Author: rhafer Date: Fri Nov 13 16:01:22 2009 New Revision: 59535 URL: http://svn.opensuse.org/viewcvs/yast?rev=59535&view=rev Log: Reworked Wizard Code again - Allow Configuration of a Syncrepl Account - Verfiy SSL certificate to check if replication with TLS protection will work - (hopefully) improved errormessages - Removed unneeded Code - Cleanup Modified: branches/SuSE-Code-11-SP1-Branch/ldap-server/src/LdapServer.pm branches/SuSE-Code-11-SP1-Branch/ldap-server/src/dialogs.ycp Modified: branches/SuSE-Code-11-SP1-Branch/ldap-server/src/LdapServer.pm URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/ldap-server/src/LdapServer.pm?rev=59535&r1=59534&r2=59535&view=diff ============================================================================== --- branches/SuSE-Code-11-SP1-Branch/ldap-server/src/LdapServer.pm (original) +++ branches/SuSE-Code-11-SP1-Branch/ldap-server/src/LdapServer.pm Fri Nov 13 16:01:22 2009 @@ -192,11 +192,9 @@ # hashes of the password policy DNs and and objects my $ppolicy_objects = {}; -# A hash containing the necessary step to setup cn=config -# replication -my $remoteReplicationSetupTodo = {}; - my $syncreplaccount = {}; +my $syncreplbaseconfig = {}; + ## # Read all ldap-server settings # @return true on success @@ -2638,16 +2636,11 @@ return $ppolicy_objects->{$suffix} } -BEGIN { $TYPEINFO {CheckRemoteForReplication} = ["function", "boolean", ["map", "string", "any"] ]; } -sub CheckRemoteForReplication +BEGIN { $TYPEINFO {SetupRemoteForReplication} = ["function", "boolean" ]; } +sub SetupRemoteForReplication { - my ( $self, $param) = @_; - $param->{'target'}->{'port'} = YaST::YCP::Integer($param->{'target'}->{'port'}); - $param->{'starttls'} = YaST::YCP::Boolean($param->{'starttls'}); + my ( $self ) = @_; - SCR->Execute(".ldapserver.init", $param ); - - my @db_changes = (); my $dbs = $self->ReadDatabaseList(); for ( my $i=0; $i < scalar(@{$dbs})-1; $i++) { @@ -2655,39 +2648,92 @@ my $suffix = $dbs->[$i+1]->{'suffix'}; if ( $type eq "config" || $type eq "bdb" || $type eq "hdb" ) { - my $changes = { "index" => $i, "suffix" => $suffix }; my $db = SCR->Read(".ldapserver.database.{".$i."}" ); my $prv = SCR->Read(".ldapserver.database.{".$i."}.syncprov" ); + y2debug("Database $i ". Data::Dumper->Dump([ $prv ]) ); if ( keys %{$prv} == 0 ) { y2milestone("Database $i needs syncprov overlay"); - $changes->{'needsyncprov'} = 1; - } - else - { - $changes->{'needsyncprov'} = 0; + y2milestone("Enabling syncrepl provider overlay on database $i"); + my $syncprov = { 'enabled' => 1, + 'checkpoint' => { 'ops' => YaST::YCP::Integer(100), + 'min' => YaST::YCP::Integer(5) + } + }; + SCR->Write(".ldapserver.database.{".$i."}.syncprov", $syncprov); } + } + } + for ( my $i=0; $i < scalar(@{$dbs})-1; $i++) + { + my $type = $dbs->[$i+1]->{'type'}; + my $suffix = $dbs->[$i+1]->{'suffix'}; + if ( $type eq "config" || $type eq "bdb" || $type eq "hdb" ) + { my $cons = SCR->Read(".ldapserver.database.{".$i."}.syncrepl" ); + my $needsyncrepl = 0; if ( keys %{$cons} == 0 ) { y2milestone("Database $i needs syncrepl config"); - $changes->{'needsyncrepl'} = 1; + $needsyncrepl = 1; } else { - $changes->{'needsyncrepl'} = 0; + my $provider = $cons->{'provider'}; + if ( $provider->{'target'} ne $syncreplbaseconfig->{'provider'}->{'target'} ) + { + y2milestone("Provider Hostname doesn't match"); + $needsyncrepl = 1; + } + elsif ( $provider->{'port'} ne $syncreplbaseconfig->{'provider'}->{'port'}->value ) + { + y2milestone("Provider Port doesn't match"); + $needsyncrepl = 1; + } + elsif ( $provider->{'protocol'} ne $syncreplbaseconfig->{'provider'}->{'protocol'} ) + { + y2milestone("Provider Protocol doesn't match"); + $needsyncrepl = 1; + } + elsif ( $cons->{'binddn'} ne $syncreplbaseconfig->{'binddn'} ) + { + y2milestone("binddn doesn't match syncreplbaseconfig"); + $needsyncrepl = 1; + } + elsif ( $cons->{'credentials'} ne $syncreplbaseconfig->{'credentials'} ) + { + y2milestone("credentials don't match syncreplbaseconfig"); + $needsyncrepl = 1; + } } - if ( lc($db->{'rootdn'}) eq lc($param->{'binddn'}) ) + if ( $needsyncrepl ) { - y2milestone("Repl DN is rootdn of database $i. No ACL needed"); - $changes->{'needsyncacl'} = 0; + y2milestone("Adding syncrepl consumer configuration for database $i"); + $syncreplbaseconfig->{'basedn'} = $suffix; + SCR->Write(".ldapserver.database.{".$i."}.syncrepl", $syncreplbaseconfig ); + } + + } + } + + for ( my $i=0; $i < scalar(@{$dbs})-1; $i++) + { + my $type = $dbs->[$i+1]->{'type'}; + my $suffix = $dbs->[$i+1]->{'suffix'}; + if ( $type eq "config" || $type eq "bdb" || $type eq "hdb" ) + { + my $db = SCR->Read(".ldapserver.database.{".$i."}" ); + my $needsacl = 0; + if ( lc($db->{'rootdn'}) eq lc($syncreplbaseconfig->{'binddn'}) ) + { + y2milestone("Repl DN \"".$syncreplbaseconfig->{'binddn'}. "\" is rootdn of database $i. No ACL needed"); } else { my $acl = SCR->Read(".ldapserver.database.{".$i."}.acl" ); y2debug("Database $i acl:". Data::Dumper->Dump([ $acl ]) ); - my $needacl=1; + my $needacl = 1; foreach my $rule ( @{$acl} ) { my $wholedb=0; @@ -2716,7 +2762,7 @@ foreach my $access ( @{$rule->{'access'}} ) { if ( $access->{'type'} eq "dn.base" && - lc($access->{'value'}) eq lc($param->{'binddn'} ) && + lc($access->{'value'}) eq lc($syncreplbaseconfig->{'binddn'} ) && ($access->{'level'} eq "read" || $access->{'level'} eq "write") ) { @@ -2733,153 +2779,69 @@ } if ( $needacl ) { - y2milestone("Database $i needs sync-acl"); - $changes->{'needsyncacl'} = 1; - } - else - { - $changes->{'needsyncacl'} = 0; + y2milestone("Adding ACL for syncrepl to database $i"); + my @syncacl = ({ + 'target' => {}, + 'access' => [ + { 'type' => "dn.base", + 'value' => $syncreplbaseconfig->{'binddn'}, + 'level' => "read", + 'control' => "" }, + { 'type' => "*", + 'value' => "", + 'level' => "", + 'control' => "break" } + ] + }); + my $acl = SCR->Read(".ldapserver.database.{".$i."}.acl" ); + push @syncacl, (@$acl); + my $rc = SCR->Write(".ldapserver.database.{".$i."}.acl", \@syncacl ); } } - push @db_changes, $changes; - } - } - $remoteReplicationSetupTodo = { "dbchanges" => \@db_changes, "param" => $param }; - return 1; -} - - -BEGIN { $TYPEINFO {SetupRemoteForReplication} = ["function", "boolean" ]; } -sub SetupRemoteForReplication -{ - my $db_changes = $remoteReplicationSetupTodo->{'dbchanges'}; - my $param = $remoteReplicationSetupTodo->{'param'}; - - foreach my $db_change (@{$db_changes}) - { - my $i = $db_change->{'index'}; - if ($db_change->{'needsyncacl'} ) - { - y2milestone("Adding ACL for syncrepl to database $i"); - my @syncacl = ({ - 'target' => {}, - 'access' => [ - { 'type' => "dn.base", - 'value' => $param->{'binddn'}, - 'level' => "read", - 'control' => "" }, - { 'type' => "*", - 'value' => "", - 'level' => "", - 'control' => "break" } - ] - }); - my $acl = SCR->Read(".ldapserver.database.{".$i."}.acl" ); - push @syncacl, (@$acl); - my $rc = SCR->Write(".ldapserver.database.{".$i."}.acl", \@syncacl ); - } - if ( $db_change->{'needsyncprov'} ) - { - y2milestone("Enabling syncrepl provider overlay on database $i"); - my $syncprov = { 'enabled' => 1, - 'checkpoint' => { 'ops' => YaST::YCP::Integer(100), - 'min' => YaST::YCP::Integer(5) - } - }; - SCR->Write(".ldapserver.database.{".$i."}.syncprov", $syncprov); - } - if ( $db_change->{'needsyncrepl'} ) - { - y2milestone("Adding syncrepl consumer configuration for database $i"); - my $syncrepl = { - "provider" => { - "protocol" => $param->{'target'}->{'protocol'}, - "target" => $param->{'target'}->{'target'}, - "port" => $param->{'target'}->{'port'} - }, - "type" => "refreshAndPersist", - "binddn" => $param->{'binddn'}, - "credentials" => $param->{'credentials'}, - "basedn" => $db_change->{"suffix"}, - "starttls" => $param->{'starttls'} - }; - SCR->Write(".ldapserver.database.{".$i."}.syncrepl", $syncrepl ); } } - y2milestone("Comminting changes to provider LDAP"); SCR->Execute(".ldapserver.commitChanges" ); SCR->Execute(".ldapserver.reset" ); - # Remote should be ready now. Now create the local config stub required - # to initiate cn=config replication + $self->CreateSyncReplAccount(); SCR->Execute(".ldapserver.initGlobals" ); - - #SCR->Write(".ldapserver.global.serverIds", [ $ownServerId ] ); my $cfgdatabase = { 'type' => 'config', 'rootdn' => 'cn=config' }; my $frontenddb = { 'type' => 'frontend' }; SCR->Execute('.ldapserver.initDatabases', [ $frontenddb, $cfgdatabase ] ); - my $syncrepl = { - "provider" => { - "protocol" => $param->{'target'}->{'protocol'}, - "target" => $param->{'target'}->{'target'}, - "port" => $param->{'target'}->{'port'} - }, - "type" => "refreshAndPersist", - "binddn" => $param->{'binddn'}, - "credentials" => $param->{'credentials'}, - "basedn" => "cn=config", - "starttls" => $param->{'starttls'}, - "updateref" => {} - }; - SCR->Write(".ldapserver.database.{0}.syncrepl", $syncrepl ); - $overwriteConfig = 1; - $isSyncreplSlave = 1; + $syncreplbaseconfig->{'binddn'} = "cn=config"; + $syncreplbaseconfig->{'credentials'} = $auth_info->{'cn=config'}->{'bind_pw'}; + $syncreplbaseconfig->{'basedn'} = "cn=config"; + SCR->Write(".ldapserver.database.{0}.syncrepl", $syncreplbaseconfig ); + my $ldif = SCR->Read('.ldapserver.configAsLdif' ); + y2milestone($ldif); + $overwriteConfig = 1; +# $self->Write( {resetCsn => 1} ); +# SCR->Execute(".ldapserver.reset" ); + return 1; } -BEGIN { $TYPEINFO{ReplicationSetupSummary} = ["function", "string" ]; } -sub ReplicationSetupSummary { - # Configuration summary text for autoyast - my $self = shift; - my $db_changes = $remoteReplicationSetupTodo->{'dbchanges'}; - my $param = $remoteReplicationSetupTodo->{'param'}; - - my $string = ""; - my $nochanges = 0; - $string .= "<h1>"._("Applying the following changes to: \""). $param->{'target'}->{'target'}."\"</h1>" ; - foreach my $db_change (@{$db_changes} ) - { - $string .= "<h2>"._("Database: \""). $db_change->{'suffix'}."\"</h2>" ; - $string .= "<il>"; - if (! ( $db_change->{'needsyncacl'} || $db_change->{'needsyncprov'} || $db_change->{'needsyncrepl'} )) - { - $string .= "<li>"._("No modifications required.")."</li>"; - } - else - { - $nochanges = 0; - } - if ( $db_change->{'needsyncacl'} ) - { - $string .= "<li>"._("Adding ACL to grant \"").$param->{'binddn'}. _("\" read access for replication.")."</li>"; - } - if ( $db_change->{'needsyncprov'} ) +BEGIN { $TYPEINFO {WriteSyncreplBaseConfig} = ["function", "boolean", ["map", "string", "any"] ]; } +sub WriteSyncreplBaseConfig +{ + my ($self, $syncrepl ) = @_; + $syncreplbaseconfig = $syncrepl; + $syncreplbaseconfig->{'provider'}->{'port'} = YaST::YCP::Integer($syncreplbaseconfig->{'provider'}->{'port'} ); + $syncreplbaseconfig->{'starttls'} = YaST::YCP::Boolean($syncreplbaseconfig->{'starttls'} ); + if (defined $syncreplbaseconfig->{'updateref'} ) + { + if ( defined $syncreplbaseconfig->{'updateref'}->{'port'} ) { - $string .= "<li>"._("Adding LDAPSync provider configuration to be able to act as Replication Provider.")."</li>"; + $syncreplbaseconfig->{'updateref'}->{'port'} = YaST::YCP::Integer( $syncreplbaseconfig->{'updateref'}->{'port'} ); } - if ( $db_change->{'needsyncrepl'} ) + if ( defined $syncreplbaseconfig->{'updateref'}->{'use_provider'} ) { - $string .= "<li>"._("Adding LDAPSync consumer configuration.")."</li>"; + $syncreplbaseconfig->{'updateref'}->{'use_provider'} = YaST::YCP::Boolean( $syncreplbaseconfig->{'updateref'}->{'use_provider'} ); } - $string .= "</il>"; - } - if ( $nochanges ) - { - $string = ""; } - return $string; + return 1; } ## Modified: branches/SuSE-Code-11-SP1-Branch/ldap-server/src/dialogs.ycp URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/ldap-server/src/dialogs.ycp?rev=59535&r1=59534&r2=59535&view=diff ============================================================================== --- branches/SuSE-Code-11-SP1-Branch/ldap-server/src/dialogs.ycp (original) +++ branches/SuSE-Code-11-SP1-Branch/ldap-server/src/dialogs.ycp Fri Nov 13 16:01:22 2009 @@ -801,34 +801,109 @@ testparm = add(testparm, "basedn", "cn=config" ); testparm = add(testparm, "binddn", "cn=config" ); testparm = add(testparm, "credentials", (string)UI::QueryWidget(`te_config_cred, `Value) ); - if(!(boolean)SCR::Execute( .ldapserver.remoteBindCheck, testparm ) ) + + if (!(boolean) LdapServer::InitRemoteConnection( testparm ) ) { - map err = SCR::Error(.ldapserver); - Popup::ErrorDetails( _("Verifying the administration Password for the \"cn=config\" Database failed"), - _("The test returned the following error messages:") - + "\n\n\"" + - (string)err["summary"]:"" + "\"\n\"" + (string)err["description"]:"" + "\"\n" ); + map err = LdapServer::ReadError(); + Popup::ErrorDetails( _("Failed to open connection to the \"cn=config\" Database on the Provider Server.\n") + + _("Please verify that the Provider Server allows remote connections to the \"cn=config\" Database\nand that you entered the correct password"), + _("The following error messages were returned:") + "\n\n\"" + + (string)err["msg"]:"" + "\"\n\"" + + (string)err["details"]:"" + "\"" ); continue; } - - testparm["configcred"] = testparm["credentials"]:""; - testparm["binddn"] = (string)UI::QueryWidget(`te_sync_binddn, `Value); - testparm["credentials"] = (string)UI::QueryWidget(`te_sync_cred, `Value); - if(!(boolean)SCR::Execute( .ldapserver.remoteBindCheck, testparm ) ) - { - map err = SCR::Error(.ldapserver); - return Popup::ContinueCancelHeadline( - _("Verifying the Authentication DN and password for replication failed"), - _("The test returned the following error messages:") - + "\n\n\"" + - (string)err["summary"]:"" + "\"\n\"" + (string)err["description"]:"" - + "\"\n\n" + - _("Do you want to still want to continue?")); - } - if (!(boolean) LdapServer::CheckRemoteForReplication( testparm ) ) + if (!(boolean) LdapServer::VerifyTlsSetup( testparm["target"]:$[] ) ) { map err = LdapServer::ReadError(); - Popup::Error( (string)err["msg"]:"" + "\n" + (string)err["details"]:"" + "\n" ); + Popup::ErrorDetails( _("Error while verifying the TLS/SSL configuration"), + (string)err["msg"]:"" + "\n" + (string)err["details"]:"" + "\n" ); + if (Popup::YesNo( _("Do you want to import a different CA/Server Certificate?") ) ) + { + WFM::CallFunction("common_cert", [] ); + } + continue; + } + // Check if the syncrepl config of cn=config makes sense + map syncrepl = LdapServer::ReadSyncRepl(0); + if ( size(syncrepl) == 0 ) + { + if (Popup::ContinueCancel( _("The Replication Configuration on the Provider Server is missing.\n") + + _("Click Continue to create it now.") ) ) + { + continue; + } + else + { + ret = `cancel; + break; + } + } + else + { + // 1. Verify that the provider uri points to the provider itself + map provider = syncrepl["provider"]:$[]; + boolean setupok=true; + if ( size(provider) > 0 ) + { + if ( (string)provider["target"]:"" != (string)testparm["target","target"]:"" ) + { + y2error("Provider target names do not match: <%1> vs. <%2>", + (string)provider["target"]:"",(string)testparm["target","target"]:""); + setupok=false; + } + if ( (string)provider["protocol"]:"" != (string)testparm["target","protocol"]:"" ) + { + y2error("Provider protocols do not match: <%1> vs. <%2>", + (string)provider["protocol"]:"",(string)testparm["target","protocol"]:""); + setupok=false; + } + if ( (integer)provider["port"]:0 != (integer)testparm["target","port"]:0 ) + { + y2error("Provider ports do not match: <%1> vs. <%2>", + (string)provider["port"]:"",(string)testparm["target","port"]:""); + setupok=false; + } + if ( ! setupok ) + { + Popup::Error( _("The Replication Configuration on the master server indicates that\nis already acting as a Repliation Consumer.\n") + + _("Setting up cascaded replication of the cn=config is not supported currently.") ); + ret = `cancel; + break; + } + } + // 2. Verify that the binddn/credential combination acutally works + map bindtestparm = $[ + "target" : syncrepl["provider"]:$[], + "starttls" : syncrepl["starttls"]:true, + "basedn" : syncrepl["basedn"]:"", + "binddn" : syncrepl["binddn"]:"", + "credentials" : syncrepl["credentials"]:"" + ]; + if(!(boolean)SCR::Execute( .ldapserver.remoteBindCheck, bindtestparm ) ) + { + map err = SCR::Error(.ldapserver); + if ( Popup::ContinueCancel( _("Checking the Authentication credentials defined in the Replication Configuration on the Provider Server failed.\n") + + _("The test returned the following error messages:") + + "\n\n\"" + + (string)err["summary"]:"" + "\"\n\"" + (string)err["description"]:"" + + "\"\n\n" + + _("Click Continue to correct that now.") ) ) + { + syncrepl = SyncreplAccountConfig( syncrepl ); + if ( syncrepl["binddn"]:"" == "cn=config" ) + { + syncrepl["credentials"] = testparm["credentials"]:""; + } + } + else + { + ret = `cancel; + break; + } + } + LdapServer::WriteSyncreplBaseConfig( syncrepl ); + LdapServer::WriteAuthInfo( "cn=config", $[ "bind_dn" : "cn=config", "bind_pw" : testparm["credentials"]:"" ] ); + break; } } if ( ret == `cb_sync_prot ) @@ -853,8 +928,14 @@ } continue; } - return ret; + break; } + if ( ret != `next ) + { + // reset remote connection + SCR::Execute(.ldapserver.reset); + } + return ret; } @@ -864,63 +945,10 @@ */ any ReplicatonSetupSummaryDialog() { - /* LdapServer summary dialog caption */ - - string summary = LdapServer::ReplicationSetupSummary(); any ret = nil; - if ( size(summary) == 0 ) - { - LdapServer::SetupRemoteForReplication(); - ret = `next; - } - else - { - string caption = _("To setup a replication some changes are required on the remote server"); - term contents = - `VBox( - `RichText( summary ) - //, - //`Right( - // `PushButton( `id(`pb_advanced), _("Advanced Configuration") ) - //) - ); - - Wizard::SetContentsButtons(caption, contents, HELPS["summary"]:"", - Label::BackButton(), Label::FinishButton()); - - while(true) - { - - ret = UI::UserInput(); - - /* abort? */ - if (ret == `abort || ret == `cancel ) - { - if( Popup::ReallyAbort(true)) - { - break; - } - else - { - continue; - } - } - else if ( ret == `next ) - { - LdapServer::SetupRemoteForReplication(); - break; - } - else if ( ret == `back ) - { - break; - } - else { - y2error("unexpected retcode: %1", ret); - continue; - } - } - } + LdapServer::SetupRemoteForReplication(); + ret = `next; return ret; } -- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org