Use TDESimpleConfig

Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it>

CMakeLists.txt

@@ -7,7 +7,11 @@
 ############################################
 
 
-cmake_minimum_required( VERSION 3.1 )
+##### set project version ########################
+
+include( TDEVersion )
+cmake_minimum_required( VERSION ${TDE_CMAKE_MINIMUM_VERSION} )
+tde_set_project_version( )
 
 
 #### general package setup
@@ -31,11 +35,6 @@ include( CheckCXXSourceCompiles )
 include( TDEMacros )
 
 
-##### set version number ########################
-
-tde_set_project_version( )
-
-
 ##### setup install paths
 
 include( TDESetupPaths )
@@ -59,6 +58,8 @@ option( WITH_GCC_VISIBILITY "Enable fvisibility and fvisibility-inlines-hidden"
 
 set( KDE_CONFDIR "/etc/trinity" CACHE STRING "TDE Settings Directory" )
 set( KRB5_FILE "/etc/krb5.conf" CACHE STRING "Kerberos config file"   )
+set( SYSTEM_CA_STORE_CERT_LOCATION "/usr/local/share/ca-certificates/" CACHE STRING "Location of ca-certificates" )
+set( SYSTEM_CA_STORE_REGENERATE_COMMAND "update-ca-certificates" CACHE STRING "Command to update ca-certificates" )
 set( CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_OPENLDAP_RELOAD_COMMAND "/etc/init.d/slapd force-reload" CACHE STRING "Cron command to update openLDAP" )
 
 
@@ -69,7 +70,7 @@ include( ConfigureChecks.cmake )
 
 ###### global compiler settings
 
-add_definitions( -DHAVE_CONFIG_H )
+add_definitions( -DHAVE_CONFIG_H ${ENABLE_PERMISSIVE_FLAG} )
 
 set( CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${TQT_CXX_FLAGS}" )
 set( CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,--no-undefined" )

ConfigureChecks.cmake

@@ -26,9 +26,104 @@ if( WITH_GCC_VISIBILITY )
 endif( WITH_GCC_VISIBILITY )
 
 
+##### get the system's default path for libraries
+
+tde_save_and_set( CMAKE_INSTALL_PREFIX "/usr" )
+include( GNUInstallDirs OPTIONAL )
+if( CMAKE_INSTALL_LIBDIR )
+  set( SYSTEM_LIBDIR "${CMAKE_INSTALL_LIBDIR}" )
+else( )
+  set( SYSTEM_LIBDIR "lib${LIB_SUFFIX}" )
+endif( )
+tde_restore( CMAKE_INSTALL_PREFIX )
+
+
 ##### check for ldap
 
 find_library( HAVE_LIBLDAP ldap )
 if( NOT HAVE_LIBLDAP )
   tde_message_fatal( "ldap is required, but was not found on your system" )
 endif( NOT HAVE_LIBLDAP )
+
+
+##### check for krb5
+
+pkg_search_module( KRB5 heimdal-krb5 krb5 )
+if( NOT KRB5_FOUND)
+  if( NOT DEFINED KRB5_CONFIG_EXECUTABLE )
+    find_program( KRB5_CONFIG_EXECUTABLE NAMES krb5-config.heimdal krb5-config )
+    if( NOT KRB5_CONFIG_EXECUTABLE )
+      tde_message_fatal( "krb5 library is required but not found on your system" )
+    endif( )
+  endif( )
+
+  execute_process(
+    COMMAND ${KRB5_CONFIG_EXECUTABLE} --libs
+    OUTPUT_VARIABLE KRB5_LIBRARIES
+    ERROR_VARIABLE KRB5_LIBRARIES
+    OUTPUT_STRIP_TRAILING_WHITESPACE
+    ERROR_STRIP_TRAILING_WHITESPACE
+  )
+  execute_process(
+    COMMAND ${KRB5_CONFIG_EXECUTABLE} --cflags
+    OUTPUT_VARIABLE KRB5_INCLUDE_DIRS
+    ERROR_VARIABLE KRB5_INCLUDE_DIRS
+    OUTPUT_STRIP_TRAILING_WHITESPACE
+    ERROR_STRIP_TRAILING_WHITESPACE
+  )
+  if( NOT "${KRB5_LIBRARIES}" STREQUAL "" )
+    set( KRB5_FOUND 1 )
+  endif( )
+endif( )
+
+find_path( HEIMDAL_INCLUDEDIR
+    NAMES krb5_asn1.h
+    HINTS ${KRB5_INCLUDE_DIRS} ${KRB5_INCLUDEDIR} /usr/include
+    PATH_SUFFIXES "heimdal"
+)
+if( NOT "${HEIMDAL_INCLUDEDIR}" STREQUAL "${KRB5_INCLUDEDIR}" )
+  # fix Heimdal include dirs
+  set( KRB5_INCLUDE_DIRS "${HEIMDAL_INCLUDEDIR}" )
+endif( )
+
+find_path( HEIMDAL_LIBDIR
+    NAMES libhdb.so
+    HINTS
+      ${KRB5_LIBRARY_DIRS} ${KRB5_LIBDIR}
+      /usr/${SYSTEM_LIBDIR} /usr/local/${SYSTEM_LIBDIR}
+    PATH_SUFFIXES "heimdal"
+)
+if( NOT "${HEIMDAL_LIBDIR}" STREQUAL "${KRB5_LIBDIR}" )
+  # fix Heimdal library dirs
+  set( KRB5_LIBRARY_DIRS "${HEIMDAL_LIBDIR}" )
+endif( )
+
+if( "${HEIMDAL_INCLUDEDIR}" STREQUAL "HEIMDAL_INCLUDEDIR-NOTFOUND" OR
+    "${HEIMDAL_LIBDIR}" STREQUAL "HEIMDAL_LIBDIR-NOTFOUND" )
+    tde_message_fatal( "Heimdal Kerberos is required, but was not found on our system" )
+endif( )
+
+
+# check compiler permissive flag
+check_cxx_compiler_flag( -fpermissive HAVE_PERMISSIVE_SUPPORT )
+if( HAVE_PERMISSIVE_SUPPORT )
+  set( ENABLE_PERMISSIVE_FLAG "-fpermissive" )
+endif( )
+
+
+##### check for tdehwlib
+
+tde_save_and_set( CMAKE_REQUIRED_INCLUDES "${TDE_INCLUDE_DIR}" )
+check_cxx_source_compiles( "
+  #include <tdemacros.h>
+    #ifndef __TDE_HAVE_TDEHWLIB
+    #error tdecore is not build with tdehwlib
+    #endif
+    int main() { return 0; } "
+  HAVE_TDEHWLIB
+)
+tde_restore( CMAKE_REQUIRED_INCLUDES )
+if( NOT HAVE_TDEHWLIB )
+  tde_message_fatal( "tdehwlib is required, but not built in tdecore" )
+endif( NOT HAVE_TDEHWLIB )
+set( TDEHW_LIBRARIES "tdehw-shared" )

config.h.cmake

@@ -1,7 +1,7 @@
 #define VERSION "@VERSION@"
 
 // Defined if you have fvisibility and fvisibility-inlines-hidden support.
-#cmakedefine __KDE_HAVE_GCC_VISIBILITY 1
+#cmakedefine __TDE_HAVE_GCC_VISIBILITY 1
 
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */
@@ -13,5 +13,11 @@
 /* Define Kerberos config file */
 #cmakedefine KRB5_FILE "@KRB5_FILE@"
 
+/* Define Location of ca-certificates */
+#cmakedefine SYSTEM_CA_STORE_CERT_LOCATION "@SYSTEM_CA_STORE_CERT_LOCATION@"
+
+/* Define Command to update ca-certificats */
+#cmakedefine SYSTEM_CA_STORE_REGENERATE_COMMAND "@SYSTEM_CA_STORE_REGENERATE_COMMAND@"
+
 /* Define Cron command to update openLDAP certificats */
 #cmakedefine CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_OPENLDAP_RELOAD_COMMAND "@CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_OPENLDAP_RELOAD_COMMAND@"

src/CMakeLists.txt

@@ -11,6 +11,7 @@ include_directories(
 link_directories(
   ${TQT_LIBRARY_DIRS}
   ${TDE_LIB_DIR}
+  ${KRB5_LIBRARY_DIRS}
 )
 
 
@@ -27,8 +28,9 @@ tde_add_library( tdeldap SHARED AUTOMOC
      tdeui-shared
      tdecore-shared
      tdeio-shared
+     ${TDEHW_LIBRARIES}
      tdesu
-     lber
+     krb5 kadm5clnt kadm5srv hdb lber 
      ldap
 
   VERSION 1.0.0

src/ldaplogindlg.cpp

@@ -23,13 +23,13 @@
 #include <tqmap.h>
 
 #include <tdeapplication.h>
-#include <ksimpleconfig.h>
+#include <tdesimpleconfig.h>
 #include <tdelocale.h>
 #include <kdebug.h>
-#include <kstandarddirs.h>
+#include <tdestandarddirs.h>
 #include <kiconloader.h>
 #include <dcopclient.h>
-#include <kprocess.h>
+#include <tdeprocess.h>
 #include <kcombobox.h>
 
 #include "ldaplogindlg.h"

src/ldaplogindlg.h

@@ -30,7 +30,7 @@ class TQStringList;
   */
 
 class LDAPLogin : public LDAPLoginDlg  {
-	Q_OBJECT
+	TQ_OBJECT
 public:
 	LDAPLogin(TQWidget *parent=0, const char *name=0);
 	~LDAPLogin();

src/ldappasswddlg.cpp

@@ -32,8 +32,8 @@
 #include "ldaplogindlg.h"
 #include "ldappasswddlg.h"
 
-LDAPPasswordDialog::LDAPPasswordDialog(TQWidget* parent, const char* name, bool allowGSSAPI)
-	: KDialogBase(parent, name, true, i18n("LDAP Authentication"), (allowGSSAPI)?Ok|Cancel|User1:Ok|Cancel, Ok, true, i18n("Authenticate with SASL/GSSAPI"))
+LDAPPasswordDialog::LDAPPasswordDialog(TQWidget* parent, const char* name, bool allowGSSAPI, bool allowSmartCard)
+	: KDialogBase(parent, name, true, i18n("LDAP Authentication"), Ok|Cancel|((allowGSSAPI)?User1:0)|((allowSmartCard)?User2:0), Ok, true, i18n("Authenticate with SASL/GSSAPI"), i18n("Authenticate with cryptographic card"))
 {
 	m_base = new LDAPLogin(this);
 
@@ -42,11 +42,19 @@ LDAPPasswordDialog::LDAPPasswordDialog(TQWidget* parent, const char* name, bool
 
 void LDAPPasswordDialog::slotOk() {
 	use_gssapi = false;
+	use_smartcard = false;
 	accept();
 }
 
 void LDAPPasswordDialog::slotUser1() {
 	use_gssapi = true;
+	use_smartcard = false;
+	accept();
+}
+
+void LDAPPasswordDialog::slotUser2() {
+	use_gssapi = false;
+	use_smartcard = true;
 	accept();
 }
 

src/ldappasswddlg.h

@@ -26,20 +26,22 @@
 
 class LDAPLogin;
 
-class KDE_EXPORT LDAPPasswordDialog : public KDialogBase
+class TDE_EXPORT LDAPPasswordDialog : public KDialogBase
 {
-	Q_OBJECT
+	TQ_OBJECT
 
 public:
-	LDAPPasswordDialog(TQWidget* parent = 0, const char* name = 0, bool allowGSSAPI = true);
+	LDAPPasswordDialog(TQWidget* parent = 0, const char* name = 0, bool allowGSSAPI = true, bool allowSmartCard = false);
 
 public slots:
 	void slotOk();
 	void slotUser1();
+	void slotUser2();
 
 public:
 	LDAPLogin *m_base;
 	bool use_gssapi;
+	bool use_smartcard;
 };
 
 #endif

src/libtdeldap.h

@@ -1,5 +1,5 @@
 /***************************************************************************
- *   Copyright (C) 2012-2013 by Timothy Pearson                            *
+ *   Copyright (C) 2012-2015 by Timothy Pearson                            *
  *   kb9vqf@pearsoncomputing.net                                           *
  *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
@@ -21,16 +21,19 @@
 #ifndef _LIBTDELDAP_H_
 #define _LIBTDELDAP_H_
 
+#include <stdint.h>
 #include <unistd.h>
 #include <sys/stat.h>
 #include <ldap.h>
+#include <kadm5/admin.h>
 
 #include <tqobject.h>
 #include <tqstring.h>
 #include <tqdatetime.h>
 #include <tqvaluelist.h>
+#include <tqfile.h>
 
-#include <ksimpleconfig.h>
+#include <tdesimpleconfig.h>
 
 // FIXME
 // Connect this to CMake/Automake
@@ -47,6 +50,8 @@
 
 #define KERBEROS_PKI_PEM_FILE KERBEROS_PKI_ANCHORDIR "tdeca.pem"
 #define KERBEROS_PKI_PEMKEY_FILE KERBEROS_PKI_ANCHORDIR "tdeca.key.pem"
+#define KERBEROS_PKI_CRL_FILE KERBEROS_PKI_ANCHORDIR "tdecrl.pem"
+#define KERBEROS_PKI_CRLDB_FILE KERBEROS_PKI_ANCHORDIR "tdecrl.db"
 #define KERBEROS_PKI_KDC_FILE KERBEROS_PKI_PUBLICDIR "@@@KDCSERVER@@@.pki.crt"
 #define KERBEROS_PKI_KDCKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.key"
 #define KERBEROS_PKI_KDCREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.req"
@@ -54,14 +59,23 @@
 #define LDAP_CERT_FILE KERBEROS_PKI_PUBLICDIR "@@@ADMINSERVER@@@.ldap.crt"
 #define LDAP_CERTKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.key"
 #define LDAP_CERTREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.req"
+#define LDAP_CERTREVOC_FILE KERBEROS_PKI_PUBLICDIR "@@@ADMINSERVER@@@.ldap.crl"
 
-#define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions"
+#define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "openssl.cfg"
 
 #define DEFAULT_IGNORED_USERS_LIST "avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,haldaemon,hplip,irc,klog,landscape,libuuid,list,lp,mail,man,messagebus,news,ntp,polkituser,postfix,proxy,pulse,root,rtkit,saned,sshd,statd,sync,sys,syslog,timidity,usbmux,uucp,www-data"
 
 #define CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_FILE "/etc/cron.daily/tde-upd-pri-rlm-certs"
 #define CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND TDE_BINDIR "/primaryrccertupdater"
 
+// 1 year
+#define KERBEROS_PKI_PEMKEY_EXPIRY_DAYS 365
+
+// 1 month
+#define KERBEROS_PKI_CRL_EXPIRY_DAYS 30
+#define KERBEROS_PKI_KRB_EXPIRY_DAYS 30
+#define KERBEROS_PKI_LDAP_EXPIRY_DAYS 30
+
 // Values from hdb.asn1
 enum LDAPKRB5Flags {
 	KRB5_INITIAL			= 0x00000001,
@@ -141,7 +155,20 @@ inline KRB5TicketFlags operator&(KRB5TicketFlags a, KRB5TicketFlags b)
 typedef TQValueList<uid_t> UserList;
 typedef TQValueList<gid_t> GroupList;
 
-class KDE_EXPORT LDAPCredentials
+namespace PKICertificateStatus {
+	enum PKICertificateStatusEnum {
+		Invalid		= 0,
+		Valid		= 1,
+		Revoked		= 2
+	};
+}
+
+typedef TQValueList<TQByteArray> TQByteArrayList;
+
+typedef TQPair<uint32_t, TQByteArray> PKICertificateEntry;
+typedef TQValueList<PKICertificateEntry> PKICertificateEntryList;
+
+class TDE_EXPORT LDAPCredentials
 {
 	public:
 		LDAPCredentials();
@@ -149,15 +176,16 @@ class KDE_EXPORT LDAPCredentials
 
 	public:
 		TQString username;
-		TQCString password;
+		TQString password;
 		TQString realm;
 		bool use_tls;
 		bool use_gssapi;
+		bool use_smartcard;
 		TQString service;
 };
 
 // PRIVATE
-class KDE_EXPORT LDAPRealmConfig
+class TDE_EXPORT LDAPRealmConfig
 {
 	public:
 		TQString name;
@@ -173,11 +201,16 @@ class KDE_EXPORT LDAPRealmConfig
 		bool pkinit_require_krbtgt_otherName;
 		bool win2k_pkinit;
 		bool win2k_pkinit_require_binding;
+		TQString certificate_revocation_list_url;
 };
 
 // PRIVATE
-class KDE_EXPORT LDAPCertConfig
+class TDE_EXPORT LDAPCertConfig
 {
+	public:
+		LDAPCertConfig();
+		~LDAPCertConfig();
+
 	public:
 		bool generate_certs;
 		TQString provided_kerberos_pem;
@@ -187,6 +220,11 @@ class KDE_EXPORT LDAPCertConfig
 		TQString provided_ldap_crt;
 		TQString provided_ldap_key;
 
+		int caExpiryDays;
+		int caCrlExpiryDays;
+		int kerberosExpiryDays;
+		int ldapExpiryDays;
+
 		TQString countryName;
 		TQString stateOrProvinceName;
 		TQString localityName;
@@ -197,13 +235,15 @@ class KDE_EXPORT LDAPCertConfig
 };
 
 // PRIVATE
-class KDE_EXPORT LDAPPamConfig
+class TDE_EXPORT LDAPPamConfig
 {
 	public:
 		LDAPPamConfig();
 		~LDAPPamConfig();
 
 	public:
+		bool enable_pkcs11_login;
+		int pkcs11_login_card_slot;
 		bool enable_cached_credentials;
 		bool autocreate_user_directories_enable;
 		mode_t autocreate_user_directories_umask;
@@ -211,7 +251,7 @@ class KDE_EXPORT LDAPPamConfig
 };
 
 // PRIVATE
-class KDE_EXPORT LDAPClientRealmConfig
+class TDE_EXPORT LDAPClientRealmConfig
 {
 	public:
 		bool enable_bonding;
@@ -234,7 +274,7 @@ class KDE_EXPORT LDAPClientRealmConfig
 
 typedef TQMap<TQString, LDAPRealmConfig> LDAPRealmConfigList;
 
-class KDE_EXPORT LDAPUserInfo
+class TDE_EXPORT LDAPUserInfo
 {
 	public:
 		LDAPUserInfo();
@@ -252,7 +292,7 @@ class KDE_EXPORT LDAPUserInfo
 		gid_t primary_gid;
 		bool tde_builtin_account;
 		LDAPKRB5Flags status;			// Default active user is 586 [KRB5_ACTIVE_DEFAULT] and locked out user is 7586 [KRB5_DISABLED_ACCOUNT]
-		TQCString new_password;
+		TQString new_password;
 		TQDateTime account_created;
 		TQDateTime account_modified;
 		TQDateTime password_last_changed;
@@ -312,9 +352,12 @@ class KDE_EXPORT LDAPUserInfo
 		TQString businessCategory;
 		TQString carLicense;
 		TQString notes;
+
+		// PKI
+		PKICertificateEntryList pkiCertificates;
 };
 
-class KDE_EXPORT LDAPGroupInfo
+class TDE_EXPORT LDAPGroupInfo
 {
 	public:
 		LDAPGroupInfo();
@@ -331,7 +374,7 @@ class KDE_EXPORT LDAPGroupInfo
 		TQStringList userlist;
 };
 
-class KDE_EXPORT LDAPMachineInfo
+class TDE_EXPORT LDAPMachineInfo
 {
 	public:
 		LDAPMachineInfo();
@@ -348,7 +391,7 @@ class KDE_EXPORT LDAPMachineInfo
 		LDAPKRB5Flags status;		// Default is 126 [KRB5_MACHINE_ACCOUNT_DEFAULT]
 };
 
-class KDE_EXPORT LDAPServiceInfo
+class TDE_EXPORT LDAPServiceInfo
 {
 	public:
 		LDAPServiceInfo();
@@ -366,7 +409,7 @@ class KDE_EXPORT LDAPServiceInfo
 		LDAPKRB5Flags status;		// Default is 126 [KRB5_SERVICE_PRINCIPAL_DEFAULT]
 };
 
-class KDE_EXPORT LDAPTDEBuiltinsInfo
+class TDE_EXPORT LDAPTDEBuiltinsInfo
 {
 	public:
 		LDAPTDEBuiltinsInfo();
@@ -380,7 +423,7 @@ class KDE_EXPORT LDAPTDEBuiltinsInfo
 		TQString builtinStandardUserGroup;
 };
 
-class KDE_EXPORT LDAPMasterReplicationMapping
+class TDE_EXPORT LDAPMasterReplicationMapping
 {
 	public:
 		LDAPMasterReplicationMapping();
@@ -393,7 +436,7 @@ class KDE_EXPORT LDAPMasterReplicationMapping
 
 typedef TQValueList<LDAPMasterReplicationMapping> LDAPMasterReplicationMap;
 
-class KDE_EXPORT LDAPMasterReplicationInfo
+class TDE_EXPORT LDAPMasterReplicationInfo
 {
 	public:
 		LDAPMasterReplicationInfo();
@@ -407,14 +450,14 @@ class KDE_EXPORT LDAPMasterReplicationInfo
 		int timeout;
 		int syncMethod;
 		TQString syncDN;
-		TQCString syncPassword;
+		TQString syncPassword;
 		TQString certificateFile;
 		TQString caCertificateFile;
 		bool ignore_ssl_failure;
 		bool replicate_olcGlobal;
 };
 
-class KDE_EXPORT KerberosTicketInfo
+class TDE_EXPORT KerberosTicketInfo
 {
 	public:
 		KerberosTicketInfo();
@@ -445,8 +488,8 @@ typedef TQValueList<KerberosTicketInfo> KerberosTicketInfoList;
 
 class PtyProcess;
 
-class KDE_EXPORT LDAPManager : public TQObject {
-	Q_OBJECT
+class TDE_EXPORT LDAPManager : public TQObject {
+	TQ_OBJECT
 
 	public:
 		LDAPManager(TQString realm, TQString host, TQObject *parent=0, const char *name=0);
@@ -479,37 +522,54 @@ class KDE_EXPORT LDAPManager : public TQObject {
 		int deleteServiceInfo(LDAPServiceInfo service, TQString *errstr=0);
 
 		int exportKeytabForPrincipal(TQString principal, TQString fileName, TQString *errstr=0);
+		int deleteKeytabEntriesForPrincipal(TQString principal, TQString fileName, TQString *errstr=0);
 
-		LDAPCredentials currentLDAPCredentials();
+		LDAPCredentials currentLDAPCredentials(bool inferGSSAPIData=false);
 
 		int moveKerberosEntries(TQString newSuffix, TQString* errstr=0);
 		int writeCertificateFileIntoDirectory(TQByteArray cert, TQString attr, TQString* errstr=0);
+		int writePKICertificateFilesIntoDirectory(LDAPUserInfo user, TQString attr, TQString* errstr=0);
 
 		TQString getRealmCAMaster(TQString* errstr=0);
 		int setRealmCAMaster(TQString masterFQDN, TQString* errstr=0);
+		int getLdapCertificateStoreAttribute(TQString attribute, TQString* value, TQString* errstr=0);
+		int setLdapCertificateStoreAttribute(TQString attribute, TQString value, TQString* errstr=0);
 
 		LDAPTDEBuiltinsInfo getTDEBuiltinMappings(TQString *errstr=0);
 		LDAPMasterReplicationInfo getLDAPMasterReplicationSettings(TQString *errstr=0);
 		int setLDAPMasterReplicationSettings(LDAPMasterReplicationInfo replicationinfo, TQString *errstr=0);
 		int writeSudoersConfFile(TQString *errstr=0);
+		int getTDECertificate(TQString certificateName, TQFile *fileHandle, TQString *errstr=0);
 		int getTDECertificate(TQString certificateName, TQString fileName, TQString *errstr=0);
+		int getTDECertificate(TQString certificateName, TQByteArray *certificate, TQString *errstr=0);
 		int setPasswordForUser(LDAPUserInfo user, TQString *errstr);
 
 		static int writePrimaryRealmCertificateUpdateCronFile(TQString *errstr=0);
+		static int installCACertificateInHostCAStore(TQString *errstr=0);
+		static int retrieveAndInstallCaCrl(LDAPManager* manager=0, TQString *errstr=0);
 		static TQString getMachineFQDN();
-		static int writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config, TQString *errstr=0);
-		static LDAPRealmConfigList readTDERealmList(KSimpleConfig* config, bool disableAllBonds=false);
+		static int writeTDERealmList(LDAPRealmConfigList realms, TDESimpleConfig* config, TQString *errstr=0);
+		static LDAPRealmConfigList fetchAndReadTDERealmList(TQString *defaultRealm=0);
+		static LDAPRealmConfigList readTDERealmList(TDESimpleConfig* config, bool disableAllBonds=false);
 		static TQDateTime getCertificateExpiration(TQString certfile);
+		static TQDateTime getCertificateExpiration(TQByteArray certfileContents);
 
-		static int generatePublicKerberosCACertificate(LDAPCertConfig certinfo);
+		static int generatePublicKerberosCACertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg);
 		static int generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg);
 		static int generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid);
 
+		static int generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, int clientKeyBitLength=2048, TQString autoLoginPIN=TQString::null, TQString *errstr=0);
+		static int generateClientCertificatePrivateKey(TQString privateKeyFile, int clientKeyBitLength=2048, TQString *errstr=0);
+		static int generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString autoLoginPIN=TQString::null, TQString *errstr=0);
+
+		int generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString crlFile, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr=0);
+
 		static TQString ldapdnForRealm(TQString realm);
+		static TQString openssldcForRealm(TQString realm);
 		static TQString cnFromDn(TQString dn);
 
 		static KerberosTicketInfoList getKerberosTicketList(TQString cache=TQString::null, TQString *cacheFileName=0);
-		static int getKerberosPassword(LDAPCredentials &creds, TQString prompt, bool requestServicePrincipal=false, TQWidget* parent=0);
+		static int getKerberosPassword(LDAPCredentials &creds, TQString prompt, bool requestServicePrincipal=false, bool allowSmartCard=false, TQWidget* parent=0);
 		static int obtainKerberosTicket(LDAPCredentials creds, TQString principal, TQString *errstr=0);
 		static int obtainKerberosServiceTicket(TQString principal, TQString *errstr=0);
 		static int destroyKerberosTicket(TQString principal, TQString *errstr=0);
@@ -517,18 +577,28 @@ class KDE_EXPORT LDAPManager : public TQObject {
 		static TQString detailedKAdminErrorMessage(TQString initialMessage);
 		static TQString readFullLineFromPtyProcess(PtyProcess* proc);
 
-		static LDAPClientRealmConfig loadClientRealmConfig(KSimpleConfig* config, bool useDefaults=false);
-		static int saveClientRealmConfig(LDAPClientRealmConfig clientRealmConfig, KSimpleConfig* config, TQString *errstr=0);
+		static LDAPClientRealmConfig loadClientRealmConfig(TDESimpleConfig* config, bool useDefaults=false);
+		static int saveClientRealmConfig(LDAPClientRealmConfig clientRealmConfig, TDESimpleConfig* config, TQString *errstr=0);
 		static int writeClientKrb5ConfFile(LDAPClientRealmConfig clientRealmConfig, LDAPRealmConfigList realmList, TQString *errstr=0);
 		static int writeLDAPConfFile(LDAPRealmConfig realmcfg, LDAPMachineRole machineRole, TQString *errstr=0);
 		static int writeNSSwitchFile(TQString *errstr=0);
+		static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr=0);
+		static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile=TQString::null, TQString caRootCertFile=TQString::null, TQString caRootDatabaseFile=TQString::null, TQString autoLoginPIN=TQString::null, TQString *errstr=0);
 		static int writeClientCronFiles(TQString *errstr=0);
+		static int rehashClientPKCSCertificates(TQString *errstr=0);
 		static int writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr=0);
+		static bool pkcsLoginEnabled();
 
-		static int bondRealm(TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0);
-		static int unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0);
+		static int bondRealm(const TQString &adminUserName, const TQString &adminPassword,
+					const TQString &adminRealm, TQString *errstr=0);
+		static int unbondRealm(LDAPRealmConfig realmcfg, const TQString &adminUserName,
+					const TQString &adminPassword, const TQString &adminRealm, TQString *errstr=0);
 
 	private:
+		int bindKAdmin(LDAPCredentials *administrativeCredentials=NULL, TQString *errstr=0);
+		int unbindKAdmin(TQString *errstr=0);
+		int kAdminAddNewPrincipal(TQString principalName, TQString newPassword, TQString *errstr=0);
+		int kAdminDeletePrincipal(TQString principalName, TQString *errstr=0);
 		LDAPUserInfo parseLDAPUserRecord(LDAPMessage* entry);
 		LDAPGroupInfo parseLDAPGroupRecord(LDAPMessage* entry);
 		LDAPMachineInfo parseLDAPMachineRecord(LDAPMessage* entry);
@@ -537,6 +607,7 @@ class KDE_EXPORT LDAPManager : public TQObject {
 		LDAPMasterReplicationInfo parseLDAPMasterReplicationRecord(LDAPMasterReplicationInfo replicationinfo, LDAPMessage* entry);
 		TQString parseLDAPSyncProvOverlayConfigRecord(LDAPMessage* entry);
 		bool parseLDAPTDEStringAttribute(LDAPMessage* entry, TQString attribute, TQString& retval);
+		static TQString getOpenSSLVersion();
 
 	private:
 		TQString m_realm;
@@ -545,6 +616,12 @@ class KDE_EXPORT LDAPManager : public TQObject {
 		TQString m_basedc;
 		LDAPCredentials* m_creds;
 		LDAP *m_ldap;
+
+		// kadmin interface
+		krb5_context m_krb5admContext;
+		void* m_krb5admHandle;
+		char* m_krb5admKeytabFilename;
+		char* m_krb5admRealmName;
 };
 
 #endif // _LIBTDELDAP_H_