Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / phosphor-user-manager / 5d00cf2560f387aa3ca4c58be5ec173fe289f0e5^! / .
commit5d00cf2560f387aa3ca4c58be5ec173fe289f0e5[log] [tgz]
authorZbigniew Kurzynski <zbigniew.kurzynski@intel.com>Thu Oct 03 12:10:20 2019 +0200
committerRatan Gupta <ratagupt@linux.vnet.ibm.com>Wed Nov 06 10:50:48 2019 +0000
tree5584b00ff7d27cde2df7f1da82fea3aa46326e2c
parent7c6e7cffaf061aabfe5489ef52442e2f7cbd0fb7 [diff]
Support uploading multiple certificates for ldap configuration

This code change regards replacing a path to CA file with directory
location holding multiple CA files within it.

Implementation assumes that one can still define TLS_CACERT_FILE as
either a single CA file or directory location.
Depending if the path points to a file or a directory a proper
value will be set in /etc/nslcd.conf

This code change depends on another change requests:
https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/25987
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/23348

Tested:
   Manually tested, all changes propagate properly to
   /etc/nslcd.conf file.
   Unit Tests are passing.

Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Depends-On: Icd33723c1fc2580679aaaf54b3e99dfb09342402
Depends-On: Ia02c552eb27744e45ccfff3b3a1232d10e65da74
Change-Id: I85dabd4841018f04b0b9e9b58dca9579e7ff1999

diff --git a/configure.ac b/configure.ac
index baa84a4..7f487ca 100644
--- a/configure.ac
+++ b/configure.ac

@@ -67,9 +67,9 @@
 AS_IF([test "x$LDAP_CONFIG_FILE" == "x"], [LDAP_CONFIG_FILE="/etc/nslcd.conf"])
 AC_DEFINE_UNQUOTED([LDAP_CONFIG_FILE], ["$LDAP_CONFIG_FILE"], [Path of LDAP configuration file])
 
-AC_ARG_VAR(TLS_CACERT_FILE, [Path of LDAP server's CA certificate])
-AS_IF([test "x$TLS_CACERT_FILE" == "x"], [TLS_CACERT_FILE="/etc/ssl/certs/Root-CA.pem"])
-AC_DEFINE_UNQUOTED([TLS_CACERT_FILE], ["$TLS_CACERT_FILE"], [Path of LDAP server's CA certificate])
+AC_ARG_VAR(TLS_CACERT_PATH, [Path of LDAP server's CA certificate])
+AS_IF([test "x$TLS_CACERT_PATH" == "x"], [TLS_CACERT_PATH="/etc/ssl/certs/authority"])
+AC_DEFINE_UNQUOTED([TLS_CACERT_PATH], ["$TLS_CACERT_PATH"], [Path of LDAP server's CA certificate])
 
 AC_ARG_VAR(TLS_CERT_FILE, [Path of LDAP's client certificate])
 AS_IF([test "x$TLS_CERT_FILE" == "x"], [TLS_CERT_FILE="/etc/nslcd/certs/cert.pem"])

diff --git a/phosphor-ldap-config/ldap_config.cpp b/phosphor-ldap-config/ldap_config.cpp
index 1620d1d..913dae3 100644
--- a/phosphor-ldap-config/ldap_config.cpp
+++ b/phosphor-ldap-config/ldap_config.cpp

@@ -228,7 +228,14 @@
     {
         confData << "ssl on\n";
         confData << "tls_reqcert hard\n";
-        confData << "tls_cacertFile " << tlsCacertFile.c_str() << "\n";
+        if (fs::is_directory(tlsCacertFile.c_str()))
+        {
+            confData << "tls_cacertdir " << tlsCacertFile.c_str() << "\n";
+        }
+        else
+        {
+            confData << "tls_cacertfile " << tlsCacertFile.c_str() << "\n";
+        }
         if (fs::exists(tlsCertFile.c_str()))
         {
             confData << "tls_cert " << tlsCertFile.c_str() << "\n";

diff --git a/phosphor-ldap-config/main.cpp b/phosphor-ldap-config/main.cpp
index 31e0d46..7f5cdad 100644
--- a/phosphor-ldap-config/main.cpp
+++ b/phosphor-ldap-config/main.cpp

@@ -26,7 +26,7 @@
     sdbusplus::server::manager::manager objManager(bus, LDAP_CONFIG_ROOT);
 
     phosphor::ldap::ConfigMgr mgr(bus, LDAP_CONFIG_ROOT, LDAP_CONFIG_FILE,
-                                  LDAP_CONF_PERSIST_PATH, TLS_CACERT_FILE,
+                                  LDAP_CONF_PERSIST_PATH, TLS_CACERT_PATH,
                                   TLS_CERT_FILE);
     mgr.restore();
 

diff --git a/test/ldap_config_test.cpp b/test/ldap_config_test.cpp
index ddeaac6..635e1c0 100644
--- a/test/ldap_config_test.cpp
+++ b/test/ldap_config_test.cpp

@@ -41,7 +41,7 @@
         using namespace phosphor::ldap;
         char tmpldap[] = "/tmp/ldap_test.XXXXXX";
         dir = fs::path(mkdtemp(tmpldap));
-        fs::path tlsCacertFilePath{TLS_CACERT_FILE};
+        fs::path tlsCacertFilePath{TLS_CACERT_PATH};
         tlsCacertFile = tlsCacertFilePath.filename().c_str();
         fs::path tlsCertFilePath{TLS_CERT_FILE};
         tlsCertFile = tlsCertFilePath.filename().c_str();