6c39eab1d21719
parentd514e5dc3de8dcd305328783ae11ee8e56b27d9a [diff] [blame]
phosphor-ldap-conf: update nslcd.conf file with tls_cacertfile info

tls_cacertfile specifies the path to the X.509 certificate for
peer authentication.

Also updated the file with "tls_reqcert hard", to force the
behavior: if no certificate is provided, or a bad certificate
is provided, the session is immediately terminated.

Tested: tested using below given commands
1.curl -c cjar -b cjar -k -H "Content-Type: application/json" -X  POST -d \
  '{"data":[true,"ldaps://<host_ip>/","cn=<user-id>,dc=Corp,dc=ibm,dc=com",\
  "cn=Users,dc=Corp,dc=ibm,dc=com",  "<password>",\
  "xyz.openbmc_project.User.Ldap.Create.SearchScope.sub",\
  "xyz.openbmc_project.User.Ldap.Create.Type.ActiveDirectory"] \
}' https://$BMC_IP//xyz/openbmc_project/user/ldap/action/CreateConfig

2.curl -b cjar -k -H "Content-Type: application/json" -X PUT -d '{"data":true}'\
  https://$BMC_IP/xyz/openbmc_project/user/ldap/config/attr/SecureLDAP

3.curl -b cjar -k -H "Content-Type: application/json" -X PUT -d \
  '{"data":"ldap://<host_ip>/"}' \
  https://$BMC_IP/xyz/openbmc_project/ldap/config/attr/LDAPServerURI

when "/etc/ssl/certs/Root-CA.pem" doesn't exist on target, we get below
given exception(if we try to set SecureLDAP is true):
"DBusException: xyz.openbmc_project.Common.Error.NoCACertificate: \
Server's CA certificate has not been provided."

Change-Id: I56ffe8b08bb71307b4f2bfe9cf935b6113e4579a
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com>
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>

diff --git a/phosphor-ldap-config/ldap_configuration.cpp b/phosphor-ldap-config/ldap_configuration.cpp
index 31e4e75..be6c1cc 100644
--- a/phosphor-ldap-config/ldap_configuration.cpp
+++ b/phosphor-ldap-config/ldap_configuration.cpp

@@ -24,13 +24,13 @@
 using ConfigInfo = std::map<Key, Val>;
 
 Config::Config(sdbusplus::bus::bus& bus, const char* path, const char* filePath,
-               bool secureLDAP, std::string lDAPServerURI,
-               std::string lDAPBindDN, std::string lDAPBaseDN,
-               std::string&& lDAPBindDNPassword,
+               const char* caCertFile, bool secureLDAP,
+               std::string lDAPServerURI, std::string lDAPBindDN,
+               std::string lDAPBaseDN, std::string&& lDAPBindDNPassword,
                ldap_base::Config::SearchScope lDAPSearchScope,
                ldap_base::Config::Type lDAPType, ConfigMgr& parent) :
     ConfigIface(bus, path, true),
-    secureLDAP(secureLDAP), configFilePath(filePath),
+    secureLDAP(secureLDAP), configFilePath(filePath), tlsCacertFile(caCertFile),
     lDAPBindDNPassword(std::move(lDAPBindDNPassword)), bus(bus), parent(parent)
 {
     ConfigIface::lDAPServerURI(lDAPServerURI);
@@ -106,8 +106,8 @@
     if (secureLDAP == true)
     {
         confData << "ssl on\n";
-        confData << "tls_reqcert allow\n";
-        confData << "tls_cert /etc/nslcd/certs/cert.pem\n";
+        confData << "tls_reqcert hard\n";
+        confData << "tls_cacertFile " << tlsCacertFile.c_str() << "\n";
     }
     else
     {
@@ -192,6 +192,13 @@
             elog<InvalidArgument>(Argument::ARGUMENT_NAME("lDAPServerURI"),
                                   Argument::ARGUMENT_VALUE(value.c_str()));
         }
+
+        if (secureLDAP && !fs::exists(tlsCacertFile.c_str()))
+        {
+            log<level::ERR>("LDAP server's CA certificate not provided",
+                            entry("TLSCACERTFILE=%s", tlsCacertFile.c_str()));
+            elog<NoCACertificate>();
+        }
         val = ConfigIface::lDAPServerURI(value);
         writeConfig();
         parent.restartService(nslcdService);
@@ -204,6 +211,10 @@
     {
         throw;
     }
+    catch (const NoCACertificate& e)
+    {
+        throw;
+    }
     catch (const std::exception& e)
     {
         log<level::ERR>(e.what());
@@ -405,6 +416,13 @@
                               Argument::ARGUMENT_VALUE(lDAPServerURI.c_str()));
     }
 
+    if (secureLDAP && !fs::exists(tlsCacertFile.c_str()))
+    {
+        log<level::ERR>("LDAP server's CA certificate not provided",
+                        entry("TLSCACERTFILE=%s", tlsCacertFile.c_str()));
+        elog<NoCACertificate>();
+    }
+
     if (lDAPBindDN.empty())
     {
         log<level::ERR>("Not a valid LDAP BINDDN",
@@ -438,8 +456,9 @@
 
     auto objPath = std::string(LDAP_CONFIG_DBUS_OBJ_PATH);
     configPtr = std::make_unique<Config>(
-        bus, objPath.c_str(), configFilePath.c_str(), secureLDAP, lDAPServerURI,
-        lDAPBindDN, lDAPBaseDN, std::move(lDAPBindDNPassword),
+        bus, objPath.c_str(), configFilePath.c_str(), tlsCacertFile.c_str(),
+        secureLDAP, lDAPServerURI, lDAPBindDN, lDAPBaseDN,
+        std::move(lDAPBindDNPassword),
         static_cast<ldap_base::Config::SearchScope>(lDAPSearchScope),
         static_cast<ldap_base::Config::Type>(lDAPType), *this);
 
@@ -571,6 +590,12 @@
         // object upon finding empty values in config, as
         // this can be a default config.
     }
+    catch (const NoCACertificate& e)
+    {
+        // Don't throw - we don't want to create a D-Bus
+        // object upon finding "ssl on" without having tls_cacertFile in place,
+        // as this can be a default config.
+    }
     catch (const InternalFailure& e)
     {
         throw;