post_configuration.xml revision d81978a0815d5b8a75633c35e3e1f8708d36f017
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE stax SYSTEM "/shared/stax.dtd">
<!--
! CDDL HEADER START
!
! The contents of this file are subject to the terms of the
! Common Development and Distribution License, Version 1.0 only
! (the "License"). You may not use this file except in compliance
! with the License.
!
! You can obtain a copy of the license at
! trunk/opends/resource/legal-notices/OpenDS.LICENSE
! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
! See the License for the specific language governing permissions
! and limitations under the License.
!
! When distributing Covered Code, include this CDDL HEADER in each
! file and include the License file at
! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
! add the following below this CDDL HEADER, with the fields enclosed
! by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CDDL HEADER END
!
! Copyright 2008 Sun Microsystems, Inc.
! -->
<stax>
<!-- Entry point when this file is run on its own: STAX invokes postConfiguration,
     whose phase/instances/suffix/scheduler arguments are supplied by the caller. -->
<defaultcall function="postConfiguration"/>
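<function name="postConfiguration" scope="local">
  <!--
  ! Post-configuration phase.
  !
  ! For every server instance: tune the size-limit log rotation policy, enable the
  ! "UID Unique Attribute" and "Referential Integrity" plugins, create three dynamic
  ! groups (one per mailEXT value) under ou=QA Engineers,dc=com with their ACIs,
  ! create/assign two password policies, and export the server certificate.
  !
  ! Then, for every enabled client named secureSearch, secureModifyEntries or
  ! secureUserpasswordModify: generate a self-signed client certificate on the
  ! client host, exchange certificate directories with the client's server
  ! instance, import each side's certificate into the other's store and create
  ! the mapping user (create_mapping_user).
  !
  ! Privileged binds use the global DIRECTORY_INSTANCE_DN / DIRECTORY_INSTANCE_PSWD;
  ! all report output goes to LOG_MAIN_FD. Every remote command is expected to
  ! return 0 (expectedRC).
  ! -->
  <function-map-args>
    <function-arg-def name="phase" type="required">
      <function-arg-description>
        phase object
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="instances" type="required">
      <function-arg-description>
        list of instances classes
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="suffix" type="required">
      <function-arg-description>
        suffix class
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="scheduler" type="required">
      <function-arg-description>
        scheduler class
      </function-arg-description>
    </function-arg-def>
  </function-map-args>
  <sequence>
    <!-- ================= Call preamble ========================= -->
    <call function="'phasePreamble'">
      { 'phase' : phase,
        'fileFd' : LOG_MAIN_FD }
    </call>
    <message>'debug get first instance'</message>
    <!-- ================= Per-instance configuration ============= -->
    <iterate in="instances" var="instance">
      <sequence>
        <!-- == Write start tag for xml report -->
        <call function="'writeStartTagInstance'">
          {
            'instance' : instance,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <call function="'writeMessage'">
          {
            'fileFd' : LOG_MAIN_FD,
            'content' : 'my instance is : %s' % instance.getName()
          }
        </call>
        <!-- ################################################# -->
        <!-- Configure log rotation policy: rotate the size-limit policy at 15mb -->
        <call function="'dsconfig'">
          { 'location' : instance.getHost(),
            'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'subcommand' : 'set-log-rotation-policy-prop',
            'objectType' : 'policy-name',
            'objectName' : 'Size Limit Rotation Policy',
            'optionsString' : '--set file-size-limit:15mb',
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- ################################################# -->
        <!-- Enable the "UID Unique Attribute" plugin -->
        <call function="'dsconfig'">
          { 'location' : instance.getHost(),
            'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'subcommand' : 'set-plugin-prop',
            'objectType' : 'plugin-name' ,
            'objectName' : 'UID Unique Attribute',
            'optionsString' : '--set enabled:true',
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- Enable the "Referential Integrity" plugin -->
        <call function="'dsconfig'">
          { 'location' : instance.getHost(),
            'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'subcommand' : 'set-plugin-prop' ,
            'objectType' : 'plugin-name' ,
            'objectName' : 'Referential Integrity',
            'optionsString' : '--set enabled:true',
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD}
        </call>
        <!-- ################################################# -->
        <!-- Create dynamic groups under ou=QA Engineers,dc=com -->
        <!-- There are 3 dynamic groups; each collects the entries whose -->
        <!-- mailEXT value is group1, group2 or group3 respectively. -->
        <!-- NOTE(review): the group DN is built from suffix.getSuffixDn() but the -->
        <!-- memberURL search base is hard-coded to ou=QA Engineers,dc=com; the two -->
        <!-- only agree when the suffix is dc=com. Confirm before reusing elsewhere. -->
        <!-- ################################################# -->
        <!-- =========================== -->
        <!-- create QA_dynamic_group1_dn -->
        <!-- =========================== -->
        <script>
          QA_dynamic_group1_dn="cn=QA_dynamic_group1,%s" % suffix.getSuffixDn()
          listAttr = []
          listAttr.append('objectclass:top')
          listAttr.append('objectclass:groupOfURLs')
          listAttr.append('ou:Groups')
          listAttr.append('memberURL:ldap:///ou=QA Engineers,dc=com??sub?(mailEXT=group1)')
        </script>
        <call function="'addAnEntry'">
          { 'location' : instance.getHost(),
            'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'DNToAdd' : QA_dynamic_group1_dn,
            'listAttributes' : listAttr,
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- =========================== -->
        <!-- create QA_dynamic_group2_dn -->
        <!-- =========================== -->
        <script>
          QA_dynamic_group2_dn="cn=QA_dynamic_group2,%s" % suffix.getSuffixDn()
          listAttr = []
          listAttr.append('objectclass:top')
          listAttr.append('objectclass:groupOfURLs')
          listAttr.append('ou:Groups')
          listAttr.append('memberURL:ldap:///ou=QA Engineers,dc=com??sub?(mailEXT=group2)')
        </script>
        <call function="'addAnEntry'">
          { 'location' : instance.getHost(),
            'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'DNToAdd' : QA_dynamic_group2_dn,
            'listAttributes' : listAttr,
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- =========================== -->
        <!-- create QA_dynamic_group3_dn -->
        <!-- =========================== -->
        <script>
          QA_dynamic_group3_dn="cn=QA_dynamic_group3,%s" % suffix.getSuffixDn()
          listAttr = []
          listAttr.append('objectclass:top')
          listAttr.append('objectclass:groupOfURLs')
          listAttr.append('ou:Groups')
          listAttr.append('memberURL:ldap:///ou=QA Engineers,dc=com??sub?(mailEXT=group3)')
        </script>
        <call function="'addAnEntry'">
          { 'location' : instance.getHost(),
            'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'DNToAdd' : QA_dynamic_group3_dn,
            'listAttributes' : listAttr,
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- =============================== -->
        <!-- Define ACIs for dynamic group 1 -->
        <!-- =============================== -->
        <!-- Group 1 gets all rights on the mailEXT attribute of ou=QA Engineers,dc=com -->
        <script>
          curr_aci="(targetattr=\"mailEXT\")(version 3.0; acl \" mailEXT add_aci_for_dyn_group1_QA\"; allow (all) groupdn=\"ldap:///%s\";)" % QA_dynamic_group1_dn
        </script>
        <call function="'modifyAnAttribute'">
          { 'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'DNToModify' : "ou=QA Engineers,dc=com",
            'attributeName' : 'aci',
            'newAttributeValue' : curr_aci,
            'changetype' : 'add',
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- Group 1 gets read and search on every attribute except mailEXT -->
        <script>
          curr_aci="(targetattr!=\"mailEXT\")(version 3.0; acl \" not mailEXT read add_aci_for_dyn_group1_QA\"; allow (read,search) groupdn=\"ldap:///%s\";)" % QA_dynamic_group1_dn
        </script>
        <call function="'modifyAnAttribute'">
          { 'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'DNToModify' : "ou=QA Engineers,dc=com",
            'attributeName' : 'aci',
            'newAttributeValue' : curr_aci,
            'changetype' : 'add',
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- Group 1 gets write, add and delete on every attribute except mailEXT -->
        <script>
          curr_aci="(targetattr!=\"mailEXT\")(version 3.0; acl \" not mailEXT write add_aci_for_dyn_group1_QA\"; allow (write,add,delete) groupdn=\"ldap:///%s\";)" % QA_dynamic_group1_dn
        </script>
        <call function="'modifyAnAttribute'">
          { 'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'DNToModify' : "ou=QA Engineers,dc=com",
            'attributeName' : 'aci',
            'newAttributeValue' : curr_aci,
            'changetype' : 'add',
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- =============================== -->
        <!-- Define ACIs for dynamic group 2 -->
        <!-- =============================== -->
        <!-- Group 2 gets read, search, write and add on descriptionEXT -->
        <!-- under ou=QA Engineers,dc=com -->
        <script>
          curr_aci="(targetattr=\"descriptionEXT\")(version 3.0; acl \"aci_1_for_dyn_group2_QA\"; allow (read,search,write,add) groupdn=\"ldap:///%s\";)" % QA_dynamic_group2_dn
        </script>
        <call function="'modifyAnAttribute'">
          { 'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'DNToModify' : "ou=QA Engineers,dc=com",
            'attributeName' : 'aci',
            'newAttributeValue' : curr_aci,
            'changetype' : 'add',
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- Group 2 gets all rights on every attribute except descriptionEXT -->
        <!-- under ou=QA Engineers,dc=com -->
        <script>
          curr_aci="(targetattr!=\"descriptionEXT\")(version 3.0; acl \"aci_2_for_dyn_group2_QA\"; allow (all) groupdn=\"ldap:///%s\";)" % QA_dynamic_group2_dn
        </script>
        <call function="'modifyAnAttribute'">
          { 'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'DNToModify' : "ou=QA Engineers,dc=com",
            'attributeName' : 'aci',
            'newAttributeValue' : curr_aci,
            'changetype' : 'add',
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- Intended (per the original comment) to deny all access on postalCode -->
        <!-- under ou=QA Engineers,dc=com. -->
        <!-- NOTE(review): the ACI below says "allow (all)", not deny, and reuses the -->
        <!-- name aci_2_for_dyn_group2_QA of the previous ACI. Because the previous ACI -->
        <!-- already allows everything on every attribute except descriptionEXT, this -->
        <!-- rule adds no effective restriction. Confirm the intended semantics (and -->
        <!-- the downstream client expectations) before changing it to a deny. -->
        <script>
          curr_aci="(targetattr=\"postalCode\")(version 3.0; acl \"aci_2_for_dyn_group2_QA\"; allow (all) groupdn=\"ldap:///%s\";)" % QA_dynamic_group2_dn
        </script>
        <call function="'modifyAnAttribute'">
          { 'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'DNToModify' : "ou=QA Engineers,dc=com",
            'attributeName' : 'aci',
            'newAttributeValue' : curr_aci,
            'changetype' : 'add',
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- =============================== -->
        <!-- Define ACIs for dynamic group 3 -->
        <!-- =============================== -->
        <!-- Group 3 gets all rights on jpegPhoto -->
        <script>
          curr_aci="(targetattr=\"jpegPhoto\")(version 3.0; acl \"aci_1_for_dyn_group3_QA\"; allow (all) groupdn=\"ldap:///%s\";)" % QA_dynamic_group3_dn
        </script>
        <call function="'modifyAnAttribute'">
          { 'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'DNToModify' : "ou=QA Engineers,dc=com",
            'attributeName' : 'aci',
            'newAttributeValue' : curr_aci,
            'changetype' : 'add',
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- Group 3 gets all rights on every attribute except jpegPhoto -->
        <script>
          curr_aci="(targetattr!=\"jpegPhoto\")(version 3.0; acl \"aci_2_for_dyn_group3_QA\"; allow (all) groupdn=\"ldap:///%s\";)" % QA_dynamic_group3_dn
        </script>
        <call function="'modifyAnAttribute'">
          { 'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'DNToModify' : "ou=QA Engineers,dc=com",
            'attributeName' : 'aci',
            'newAttributeValue' : curr_aci,
            'changetype' : 'add',
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- =========================== -->
        <!-- Password policies -->
        <!-- =========================== -->
        <!-- Create a password policy for group1 (storage scheme "Salted SHA-1") -->
        <call function="'dsconfig'">
          { 'location' : instance.getHost(),
            'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'subcommand' : 'create-password-policy',
            'objectType' : 'policy-name',
            'objectName' : 'password_policy_group1',
            'optionsString' : '--set allow-user-password-changes:true \
--type generic \
--set default-password-storage-scheme:"Salted SHA-1" \
--set password-attribute:userpassword',
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <message>'debug %s' % QA_dynamic_group1_dn</message>
        <!-- Assign password_policy_group1 to the members of group1 through a -->
        <!-- user-defined virtual attribute ds-pwp-password-policy-dn -->
        <call function="'dsconfig'">
          { 'location' : instance.getHost(),
            'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'subcommand' : 'create-virtual-attribute',
            'objectType' : 'name',
            'objectName' : 'virtual attribute for password_policy_group1',
            'optionsString' : '--type user-defined \
--set enabled:true \
--set attribute-type:ds-pwp-password-policy-dn \
--set group-dn:%s \
--set conflict-behavior:real-overrides-virtual \
--set value:"cn=password_policy_group1,cn=Password Policies,cn=config"' % QA_dynamic_group1_dn,
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- Create a password policy for group2 (storage scheme "Salted MD5") -->
        <call function="'dsconfig'">
          { 'location' : instance.getHost(),
            'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'subcommand' : 'create-password-policy',
            'objectType' : 'policy-name',
            'objectName' : 'password_policy_group2',
            'optionsString' : '--set allow-user-password-changes:true \
--type generic \
--set default-password-storage-scheme:"Salted MD5" \
--set password-attribute:userpassword',
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <message>'debug %s' % QA_dynamic_group2_dn</message>
        <!-- Assign password_policy_group2 to the members of group2. -->
        <!-- Fixed: the virtual attribute value previously pointed at -->
        <!-- password_policy_group1, so group2 never received its own policy. -->
        <call function="'dsconfig'">
          { 'location' : instance.getHost(),
            'dsPath' : instance.getInstallDir(),
            'dsInstanceHost' : instance.getHost(),
            'dsInstancePort' : instance.getLDAPPort(),
            'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
            'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
            'subcommand' : 'create-virtual-attribute',
            'objectType' : 'name',
            'objectName' : 'virtual attribute for password_policy_group2',
            'optionsString' : '--type user-defined \
--set enabled:true \
--set attribute-type:ds-pwp-password-policy-dn \
--set group-dn:%s \
--set conflict-behavior:real-overrides-virtual \
--set value:"cn=password_policy_group2,cn=Password Policies,cn=config"' % QA_dynamic_group2_dn,
            'expectedRC' : 0,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- =========================== -->
        <!-- Manage certificates -->
        <!-- =========================== -->
        <!-- Read the server keystore password from the instance's config/keystore.pin -->
        <call function="'getFile'">
          {
            'location' : instance.getHost(),
            'filename' : '%s/config/keystore.pin' % instance.getInstallDir(),
            'format' : '""'
          }
        </call>
        <script>
          # getFile returns: STAXResult = [cmdRC, cmdResult]
          server_storepass = STAXResult[1]
          SERVER_CERT_DIR = '%s/CERT_%s' % (instance.getLogDir(),instance.getHost())
          SERVER_CERT_FILE = '%s/server_cert.txt' % SERVER_CERT_DIR
          # Kept in scope for called functions; not read again in this file.
          SERVER_STOREPASS = server_storepass
        </script>
        <!-- Create a directory under the instance log dir to hold the exported server certificate -->
        <call function="'createFolder'">
          { 'location' : instance.getHost(),
            'foldername' : SERVER_CERT_DIR,
            'fileFd' : LOG_MAIN_FD
          }
        </call>
        <!-- Export the server certificate (alias server-cert) from the instance JKS keystore -->
        <message>'---- Export the Server Certificate ----'</message>
        <call function="'ExportCertificate'">
          { 'dsPath' : instance.getInstallDir(),
            'location' : instance.getHost(),
            'certAlias' : 'server-cert' ,
            'outputfile' : SERVER_CERT_FILE,
            'storepass' : server_storepass,
            'storetype' : 'JKS',
            'fileFd' : LOG_MAIN_FD,
          }
        </call>
        <!-- == Write end tag for xml report -->
        <call function="'writeEndTagInstance'">
          { 'fileFd' : LOG_MAIN_FD }
        </call>
      </sequence>
    </iterate>
    <!--== Get the enabled clients list from all modules ==-->
    <call function="'getEnabledClients'">{'scheduler':scheduler}</call>
    <script>clients = STAXResult </script>
    <!--======= Certificate setup for the secure clients ========-->
    <iterate in="clients" var="client">
      <sequence>
        <!-- Only the clients that authenticate with a client certificate need a keystore -->
        <if expr="client.getName() == 'secureSearch' or client.getName() == 'secureModifyEntries' or client.getName() == 'secureUserpasswordModify'">
          <sequence>
            <!-- == Write start tag for xml report -->
            <call function="'writeStartTagClient'">
              {
                'client' : client,
                'fileFd' : LOG_MAIN_FD
              }
            </call>
            <!-- Resolve the server instance and certificate parameters of this client -->
            <!-- from its parameter list: index 0 = server instance name, 1 = base DN -->
            <!-- used for user mapping, 7 = certificate alias (positions as used below). -->
            <script>
              cParams = client.getParams()
              serverInstanceFromClient = cParams[0][1]
              baseDN_for_userMapping = cParams[1][1]
              certAlias = cParams[7][1]
              # Appended on every iteration; harmless but could be hoisted out of the loop.
              sys.path.append("%s/phases/scheduler" % TESTS_DIR )
              from scheduler import getInstance
              serverInstance = getInstance(serverInstanceFromClient,instances)
            </script>
            <!-- Client certificate DB layout; it is generated on the client host. -->
            <!-- The keystore and key passwords are throwaway test-fixture values -->
            <!-- protecting a self-signed certificate that exists only for this run. -->
            <script>
              CLIENT_CERT_TMP="%s/CERT_%s_%s" % \
                (client.getLogDir(),client.getName(),client.getId())
              CLIENT_KEYSTORE_DIR="%s/config" % (CLIENT_CERT_TMP)
              CLIENT_KEYSTORE="%s/keystore" % CLIENT_KEYSTORE_DIR
              USER_DN ="uid=%s,%s" % (certAlias,baseDN_for_userMapping)
              USER_CERT_FILE_RFC="%s/client_cert_rfc.txt" % CLIENT_CERT_TMP
              USER_CERT_FILE="%s/client_cert.txt" % CLIENT_CERT_TMP
              CLIENT_KEYPASS="password"
              CLIENT_STOREPASS="password"
            </script>
            <call function="'writeMessage'">
              {
                'fileFd' : LOG_MAIN_FD,
                'content' : 'Create folder %s on %s ' %
                  (CLIENT_CERT_TMP,client.getHost())
              }
            </call>
            <!-- Create the folder on the client host that will hold the client keystore
                 and certificate -->
            <call function="'createFolder'">
              { 'location' : client.getHost(),
                'foldername' : CLIENT_KEYSTORE_DIR,
                'fileFd' : LOG_MAIN_FD
              }
            </call>
            <!-- On the client host, generate a JKS key pair for alias certAlias with subject USER_DN -->
            <call function="'genCertificate'">
              { 'dsPath' : CLIENT_CERT_TMP,
                'location' : client.getHost(),
                'certAlias' : certAlias,
                'dname' : USER_DN,
                'storepass' : CLIENT_STOREPASS,
                'keystore' : CLIENT_KEYSTORE,
                'keypass' : CLIENT_KEYPASS,
                'storetype' : 'JKS',
                'fileFd' : LOG_MAIN_FD
              }
            </call>
            <!-- Self-sign the client certificate : certAlias -->
            <message>'---- Self-Signing client Certificate : %s ---- ' % (certAlias)</message>
            <call function="'SelfSignCertificate'">
              { 'dsPath' : CLIENT_CERT_TMP,
                'location' : client.getHost(),
                'certAlias' : certAlias,
                'storepass' : CLIENT_STOREPASS,
                'keypass' : CLIENT_KEYPASS,
                'keystore' : CLIENT_KEYSTORE,
                'storetype' : 'JKS' ,
                'fileFd' : LOG_MAIN_FD
              }
            </call>
            <!-- Export the client certificate (binary form) : certAlias -->
            <message> '---- Export the client certificate : %s ---- ' % (certAlias)</message>
            <call function="'ExportCertificate'">
              { 'dsPath' : CLIENT_CERT_TMP,
                'location' : client.getHost(),
                'certAlias' : certAlias,
                'outputfile' : USER_CERT_FILE,
                'storepass' : CLIENT_STOREPASS,
                'keystore' : CLIENT_KEYSTORE,
                'storetype' : 'JKS',
                'fileFd' : LOG_MAIN_FD
              }
            </call>
            <!-- Export the client certificate in RFC (PEM) format; create_mapping_user reads this file -->
            <message> '---- Export the client certificate in RFC : %s ---- ' % (certAlias)</message>
            <call function="'ExportCertificate'">
              { 'dsPath' : CLIENT_CERT_TMP,
                'location' : client.getHost(),
                'certAlias' : certAlias,
                'outputfile' : USER_CERT_FILE_RFC,
                'storepass' : CLIENT_STOREPASS,
                'keystore' : CLIENT_KEYSTORE,
                'format' : 'rfc',
                'storetype' : 'JKS',
                'fileFd' : LOG_MAIN_FD
              }
            </call>
            <!-- Read the keystore password of the client's server instance from its keystore.pin -->
            <call function="'getFile'">
              {
                'location' : serverInstance.getHost(),
                'filename' : '%s/config/keystore.pin' % serverInstance.getInstallDir(),
                'format' : '""'
              }
            </call>
            <script>
              # getFile returns: STAXResult = [cmdRC, cmdResult]
              server_storepass = STAXResult[1]
            </script>
            <!-- The directory containing the client certificate DB is copied to
                 the server instance host, and the directory containing the server
                 certificate is copied to the associated client host. -->
            <script>
              REMOTE_CLIENT_CERT_TMP="%s/CERT_%s_%s" % (serverInstance.getLogDir(),client.getName(),client.getId())
              REMOTE_USER_CERT_FILE="%s/client_cert.txt" % REMOTE_CLIENT_CERT_TMP
              REMOTE_SERVER_CERT_TMP = "%s/CERT_%s" % (client.getLogDir(),serverInstance.getHost())
              REMOTE_SERVER_CERT_FILE = '%s/server_cert.txt' % REMOTE_SERVER_CERT_TMP
              SERVER_CERT_TMP = "%s/CERT_%s" % (serverInstance.getLogDir(),serverInstance.getHost())
              # Kept in scope for called functions; not read again in this file.
              SERVER_STOREPASS = server_storepass
            </script>
            <!--== Copy the server certificate directory onto the client host -->
            <call function="'copyFolder'">
              { 'location' : serverInstance.getHost(),
                'remoteHost' : client.getHost(),
                'fromDirectory' : SERVER_CERT_TMP,
                'toDirectory' : REMOTE_SERVER_CERT_TMP,
                'fileFd' : LOG_MAIN_FD
              }
            </call>
            <!--== Copy the client certificate directory onto the server host -->
            <call function="'copyFolder'">
              { 'location' : client.getHost(),
                'remoteHost' : serverInstance.getHost(),
                'fromDirectory' : CLIENT_CERT_TMP,
                'toDirectory' : REMOTE_CLIENT_CERT_TMP,
                'fileFd' : LOG_MAIN_FD
              }
            </call>
            <call function="'writeMessage'">
              {
                'fileFd' : LOG_MAIN_FD,
                'content' : 'Import server certificate under %s on %s ' % (CLIENT_KEYSTORE,client.getHost())
              }
            </call>
            <!-- Import the server certificate into the client keystore so the client trusts the server -->
            <message>'---- Import the Server Certificate in the client keystore----'</message>
            <call function="'ImportCertificate'">
              { 'dsPath' : CLIENT_CERT_TMP,
                'location' : client.getHost(),
                'certAlias' : 'server-cert',
                'inputfile' : REMOTE_SERVER_CERT_FILE,
                'storepass' : CLIENT_STOREPASS,
                'keystore' : CLIENT_KEYSTORE,
                'storetype' : 'JKS',
                'fileFd' : LOG_MAIN_FD
              }
            </call>
            <!-- Import the client certificate into the server truststore so the server accepts it -->
            <message> '---- Import the client Certificates %s in the server trustore' % (certAlias)</message>
            <call function="'ImportCertificate'">
              { 'dsPath' : serverInstance.getInstallDir(),
                'location' : serverInstance.getHost(),
                'certAlias' : certAlias,
                'keystore' : 'truststore',
                'inputfile' : REMOTE_USER_CERT_FILE,
                'storepass' : server_storepass,
                'storetype' : 'JKS',
                'fileFd' : LOG_MAIN_FD
              }
            </call>
            <!-- Create the user entry the client certificate maps to and attach the certificate to it -->
            <call function="'create_mapping_user'">
              { 'instance' : serverInstance,
                'certAlias' : certAlias,
                'client_cert_directory' : REMOTE_CLIENT_CERT_TMP,
                'user_dn' : USER_DN,
                'base_dn' : baseDN_for_userMapping,
                'fileFd' : LOG_MAIN_FD
              }
            </call>
            <!-- == Write end tag for xml report -->
            <call function="'writeEndTagClient'">
              { 'fileFd' : LOG_MAIN_FD }
            </call>
          </sequence>
        </if>
      </sequence>
    </iterate>
    <!-- ================= Call postamble ======================== -->
    <call function="'phasePostamble'">
      { 'phase' : phase,
        'fileFd' : LOG_MAIN_FD
      }
    </call>
  </sequence>
</function>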
<!-- ************************************************************ -->
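<function name="create_mapping_user" scope="local">
  <!--
  ! Create the directory user that a client certificate maps to.
  !
  ! Adds the user entry user_dn (with a placeholder userCertificate), checks it
  ! can bind and search, grants it search/read/write on base_dn through an ACI,
  ! then reads the client's RFC (PEM) certificate export from
  ! client_cert_directory and stores it as userCertificate;binary on the entry.
  ! Privileged operations bind as the global DIRECTORY_INSTANCE_DN.
  ! -->
  <function-map-args>
    <function-arg-def name="instance" type="required">
      <function-arg-description>
        server instance class the user is created on
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="certAlias" type="required">
      <function-arg-description>
        client certificate alias; also used as the user's uid, cn, sn and givenname
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="client_cert_directory" type="required">
      <function-arg-description>
        directory on the instance host holding client_cert_rfc.txt
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="base_dn" type="required">
      <function-arg-description>
        entry that receives the ACI granting the user access
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="user_dn" type="required">
      <function-arg-description>
        DN of the user entry to create
      </function-arg-description>
    </function-arg-def>
    <function-arg-def name="fileFd" type="required">
      <function-arg-description>
        report file descriptor
      </function-arg-description>
    </function-arg-def>
  </function-map-args>
  <sequence>
    <call function="'writeMessage'">
      {
        'fileFd' : fileFd,
        'content' : 'Create the user %s' % user_dn
      }
    </call>
    <!-- Create the user entry on the instance server -->
    <message>'###### Add an entry ###### '</message>
    <script>
      listAttr = []
      listAttr.append('objectclass:top')
      listAttr.append('objectclass:organizationalperson')
      listAttr.append('objectclass:inetorgperson')
      listAttr.append('objectclass:person')
      listAttr.append('objectclass:ds-certificate-user')
      listAttr.append('objectclass:strongAuthenticationUser')
      listAttr.append('objectclass:inetorgpersonext')
      # Placeholder; replaced by the real certificate at the end of this function.
      listAttr.append('userCertificate;binary: bad_certificate')
      listAttr.append('givenname:%s' % certAlias)
      # Test-fixture password, used by the bind check below.
      listAttr.append('userpassword:userpassword')
      listAttr.append('mailEXT: group1')
      listAttr.append('descriptionEXT: this is mapping client description')
      listAttr.append('sn:%s' % certAlias)
      listAttr.append('cn:%s' % certAlias)
    </script>
    <call function="'addAnEntry'">
      { 'location' : instance.getHost(),
        'dsPath' : instance.getInstallDir(),
        'dsInstanceHost' : instance.getHost(),
        'dsInstancePort' : instance.getLDAPPort(),
        'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
        'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
        'DNToAdd' : user_dn,
        'listAttributes' : listAttr,
        'expectedRC' : 0,
        'fileFd' : fileFd
      }
    </call>
    <!-- Check the new user can bind with its password and search the suffix. -->
    <!-- Fixed: the port previously came from serverInstance, which is not an -->
    <!-- argument of this function; instance is the same object at the call site. -->
    <!-- NOTE(review): suffix is not a declared argument either and resolves from the -->
    <!-- caller's scope (postConfiguration's suffix); consider passing it explicitly. -->
    <call function="'ldapSearch'">
      { 'dsPath' : instance.getInstallDir(),
        'dsInstanceHost' : instance.getHost(),
        'dsInstancePort' : instance.getLDAPPort(),
        'dsBaseDN' : suffix.getSuffixDn(),
        'dsScope' : 'base',
        'dsFilter' : 'objectclass=*',
        'dsInstanceDn' : user_dn,
        'dsInstancePswd' : "userpassword",
        'expectedRC' : 0,
        'fileFd' : fileFd
      }
    </call>
    <call function="'writeMessage'">
      {
        'fileFd' : fileFd,
        'content' : 'Add the aci to the user %s' % user_dn
      }
    </call>
    <!-- Grant the mapped user search, read and write on every attribute under base_dn -->
    <script>
      curr_aci="(targetattr=\"*\")(version 3.0; acl \"add_aci\"; allow (search,read,write) userdn=\"ldap:///%s\";)" % user_dn
    </script>
    <call function="'modifyAnAttribute'">
      { 'dsPath' : instance.getInstallDir(),
        'dsInstanceHost' : instance.getHost(),
        'dsInstancePort' : instance.getLDAPPort(),
        'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
        'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
        'DNToModify' : base_dn,
        'attributeName' : 'aci',
        'newAttributeValue' : curr_aci,
        'changetype' : 'add',
        'expectedRC' : 0,
        'fileFd' : fileFd
      }
    </call>
    <!-- Read the certificate exported in RFC (PEM) format. -->
    <!-- Fixed: the filename carried a trailing space after ".txt". -->
    <call function="'getFile'">
      { 'location' : instance.getHost(),
        'filename' : '%s/client_cert_rfc.txt' % (client_cert_directory)
      }
    </call>
    <!-- NOTE(review): cmdResult is assumed to be set by getFile; the callers in this -->
    <!-- file read the same result from STAXResult[1]. Confirm which one is reliable. -->
    <message>
      'Certificate contents:\n %s' % cmdResult
    </message>
    <!-- Strip the BEGIN CERTIFICATE / END CERTIFICATE marker lines and join the -->
    <!-- remaining base64 lines into a single string. -->
    <script>
      certList=cmdResult.split('\n')
      ret_str = ""
      for line in certList:
        index_cert = line.find("CERTIFICATE")
        if index_cert == -1:
          ret_str+=line.strip()
    </script>
    <!-- LDIF that replaces the placeholder with the real certificate; the "::" -->
    <!-- separator tells the server the value is base64 encoded. -->
    <script>
      listAttr = []
      listAttr.append('dn: %s' % user_dn)
      listAttr.append('changetype: modify')
      listAttr.append('replace: userCertificate;binary')
      listAttr.append('userCertificate;binary:: %s' % ret_str)
    </script>
    <!-- Write out the LDIF, closing the file even if a write fails -->
    <script>
      LdifFile = '%s/cert_ldif' % instance.getLogDir()
      outfile = open(LdifFile,"w")
      try:
        for line in listAttr:
          outfile.write("%s\n" % line)
      finally:
        outfile.close()
    </script>
    <call function="'modifyEntry'">
      { 'dsPath' : instance.getInstallDir(),
        'dsInstanceHost' : instance.getHost(),
        'dsInstancePort' : instance.getLDAPPort(),
        'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
        'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
        'entryToBeModified' : '%s' % LdifFile,
        'expectedRC' : 0,
        'fileFd' : fileFd
      }
    </call>
    <!-- NOTE(review): the LDIF above already replaced userCertificate;binary; this -->
    <!-- second update sends ret_str again with changetype 'modify'. Confirm whether -->
    <!-- it is still needed and whether modifyAnAttribute base64-decodes the value. -->
    <call function="'modifyAnAttribute'">
      { 'dsPath' : instance.getInstallDir(),
        'dsInstanceHost' : instance.getHost(),
        'dsInstancePort' : instance.getLDAPPort(),
        'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
        'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
        'DNToModify' : user_dn,
        'attributeName' : 'userCertificate;binary',
        'newAttributeValue' : ret_str,
        'changetype' : 'modify',
        'expectedRC' : 0,
        'fileFd' : fileFd
      }
    </call>
  </sequence>
</function>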
</stax>