Posted to commits@directory.apache.org by sm...@apache.org on 2014/10/23 20:22:02 UTC
git commit: More unbound removal tasks: convert generalized time
functions to use apache DateUtils. Add slapd access log connection config
settings to ldap pool.
Repository: directory-fortress-core
Updated Branches:
refs/heads/master 254f3bafe -> feb558975
More unbound removal tasks: convert generalized time functions to use apache DateUtils. Add slapd access log connection config settings to ldap pool.
Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/feb55897
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/feb55897
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/feb55897
Branch: refs/heads/master
Commit: feb558975fc17915e4fd486b4b55f9cade4a60c3
Parents: 254f3ba
Author: Shawn <sm...@apache.org>
Authored: Thu Oct 23 13:21:45 2014 -0500
Committer: Shawn <sm...@apache.org>
Committed: Thu Oct 23 13:21:45 2014 -0500
----------------------------------------------------------------------
build.properties | 15 +++---
build.xml | 16 ++++---
config/bootstrap/fortress.properties.src | 8 +++-
config/fortress.properties.src | 13 +++++
ldap/setup/refreshLDAPData-src.xml | 4 --
.../core/ldap/ApacheDsDataProvider.java | 50 ++++++++++++++++----
.../fortress/core/util/attr/AttrHelper.java | 15 +++---
7 files changed, 84 insertions(+), 37 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/feb55897/build.properties
----------------------------------------------------------------------
diff --git a/build.properties b/build.properties
index cae71aa..7fe5dc6 100644
--- a/build.properties
+++ b/build.properties
@@ -134,18 +134,19 @@ user.max.conn=10
# 4. BEGIN OPENLDAP SERVER CONFIGURATION SECTION: (Ignore if using HTTP or ApacheDS):
####################################################################################
-# This speicifes the number of audit logging LDAP connections (used for audit logging operations only) to maintain in the pool:
-# Audit Pool:
-log.min.conn=1
-log.max.conn=3
-
#These are passwords used for LDAP audit log service accounts:
# Audit Pool:
-log.root.dn=cn=Manager,${log.suffix}
+log.admin.user=cn=Manager,${log.suffix}
# This OpenLDAP slapd logger password is bound for slapd.conf and was encrypted using 'slappasswd' command:
log.root.pw={SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU
# This password is bound for slapd.conf file for slapd access log service account:
-cfg.log.root.pw=secret
+log.admin.pw=secret
+
+# This speicifes the number of audit logging LDAP connections (used for audit logging operations only) to maintain in the pool:
+# Audit Pool:
+min.log.conn=1
+max.log.conn=3
+
# More Audit Config:
log.suffix=cn=log
log.ops=logops bind writes compare
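Review bot: `log.admin.pw=secret` on L53 is the cleartext bind password for `log.admin.user`, the rootdn of the slapd access-log database, and it has to agree with the `{SSHA}` value in `log.root.pw` that build.xml templates into slapd.conf; the commentary says neither, and `secret` is a well-known default for a privileged account. Suggest replacing the comment above it with `# Cleartext bind password for log.admin.user, consumed by the Fortress log pool; must be the cleartext of log.root.pw above (regenerate both with slappasswd) and must not be left at the default in any deployment.` The typo on L55 (`speicifes`) is worth fixing while the block is being moved.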
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/feb55897/build.xml
----------------------------------------------------------------------
diff --git a/build.xml b/build.xml
index 4160b27..98aead5 100644
--- a/build.xml
+++ b/build.xml
@@ -652,7 +652,7 @@
<replace file="${target.slapd.conf}" token="@LOGOPS@" value="${log.ops}"/>
<replace file="${target.slapd.conf}" token="@ROOT_DN@" value="${root.dn}"/>
<replace file="${target.slapd.conf}" token="@ROOT_PW@" value="${root.pw}"/>
- <replace file="${target.slapd.conf}" token="@LOG_ROOT_DN@" value="${log.root.dn}"/>
+ <replace file="${target.slapd.conf}" token="@LOG_ROOT_DN@" value="${log.admin.user}"/>
<replace file="${target.slapd.conf}" token="@LOG_ROOT_PW@" value="${log.root.pw}"/>
<replace file="${target.slapd.conf}" token="@LOG_SUFFIX@" value="${log.suffix}"/>
<replace file="${target.slapd.conf}" token="@LOG_DBNOSYNCH@" value="${log.dbnosynch}"/>
@@ -812,8 +812,10 @@
<replace file="${dst.bootstrap.conf}" token="@CFG_ROOT_PW@" value="${cfg.root.pw}"/>
<replace file="${dst.bootstrap.conf}" token="@ADM_MIN_CONN@" value="${admin.min.conn}"/>
<replace file="${dst.bootstrap.conf}" token="@ADM_MAX_CONN@" value="${admin.max.conn}"/>
- <replace file="${dst.bootstrap.conf}" token="@LOG_MIN_CONN@" value="${log.min.conn}"/>
- <replace file="${dst.bootstrap.conf}" token="@LOG_MAX_CONN@" value="${log.max.conn}"/>
+ <replace file="${dst.bootstrap.conf}" token="@LOG_ROOT_DN@" value="${log.admin.user}"/>
+ <replace file="${dst.bootstrap.conf}" token="@CFG_LOG_ROOT_PW@" value="${log.admin.pw}"/>
+ <replace file="${dst.bootstrap.conf}" token="@LOG_MIN_CONN@" value="${min.log.conn}"/>
+ <replace file="${dst.bootstrap.conf}" token="@LOG_MAX_CONN@" value="${max.log.conn}"/>
<replace file="${dst.bootstrap.conf}" token="@USR_MIN_CONN@" value="${user.min.conn}"/>
<replace file="${dst.bootstrap.conf}" token="@USR_MAX_CONN@" value="${user.max.conn}"/>
<replace file="${dst.bootstrap.conf}" token="@CFG_CRYPTO_PROP@" value="${crypto.prop}"/>
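Review bot: The new `@CFG_LOG_ROOT_PW@` token on L85 carries the cleartext `log.admin.pw`, while the near-identical `@LOG_ROOT_PW@` token in the slapd.conf target (L75) carries the `{SSHA}` hash; two tokens that differ only by a `CFG_` prefix but hold the same secret in two different forms invite the wrong one being pasted into the wrong template. Since the properties were renamed to `log.admin.*` in this commit, renaming the token to `@LOG_ADMIN_PW@` here and in the two `.src` templates would make the distinction visible. The value is written into fortress.properties as-is; given that the Java side decrypts pool passwords when EncryptUtil is enabled, it presumably has to be the encrypted form whenever `crypto.prop` is set — worth a comment next to the property.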
@@ -847,6 +849,10 @@
<replace file="${dst.remote.conf}" token="@CFG_ROOT_PW@" value="${cfg.root.pw}"/>
<replace file="${dst.remote.conf}" token="@ADM_MIN_CONN@" value="${admin.min.conn}"/>
<replace file="${dst.remote.conf}" token="@ADM_MAX_CONN@" value="${admin.max.conn}"/>
+ <replace file="${dst.remote.conf}" token="@LOG_ROOT_DN@" value="${log.admin.user}"/>
+ <replace file="${dst.remote.conf}" token="@CFG_LOG_ROOT_PW@" value="${log.admin.pw}"/>
+ <replace file="${dst.remote.conf}" token="@LOG_MIN_CONN@" value="${min.log.conn}"/>
+ <replace file="${dst.remote.conf}" token="@LOG_MAX_CONN@" value="${max.log.conn}"/>
<replace file="${dst.remote.conf}" token="@CFG_CRYPTO_PROP@" value="${crypto.prop}"/>
<replace file="${dst.remote.conf}" token="@ENABLE_REST@" value="${enable.mgr.impl.rest}"/>
<replace file="${dst.remote.conf}" token="@REST_HTTP_USER@" value="${http.user}"/>
@@ -869,10 +875,6 @@
<replace file="${dst.load.bootstrap.script}" token="@SUFFIX_DC@" value="${suffix.dc}"/>
<replace file="${dst.load.bootstrap.script}" token="@SUFFIX_DC2@" value="${suffix.dc2}"/>
<replace file="${dst.load.bootstrap.script}" token="@SUFFIX@" value="${suffix}"/>
- <replace file="${dst.load.bootstrap.script}" token="@LOG_ROOT_DN@" value="${log.root.dn}"/>
- <replace file="${dst.load.bootstrap.script}" token="@CFG_LOG_ROOT_PW@" value="${cfg.log.root.pw}"/>
- <replace file="${dst.load.bootstrap.script}" token="@LOG_MIN_CONN@" value="${user.min.conn}"/>
- <replace file="${dst.load.bootstrap.script}" token="@LOG_MAX_CONN@" value="${user.max.conn}"/>
<replace file="${dst.load.bootstrap.script}" token="@USR_MIN_CONN@" value="${log.min.conn}"/>
<replace file="${dst.load.bootstrap.script}" token="@USR_MAX_CONN@" value="${log.max.conn}"/>
<replace file="${dst.load.bootstrap.script}" token="@SERVER_TYPE@" value="${ldap.server.type}"/>
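Review bot: L110-L111 still read `${log.min.conn}` and `${log.max.conn}`, but this commit renames those properties to `min.log.conn`/`max.log.conn` in build.properties, so Ant will substitute the literal text `${log.min.conn}` into the load script's `@USR_MIN_CONN@`/`@USR_MAX_CONN@` tokens. The mapping is also crossed: the user-pool tokens should take the user-pool sizes, as they do for the bootstrap config on L88-L89. Change the two lines to `<replace file="${dst.load.bootstrap.script}" token="@USR_MIN_CONN@" value="${user.min.conn}"/>` and `<replace file="${dst.load.bootstrap.script}" token="@USR_MAX_CONN@" value="${user.max.conn}"/>`.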
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/feb55897/config/bootstrap/fortress.properties.src
----------------------------------------------------------------------
diff --git a/config/bootstrap/fortress.properties.src b/config/bootstrap/fortress.properties.src
index d5dafd8..9fd4080 100755
--- a/config/bootstrap/fortress.properties.src
+++ b/config/bootstrap/fortress.properties.src
@@ -42,9 +42,15 @@ max.user.conn=@USR_MAX_CONN@
min.admin.conn=@ADM_MIN_CONN@
max.admin.conn=@ADM_MAX_CONN@
-# This min/max settings for read/write access to LDAP slapd access log entries:
+# These credentials are used for read/write access to all nodes under slapd access log suffix:
+log.admin.user=@LOG_ROOT_DN@
+# For corresponding log user:
+log.admin.pw=@CFG_LOG_ROOT_PW@
+
+# This is min/max settings for LDAP administrator pool connections that have read/write access to all nodes under suffix:
min.log.conn=@LOG_MIN_CONN@
max.log.conn=@LOG_MAX_CONN@
+
# enable this to see trace statements when connection pool allocates new connections:
debug.ldap.pool=true
# Default for pool reconnect flag is false:
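Review bot: The comment added on L128 describes the LDAP administrator pool ("read/write access to all nodes under suffix"), but the two keys beneath it size the slapd access-log pool that binds as `log.admin.user`; it reads as copied from the admin block above. Replace it with `# Min/max connections in the slapd access-log pool (bound as log.admin.user, used only for audit reads):`. The `log.admin.pw` comment on L125 should also say whether the value is cleartext or the EncryptUtil-encrypted form selected by `crypto.prop` — the Java side decrypts pool passwords when encryption is enabled, so presumably the latter applies here too; verify.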
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/feb55897/config/fortress.properties.src
----------------------------------------------------------------------
diff --git a/config/fortress.properties.src b/config/fortress.properties.src
index 563c2d7..06aa5f9 100755
--- a/config/fortress.properties.src
+++ b/config/fortress.properties.src
@@ -43,6 +43,19 @@ admin.pw=@CFG_ROOT_PW@
min.admin.conn=@ADM_MIN_CONN@
max.admin.conn=@ADM_MAX_CONN@
+# This is min/max settings for LDAP administrator pool connections that have read/write access to all nodes under suffix:
+min.admin.conn=@ADM_MIN_CONN@
+max.admin.conn=@ADM_MAX_CONN@
+
+# These credentials are used for read/write access to all nodes under slapd access log suffix:
+log.admin.user=@LOG_ROOT_DN@
+# For corresponding log user:
+log.admin.pw=@CFG_LOG_ROOT_PW@
+
+# This is min/max settings for LDAP administrator pool connections that have read/write access to all nodes under suffix:
+min.log.conn=@LOG_MIN_CONN@
+max.log.conn=@LOG_MAX_CONN@
+
# This node contains fortress properties stored on behalf of connecting LDAP clients:
config.realm=DEFAULT
config.root=ou=Config,@SUFFIX@
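Review bot: L145-L146 redefine `min.admin.conn` and `max.admin.conn`, which are already set on L142-L143 from the same tokens; `java.util.Properties` keeps the last definition, so this is harmless today but the duplicate block will silently shadow any later edit to the first one. Drop L144-L147. The comment on L153 has the same copy-paste problem as the bootstrap template: it says administrator pool but the keys size the log pool; suggest `# Min/max connections in the slapd access-log pool (bound as log.admin.user):`.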
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/feb55897/ldap/setup/refreshLDAPData-src.xml
----------------------------------------------------------------------
diff --git a/ldap/setup/refreshLDAPData-src.xml b/ldap/setup/refreshLDAPData-src.xml
index 90c7941..4b7fee4 100755
--- a/ldap/setup/refreshLDAPData-src.xml
+++ b/ldap/setup/refreshLDAPData-src.xml
@@ -52,12 +52,8 @@
<addconfig>
<config props="enable.audit:true"/>
<config props="config.realm:DEFAULT"/>
- <config props="log.admin.user:@LOG_ROOT_DN@"/>
- <config props="log.admin.pw:@CFG_LOG_ROOT_PW@"/>
<config props="min.user.conn:@USR_MIN_CONN@"/>
<config props="max.user.conn:@USR_MAX_CONN@"/>
- <config props="min.log.conn:@LOG_MIN_CONN@"/>
- <config props="max.log.conn:@LOG_MAX_CONN@"/>
<config props="user.session.props.enabled:false"/>
<config props="authn.type:default"/>
<config props="ldap.server.type:@SERVER_TYPE@"/>
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/feb55897/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java b/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java
index d38f573..38d36c0 100644
--- a/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java
+++ b/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java
@@ -102,6 +102,12 @@ public abstract class ApacheDsDataProvider
private static final String LDAP_ADMIN_POOL_UID = "admin.user";
private static final String LDAP_ADMIN_POOL_PW = "admin.pw";
+ // Used for slapd access log {@link org.apache.directory.fortress.core.rbacAuditDAO}
+ private static final String LDAP_LOG_POOL_UID = "log.admin.user";
+ private static final String LDAP_LOG_POOL_PW = "log.admin.pw";
+ private static final String LDAP_LOG_POOL_MIN = "min.log.conn";
+ private static final String LDAP_LOG_POOL_MAX = "max.log.conn";
+
// Used for TLS/SSL client-side configs:
private static final String ENABLE_LDAP_SSL = "enable.ldap.ssl";
private static final String ENABLE_LDAP_SSL_DEBUG = "enable.ldap.ssl.debug";
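Review bot: The comment on L188 links `org.apache.directory.fortress.core.rbacAuditDAO`, which is missing a dot (the AttrHelper hunk in this commit uses `org.apache.directory.fortress.core.rbac.UserDAO`, so the package is `rbac`); since it is a `//` comment the `{@link}` is never resolved anyway. Suggest `// Slapd access-log pool settings, consumed by org.apache.directory.fortress.core.rbac.AuditDAO; read from fortress.properties, not from the LDAP config node.` — the last clause being what the TODO in the pool-setup hunk below implies, verify.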
@@ -143,6 +149,8 @@ public abstract class ApacheDsDataProvider
int port = Config.getInt( LDAP_PORT, 10389 );
int min = Config.getInt( LDAP_ADMIN_POOL_MIN, 1 );
int max = Config.getInt( LDAP_ADMIN_POOL_MAX, 10 );
+ int logmin = Config.getInt( LDAP_LOG_POOL_MIN, 1 );
+ int logmax = Config.getInt( LDAP_LOG_POOL_MAX, 10 );
if(IS_SET_TRUST_STORE_PROP)
{
@@ -167,8 +175,7 @@ public abstract class ApacheDsDataProvider
TRUST_STORE,
TRUST_STORE_PW.toCharArray() , null, true ) );
- String adminPw = null;
-
+ String adminPw;
if ( EncryptUtil.isEnabled() )
{
adminPw = EncryptUtil.decrypt( Config.getProperty( LDAP_ADMIN_POOL_PW ) );
@@ -212,19 +219,44 @@ public abstract class ApacheDsDataProvider
adminPool.setMaxActive( max );
adminPool.setMinIdle( min );
- // Create the Log pool
- logPool = new LdapConnectionPool( factory );
- logPool.setTestOnBorrow( true );
- logPool.setWhenExhaustedAction( GenericObjectPool.WHEN_EXHAUSTED_GROW );
- logPool.setMaxActive( max );
- logPool.setMinIdle( min );
-
// Create the User pool
userPool = new LdapConnectionPool( factory );
userPool.setTestOnBorrow( true );
userPool.setWhenExhaustedAction( GenericObjectPool.WHEN_EXHAUSTED_GROW );
userPool.setMaxActive( max );
userPool.setMinIdle( min );
+
+ // Create the Log pool
+ // TODO: Initializing the log pool in static block requires static props set within fortress.properties.
+ // To make this dynamic requires moving this code outside of static block AND storing the connection metadata inside fortress config node (in ldap).
+ LdapConnectionConfig logConfig = new LdapConnectionConfig();
+ logConfig.setLdapHost( host );
+ logConfig.setLdapPort( port );
+ logConfig.setName( Config.getProperty( LDAP_ADMIN_POOL_UID, "" ) );
+
+ // added by smckinney for TLS/SSL config:
+ logConfig.setUseSsl( IS_SSL );
+ logConfig.setTrustManagers( new LdapClientTrustStoreManager(
+ TRUST_STORE,
+ TRUST_STORE_PW.toCharArray() , null, true ) );
+
+ logConfig.setName( Config.getProperty( LDAP_LOG_POOL_UID, "" ) );
+ String logPw;
+ if ( EncryptUtil.isEnabled() )
+ {
+ logPw = EncryptUtil.decrypt( Config.getProperty( LDAP_ADMIN_POOL_PW ) );
+ }
+ else
+ {
+ logPw = Config.getProperty( LDAP_LOG_POOL_PW );
+ }
+ logConfig.setCredentials( logPw );
+ factory = new PoolableLdapConnectionFactory( logConfig );
+ logPool = new LdapConnectionPool( factory );
+ logPool.setTestOnBorrow( true );
+ logPool.setWhenExhaustedAction( GenericObjectPool.WHEN_EXHAUSTED_GROW );
+ logPool.setMaxActive( logmax );
+ logPool.setMinIdle( logmin );
}
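Review bot: L249 decrypts `LDAP_ADMIN_POOL_PW` instead of `LDAP_LOG_POOL_PW`, so whenever EncryptUtil is enabled the log pool binds as `log.admin.user` with the admin account's password; the bind fails, or worse, succeeds only in setups where both accounts share a password, which hides the misconfiguration. Change it to `logPw = EncryptUtil.decrypt( Config.getProperty( LDAP_LOG_POOL_PW ) );`. The `logConfig.setName( Config.getProperty( LDAP_ADMIN_POOL_UID, "" ) )` on L237 is overwritten on L245 and should be deleted rather than left as a misleading first binding. Neither branch checks for a missing `log.admin.pw`, so a null reaches `setCredentials( null )` — presumably an unauthenticated bind attempt rather than a clear startup error; an explicit check that fails fast would be safer. The enclosing static initializer starts outside the hunk.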
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/feb55897/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java b/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java
index 6976ed4..f1ab501 100755
--- a/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java
+++ b/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java
@@ -19,6 +19,7 @@
*/
package org.apache.directory.fortress.core.util.attr;
+import org.apache.directory.api.util.DateUtils;
import org.apache.directory.fortress.core.GlobalIds;
import org.apache.directory.fortress.core.rbac.Administrator;
import org.apache.directory.fortress.core.rbac.AuthZ;
@@ -32,7 +33,7 @@ import java.util.Properties;
/**
* Class contains static utilities for various conversions of ldap data to application entity and back. These methods are called by the
- * Fortress DAO's, i.e. {@link org.apache.directory.fortress.core.rbac.dao.UserDAO}.
+ * Fortress DAO's, i.e. {@link org.apache.directory.fortress.core.rbac.UserDAO}.
* These are low-level data utilities and no validations are performed. These apis should not be called by outside programs.
* <p/>
* This class is thread safe.
@@ -60,7 +61,6 @@ public class AttrHelper
// copy the user and perm pools:
trgR.setOsP(srcR.getOsP());
trgR.setOsU(srcR.getOsU());
-
}
/**
@@ -92,7 +92,6 @@ public class AttrHelper
propList.size();
for (String raw : propList)
{
-
int indx = raw.indexOf(separator);
if (indx >= 1)
{
@@ -186,7 +185,7 @@ public class AttrHelper
/**
- * Convert from raw ldap generalized time format to {@link java.util.Date}. Use the UnboundID SDK, <a href="http://www.unboundid.com/products/ldap-sdk/">JGraphT</a>
+ * Convert from raw ldap generalized time format to {@link java.util.Date}.
* to decode the string.
*
* @param inputString containing raw ldap generalized time formatted string.
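Review bot: After dropping the UnboundID sentence, L302-L303 read `Convert from raw ldap generalized time format to {@link java.util.Date}. to decode the string.` — the second line is an orphaned fragment. Replace the two lines with `* Convert from raw ldap generalized time format to {@link java.util.Date}, using the Apache Directory API {@link org.apache.directory.api.util.DateUtils} to decode the string.`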
@@ -195,14 +194,13 @@ public class AttrHelper
public static Date decodeGeneralizedTime(String inputString) throws ParseException
{
Date aDate = null;
- // TODO: fix me (removed for unboundid)
- //aDate = com.unboundid.util.StaticUtils.decodeGeneralizedTime(inputString);
+ aDate = DateUtils.getDate( inputString );
return aDate;
}
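Review bot: The method keeps `throws ParseException` but now delegates to `DateUtils.getDate`, and it is not visible here whether that helper throws a checked ParseException, throws unchecked, or returns null on a malformed value; callers that catch ParseException need that confirmed, otherwise a bad timestamp from the directory surfaces as an NPE or an unchecked exception elsewhere. Also worth confirming that `DateUtils.getDate` accepts every generalized-time form the server may return (fractional seconds, non-Zulu offsets) that the UnboundID decoder did. The null-initialised local is dead; `return DateUtils.getDate( inputString );` says the same thing.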
/**
- * Convert from java date {@link java.util.Date} format to raw ldap generalized time format. Use the UnboundID SDK, <a href="http://www.unboundid.com/products/ldap-sdk/">JGraphT</a>
+ * Convert from java date {@link java.util.Date} format to raw ldap generalized time format.
* to encode the string.
*
* @param date reference to standard java date.
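Review bot: Same orphaned fragment as in the decode Javadoc: L317-L318 now read `... to raw ldap generalized time format. to encode the string.` Replace the two lines with `* Convert from java date {@link java.util.Date} format to raw ldap generalized time format, using the Apache Directory API {@link org.apache.directory.api.util.DateUtils} to encode the string.`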
@@ -211,8 +209,7 @@ public class AttrHelper
public static String encodeGeneralizedTime(Date date)
{
String szTime = null;
- // TODO: fix me (removed for unboundid)
- //szTime = com.unboundid.util.StaticUtils.encodeGeneralizedTime(date);
+ szTime = DateUtils.getGeneralizedTime( date );
return szTime;
}