Add PKCS login setup controls

pull/1/head
Timothy Pearson 9 years ago
parent c14f2f4613
commit 5f90079891

@ -155,6 +155,7 @@ int main(int argc, char *argv[])
int prevSecondsToExpiry = (7*24*60*60); int prevSecondsToExpiry = (7*24*60*60);
while (1) { while (1) {
bool newCertDownloaded = false;
bool allDownloadsOK = true; bool allDownloadsOK = true;
TQDateTime now = TQDateTime::currentDateTime(); TQDateTime now = TQDateTime::currentDateTime();
TQDateTime earliestCertExpiry = now.addDays(14); // Recheck every 7 days regardless of last expiry check results TQDateTime earliestCertExpiry = now.addDays(14); // Recheck every 7 days regardless of last expiry check results
@ -174,7 +175,10 @@ int main(int argc, char *argv[])
printf("[INFO] Certificate %s expires %s\n", certificateFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout); printf("[INFO] Certificate %s expires %s\n", certificateFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
} }
if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) { if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) { if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) == 0) {
newCertDownloaded = true;
}
else {
allDownloadsOK = false; allDownloadsOK = false;
} }
} }
@ -185,7 +189,10 @@ int main(int argc, char *argv[])
else { else {
mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) { if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) == 0) {
newCertDownloaded = true;
}
else {
allDownloadsOK = false; allDownloadsOK = false;
} }
} }
@ -196,7 +203,10 @@ int main(int argc, char *argv[])
printf("[INFO] CRL %s expires %s\n", crlFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout); printf("[INFO] CRL %s expires %s\n", crlFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
} }
if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) { if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) { if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) == 0) {
newCertDownloaded = true;
}
else {
allDownloadsOK = false; allDownloadsOK = false;
} }
} }
@ -207,10 +217,19 @@ int main(int argc, char *argv[])
else { else {
mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) { if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) == 0) {
newCertDownloaded = true;
}
else {
allDownloadsOK = false; allDownloadsOK = false;
} }
} }
if (newCertDownloaded) {
if (LDAPManager::rehashClientPKCSCertificates() != 0) {
printf("[WARNING] Unable to rehash client PKCS certificates\n"); fflush(stdout);
}
}
} }
immediate = false; immediate = false;
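Review bot: A failing rehash is only logged, so when LDAPManager::rehashClientPKCSCertificates() returns non-zero in the block added just before `immediate = false;`, the root certificate or CRL that was just downloaded stays unhashed and nothing triggers another rehash until the next download, which the surrounding loop appears to schedule from certificate expiry rather than from this failure. Treating it like a failed download keeps the retry cadence consistent: add `allDownloadsOK = false;` after the `[WARNING]` printf. The download-then-set-flag pattern is now repeated in the four get_certificate_from_server hunks above (publicRootCertificate and publicRootCertificateRevocationList, each in two branches), so a small helper that performs the download and updates both flags would remove the four-fold duplication. A CRL download also sets newCertDownloaded, so presumably the rehash refreshes CRL hash links as well — worth confirming. main() begins before the first hunk and continues past this one, so how allDownloadsOK drives the retry delay is not visible here.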

@ -102,6 +102,9 @@ LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&)
connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed())); connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed())); connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed()));
connect(base->pamEnablePKCS11Logons, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
connect(base->pamEnablePKCS11Logons, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
connect(base->pamPKCS11LoginCardSlot, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
connect(base->pamEnableCachedLogons, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed())); connect(base->pamEnableCachedLogons, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
connect(base->pamCreateHomeDirectory, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed())); connect(base->pamCreateHomeDirectory, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
connect(base->pamCreateHomeDirectory, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts())); connect(base->pamCreateHomeDirectory, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
@ -165,6 +168,8 @@ void LDAPConfig::load(bool useDefaults )
} }
base->ignoredUsers->setText(m_clientRealmConfig.ignoredUsers); base->ignoredUsers->setText(m_clientRealmConfig.ignoredUsers);
base->pamEnablePKCS11Logons->setChecked(m_clientRealmConfig.pamConfig.enable_pkcs11_login);
base->pamPKCS11LoginCardSlot->setValue(m_clientRealmConfig.pamConfig.pkcs11_login_card_slot);
base->pamEnableCachedLogons->setChecked(m_clientRealmConfig.pamConfig.enable_cached_credentials); base->pamEnableCachedLogons->setChecked(m_clientRealmConfig.pamConfig.enable_cached_credentials);
base->pamCreateHomeDirectory->setChecked(m_clientRealmConfig.pamConfig.autocreate_user_directories_enable); base->pamCreateHomeDirectory->setChecked(m_clientRealmConfig.pamConfig.autocreate_user_directories_enable);
base->pamCreateHomeDirectoryUmask->setValue(m_clientRealmConfig.pamConfig.autocreate_user_directories_umask); base->pamCreateHomeDirectoryUmask->setValue(m_clientRealmConfig.pamConfig.autocreate_user_directories_umask);
@ -217,6 +222,8 @@ void LDAPConfig::save() {
m_clientRealmConfig.passwordHash = base->passwordHash->currentText(); m_clientRealmConfig.passwordHash = base->passwordHash->currentText();
m_clientRealmConfig.ignoredUsers = base->ignoredUsers->text(); m_clientRealmConfig.ignoredUsers = base->ignoredUsers->text();
m_clientRealmConfig.pamConfig.enable_pkcs11_login = base->pamEnablePKCS11Logons->isChecked();
m_clientRealmConfig.pamConfig.pkcs11_login_card_slot = base->pamPKCS11LoginCardSlot->value();
m_clientRealmConfig.pamConfig.enable_cached_credentials = base->pamEnableCachedLogons->isChecked(); m_clientRealmConfig.pamConfig.enable_cached_credentials = base->pamEnableCachedLogons->isChecked();
m_clientRealmConfig.pamConfig.autocreate_user_directories_enable = base->pamCreateHomeDirectory->isChecked(); m_clientRealmConfig.pamConfig.autocreate_user_directories_enable = base->pamCreateHomeDirectory->isChecked();
m_clientRealmConfig.pamConfig.autocreate_user_directories_umask = base->pamCreateHomeDirectoryUmask->value(); m_clientRealmConfig.pamConfig.autocreate_user_directories_umask = base->pamCreateHomeDirectoryUmask->value();
@ -343,6 +350,13 @@ void LDAPConfig::processLockouts() {
base->pamCreateHomeDirectoryUmask->setEnabled(false); base->pamCreateHomeDirectoryUmask->setEnabled(false);
base->pamCreateHomeDirectorySkelDir->setEnabled(false); base->pamCreateHomeDirectorySkelDir->setEnabled(false);
} }
if (base->pamEnablePKCS11Logons->isChecked()) {
base->pamPKCS11LoginCardSlot->setEnabled(true);
}
else {
base->pamPKCS11LoginCardSlot->setEnabled(false);
}
} }
void LDAPConfig::bondToNewRealm() { void LDAPConfig::bondToNewRealm() {
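Review bot: The six-line if/else added to processLockouts() collapses to `base->pamPKCS11LoginCardSlot->setEnabled(base->pamEnablePKCS11Logons->isChecked());`, which reads as one statement of intent and is harder to leave half-updated if more PKCS#11 widgets are added later. The new load() lines populate the checkbox and slot value, but the hunk does not show whether load() ends by calling processLockouts(); if it does not, the slot input's enabled state would not reflect the loaded enable_pkcs11_login until the user clicks the checkbox. The existing pamCreateHomeDirectory widgets follow the same pattern, so presumably load() already does this — worth confirming. processLockouts(), load() and save() all start outside their hunks.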

@ -454,6 +454,14 @@
<string>&amp;Enable logon credentials cache</string> <string>&amp;Enable logon credentials cache</string>
</property> </property>
</widget> </widget>
<widget class="TQCheckBox" row="2" column="0" colspan="2">
<property name="name">
<cstring>pamEnablePKCS11Logons</cstring>
</property>
<property name="text">
<string>&amp;Enable PKCS#11 card login</string>
</property>
</widget>
<widget class="TQLabel" row="0" column="2"> <widget class="TQLabel" row="0" column="2">
<property name="name"> <property name="name">
<cstring>unnamed</cstring> <cstring>unnamed</cstring>
@ -500,6 +508,33 @@
</sizepolicy> </sizepolicy>
</property> </property>
</widget> </widget>
<widget class="TQLabel" row="2" column="2">
<property name="name">
<cstring>unnamed</cstring>
</property>
<property name="text">
<string>PKCS#11 certificate slot</string>
</property>
<property name="sizePolicy">
<sizepolicy>
<hsizetype>0</hsizetype>
<vsizetype>0</vsizetype>
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
</widget>
<widget class="KIntNumInput" row="2" column="3" >
<property name="name">
<cstring>pamPKCS11LoginCardSlot</cstring>
</property>
<property name="minValue">
<number>0</number>
</property>
<property name="maxValue">
<number>999</number>
</property>
</widget>
<widget class="KURLRequester" row="1" column="3" > <widget class="KURLRequester" row="1" column="3" >
<property name="name"> <property name="name">
<cstring>pamCreateHomeDirectorySkelDir</cstring> <cstring>pamCreateHomeDirectorySkelDir</cstring>
