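## OpenCA - RA Server Command
## (c) 1998-2001 by Massimiliano Pala and OpenCA Group
##
## File Name: importCertsLDAP
## Brief: importCertificates onto LDAP server
## Description: Add issued certificates to LDAP server
## Parameters:
##
## This command reads the serials listed in stuff/lastImport.txt, fetches
## each VALID_CERTIFICATE from the RA database and publishes it in the
## directory under the certificate's subject DN (minus the Email RDN),
## creating any missing organizationalUnit parents on the way.
##
## $cmd, $tools and $db, the LDAP_* helpers and the *Log* page helpers are
## provided by the RA server environment that loads this command; they are
## not defined in this file.

if ( $cmd !~ /importCertsLDAP/i ) {
    ## The usage message names this command (it used to say importReqs).
    configError( "Wrong Command Usage ($cmd/importCertsLDAP)!" );
    exit 1;
}

my ( $ldap, $ret, $result, $mesg );

## Get Required Parameters
my $basedn    = getRequired( "basedn" );
my $serverDir = getRequired( 'ServerDir' );
my $lastFile  = "${serverDir}/stuff/lastImport.txt";

## Strips the "Email=..." RDN from a DN: the entry lives under the rest of
## the subject and the address goes into the 'mail' attribute instead.
my $strip_email_rdn = sub {
    my ( $dn ) = @_;
    $dn =~ s/\s*Email\s*=[^\,]+\,*//gi;
    return $dn;
};

## Escapes the characters that would be read as markup when a DN or a
## serial taken from the data is interpolated into the HTML log page.
my $html_escape = sub {
    my ( $text ) = @_;
    $text = "" if ( not defined $text );
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    return $text;
};

## Load list of last imported certificates (one serial per line); a
## missing or empty file simply yields an empty list.
my $lastContent = $tools->getFile( "$lastFile" );
my @certsList   = defined $lastContent ? split( /\n/, $lastContent ) : ();

## Start Logging Page
print startLogPage ( "LDAP Certificates Importing" );

## Connection Setup Setting
print addLogSection ( "Initializing LDAP connection ... ");
$ldap = LDAP_connect();
if ( not $ldap ) {
    print addErrorLog ("LDAP: Connection Refused by server!\n");
    exit(1);
}
$ret = LDAP_bind( LDAP => $ldap );
if ( not $ret->{STATUS} ) {
    print addErrorLog("LDAP: Failed in Bind.","$ret->{CODE}");
    LDAP_disconnect( LDAP => $ldap );
    exit(1);
}
print addLogLine ( "Ok." );
print closeLogSection ();

print addLogSection ("Adding Certificates:");
print addLogLine ("");

CERT: foreach my $serial ( @certsList ) {
    my $cert = $db->getItem( DATATYPE=>"VALID_CERTIFICATE", KEY=>$serial );
    if ( not $cert ) {
        print addPreLogLine ( "[ Can not find certificate " . $html_escape->($serial) . " ]" );
        next CERT;
    }

    my $parsed  = $cert->getParsed();
    my $dn      = $parsed->{DN};
    my $entryDn = $strip_email_rdn->($dn);   # DN of the entry that holds the cert
    my $dnHtml  = $html_escape->($dn);

    ## Does the entry already exist? A base-scope search returns the entry
    ## itself (count 1) or nothing (count 0); a subtree search is not
    ## needed for an existence check.
    $mesg = $ldap->search( base => "$entryDn", scope => "base" );

    if ( $mesg->count == 0 ) {
        ## We have to create the base object: walk the RDNs between the
        ## base DN and the entry from the top down and add each missing
        ## OU. $basedn is quoted because it may contain regex metachars.
        my $subDn = $strip_email_rdn->($dn);
        $subDn =~ s/\s*\Q$basedn\E$//i;
        my @dnList = reverse split /\s*\,\s*/, $subDn;

        my $parentDn = $basedn;
        my @ouList   = ();
        foreach my $rdn ( @dnList ) {
            ## Build Object DN
            $parentDn = "$rdn, $parentDn";

            ## Add to ouList if it is an OU object (outermost OU last)
            if ( $rdn =~ /^ou\s*=(.*)/i ) {
                unshift @ouList, $1;
            }

            ## Search if the object is there otherwise we add it
            $mesg = $ldap->search( base => "$parentDn", scope => "base" );
            if ( $mesg->count == 0 and $rdn =~ /^ou\s*=/i ) {
                ## The result is not checked here: a failed parent shows
                ## up as a failed add of the leaf entry below.
                $ldap->add( dn   => "$parentDn",
                            attr => [ 'ou'          => [ @ouList ],
                                      'objectclass' => [ "top", "organizationalUnit" ],
                                    ] );
            }
        }

        ## Let's build the SN (not x509 oid): the CN minus its first word,
        ## falling back to the whole CN when it is a single word.
        my $sn = $parsed->{CN};
        $sn =~ s/^\s*[\S]+\s*//;
        $sn = $parsed->{CN} if ( "$sn" eq "" );

        ## Only attributes that actually have a value are sent: an
        ## attribute with no values is rejected by the directory.
        my @attrs = ( 'sn' => $sn, 'cn' => $parsed->{CN} );
        push @attrs, 'ou' => [ @ouList ] if ( @ouList );
        push @attrs, 'mail' => $parsed->{EMAIL}
            if ( defined $parsed->{EMAIL} and $parsed->{EMAIL} ne "" );
        push @attrs, 'userCertificate;binary' => $cert->getDER(),
                     'objectclass'            => [ 'top', 'InetOrgPerson' ];

        ## Try adding the entry with the certificate (DER)
        $result = $ldap->add( dn => "$entryDn", attr => [ @attrs ] );
    }
    else {
        ## The Object exists, let's add only the certificate
        $result = $ldap->modify( $entryDn,
                                 add => [ 'userCertificate;binary' => $cert->getDER() ] );
    }

    ## Result code 68 is LDAP "already exists": the entry (or the cert
    ## value) is already published, which is a success for an import.
    if ( not $result->code or $result->code == 68 ) {
        print addPreLogLine ( "Added $dnHtml" );
    }
    else {
        ## The server's error text is logged so a failure can be diagnosed.
        print addPreLogLine ( "<font color=\"red\">Not added $dnHtml ("
                              . $html_escape->( $result->error ) . ")</font>" );
    }
}
print closeLogSection ();

print addLogSection ("Disconnecting ... ");
LDAP_disconnect ( LDAP => $ldap ) if ( $ldap );
print addLogLine ( "Ok" );
print closeLogSection ();

closePage();

1;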