You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
713 lines
25 KiB
713 lines
25 KiB
/***************************************************************************
|
|
* Copyright (C) 2012 by Timothy Pearson *
|
|
* kb9vqf@pearsoncomputing.net *
|
|
* *
|
|
* This program is free software; you can redistribute it and/or modify *
|
|
* it under the terms of the GNU General Public License as published by *
|
|
* the Free Software Foundation; either version 2 of the License, or *
|
|
* (at your option) any later version. *
|
|
* *
|
|
* This program is distributed in the hope that it will be useful, *
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
|
|
* GNU General Public License for more details. *
|
|
* *
|
|
* You should have received a copy of the GNU General Public License *
|
|
* along with this program; if not, write to the *
|
|
* Free Software Foundation, Inc., *
|
|
* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
|
|
***************************************************************************/
|
|
|
|
#include <tqlayout.h>
|
|
|
|
#include <klocale.h>
|
|
#include <kglobal.h>
|
|
#include <kcombobox.h>
|
|
#include <kparts/genericfactory.h>
|
|
#include <ksimpleconfig.h>
|
|
#include <kglobalsettings.h>
|
|
#include <kstandarddirs.h>
|
|
#include <kurlrequester.h>
|
|
#include <klistview.h>
|
|
#include <kopenwith.h>
|
|
#include <kpropertiesdialog.h>
|
|
#include <kio/job.h>
|
|
#include <tqdir.h>
|
|
#include <tqheader.h>
|
|
#include <knuminput.h>
|
|
#include <kpassdlg.h>
|
|
#include <klineedit.h>
|
|
#include <kmessagebox.h>
|
|
|
|
#include <tdesu/process.h>
|
|
|
|
#include "ldapbonding.h"
|
|
#include "bondwizard.h"
|
|
#include "ldappasswddlg.h"
|
|
#include "realmpropertiesdialog.h"
|
|
|
|
// FIXME
|
|
// Connect this to CMake/Automake
|
|
#define KDE_CONFDIR "/etc/trinity"
|
|
#define KRB5_FILE "/etc/krb5.conf"
|
|
#define NSSWITCH_FILE "/etc/nsswitch.conf"
|
|
#define PAMD_DIRECTORY "/etc/pam.d/"
|
|
#define PAMD_COMMON_ACCOUNT "common-account"
|
|
#define PAMD_COMMON_AUTH "common-auth"
|
|
|
|
typedef KGenericFactory<LDAPConfig, TQWidget> ldapFactory;
|
|
|
|
K_EXPORT_COMPONENT_FACTORY( kcm_ldapbonding, ldapFactory("kcmldapbonding"))
|
|
|
|
KSimpleConfig *systemconfig = 0;
|
|
|
|
LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&)
|
|
: TDECModule(parent, name), myAboutData(0)
|
|
{
|
|
TQVBoxLayout *layout = new TQVBoxLayout(this, KDialog::marginHint(), KDialog::spacingHint());
|
|
systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
|
|
systemconfig->setFileWriteMode(S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
|
|
|
|
TDEAboutData* about = new TDEAboutData("ldap", I18N_NOOP("TDE LDAP Manager"), "0.1",
|
|
I18N_NOOP("TDE LDAP Manager Control Panel Module"),
|
|
TDEAboutData::License_GPL,
|
|
I18N_NOOP("(c) 2012 Timothy Pearson"), 0, 0);
|
|
|
|
about->addAuthor("Timothy Pearson", 0, "kb9vqf@pearsoncomputing.net");
|
|
setAboutData( about );
|
|
|
|
base = new LDAPConfigBase(this);
|
|
layout->add(base);
|
|
base->ldapRealmList->setAllColumnsShowFocus(true);
|
|
base->ldapRealmList->setFullWidth(true);
|
|
|
|
setRootOnlyMsg(i18n("<b>Bonded LDAP realms take effect system wide, and require administrator access to modify</b><br>To alter the system's bonded LDAP realms, click on the \"Administrator Mode\" button below."));
|
|
setUseRootOnlyMsg(true);
|
|
|
|
connect(base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
|
|
connect(base->defaultRealm, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
|
|
connect(base->ticketLifetime, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
|
|
connect(base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
|
|
connect(base->ldapRealmList, TQT_SIGNAL(selectionChanged()), this, TQT_SLOT(processLockouts()));
|
|
|
|
connect(base->btnBondRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(bondToNewRealm()));
|
|
connect(base->btnReBondRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(reBondToRealm()));
|
|
connect(base->btnRemoveRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(removeRealm()));
|
|
connect(base->btnDeactivateRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(deactivateRealm()));
|
|
connect(base->btnRealmProperties, TQT_SIGNAL(clicked()), this, TQT_SLOT(realmProperties()));
|
|
|
|
connect(base->ldapVersion, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
|
|
connect(base->ldapTimeout, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
|
|
connect(base->bindPolicy, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
|
|
connect(base->ldapBindTimeout, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
|
|
connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
|
|
connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed()));
|
|
|
|
m_fqdn = LDAPManager::getMachineFQDN();
|
|
base->hostFQDN->setEnabled(false);
|
|
base->hostFQDN->clear();
|
|
base->hostFQDN->insertItem(m_fqdn);
|
|
|
|
load();
|
|
|
|
systemconfig->setGroup(NULL);
|
|
TQString ldapRole = systemconfig->readEntry("LDAPRole", "Workstation");
|
|
|
|
if ((getuid() != 0) || (!systemconfig->checkConfigFilesWritable( true )) || (ldapRole != "Workstation")) {
|
|
base->systemEnableSupport->setEnabled(false);
|
|
}
|
|
|
|
processLockouts();
|
|
};
|
|
|
|
LDAPConfig::~LDAPConfig() {
|
|
delete systemconfig;
|
|
}
|
|
|
|
void LDAPConfig::load() {
|
|
kgs = new TDEGlobalSettings();
|
|
|
|
load(false);
|
|
}
|
|
|
|
void LDAPConfig::load(bool useDefaults )
|
|
{
|
|
int i;
|
|
bool thisIsMyMachine;
|
|
|
|
//Update the toggle buttons with the current configuration
|
|
systemconfig->setReadDefaults( useDefaults );
|
|
|
|
systemconfig->setGroup(NULL);
|
|
base->systemEnableSupport->setChecked(systemconfig->readBoolEntry("EnableLDAP", false));
|
|
m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null);
|
|
m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400);
|
|
if (m_fqdn == systemconfig->readEntry("HostFQDN", "")) {
|
|
thisIsMyMachine = true;
|
|
}
|
|
else {
|
|
thisIsMyMachine = false;
|
|
}
|
|
|
|
m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3);
|
|
m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2);
|
|
m_bindPolicy = systemconfig->readEntry("ConnectionBindPolicy", "soft");
|
|
m_ldapBindTimeout = systemconfig->readNumEntry("ConnectionBindTimeout", 2);
|
|
m_passwordHash = systemconfig->readEntry("ConnectionPasswordHash", "exop");
|
|
m_ignoredUsers = systemconfig->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST);
|
|
|
|
// Load realms
|
|
m_realms.clear();
|
|
m_realms = LDAPManager::readTDERealmList(systemconfig, !thisIsMyMachine);
|
|
|
|
base->ticketLifetime->setValue(m_ticketLifetime);
|
|
|
|
base->ldapVersion->setValue(m_ldapVersion);
|
|
base->ldapTimeout->setValue(m_ldapTimeout);
|
|
for (i=0; i<base->bindPolicy->count(); i++) {
|
|
if (base->bindPolicy->text(i).lower() == m_defaultRealm.lower()) {
|
|
base->bindPolicy->setCurrentItem(i);
|
|
break;
|
|
}
|
|
}
|
|
base->ldapBindTimeout->setValue(m_ldapBindTimeout);
|
|
for (i=0; i<base->passwordHash->count(); i++) {
|
|
if (base->passwordHash->text(i).lower() == m_passwordHash.lower()) {
|
|
base->passwordHash->setCurrentItem(i);
|
|
break;
|
|
}
|
|
}
|
|
base->ignoredUsers->setText(m_ignoredUsers);
|
|
|
|
updateRealmList();
|
|
|
|
processLockouts();
|
|
|
|
emit changed(useDefaults);
|
|
}
|
|
|
|
void LDAPConfig::updateRealmList() {
|
|
base->ldapRealmList->clear();
|
|
base->defaultRealm->clear();
|
|
LDAPRealmConfigList::Iterator it;
|
|
for (it = m_realms.begin(); it != m_realms.end(); ++it) {
|
|
LDAPRealmConfig realmcfg = it.data();
|
|
(void)new TQListViewItem(base->ldapRealmList, ((realmcfg.bonded)?i18n("Bonded"):i18n("Deactivated")), realmcfg.name);
|
|
base->defaultRealm->insertItem(realmcfg.name);
|
|
}
|
|
if (m_defaultRealm != "") {
|
|
for (int i=0; i<base->defaultRealm->count(); i++) {
|
|
if (base->defaultRealm->text(i) == m_defaultRealm) {
|
|
base->defaultRealm->setCurrentItem(i);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
processLockouts();
|
|
}
|
|
|
|
void LDAPConfig::defaults() {
|
|
|
|
}
|
|
|
|
void LDAPConfig::save() {
|
|
TQString errorstring;
|
|
|
|
// Write system configuration
|
|
systemconfig->setGroup(NULL);
|
|
systemconfig->writeEntry("EnableLDAP", base->systemEnableSupport->isChecked());
|
|
systemconfig->writeEntry("HostFQDN", m_fqdn);
|
|
m_defaultRealm = base->defaultRealm->currentText();
|
|
m_ticketLifetime = base->ticketLifetime->value();
|
|
|
|
m_ldapVersion = base->ldapVersion->value();
|
|
m_ldapTimeout = base->ldapTimeout->value();
|
|
m_bindPolicy = base->bindPolicy->currentText();
|
|
m_ldapBindTimeout = base->ldapBindTimeout->value();
|
|
m_passwordHash = base->passwordHash->currentText();
|
|
m_ignoredUsers = base->ignoredUsers->text();
|
|
|
|
if (m_defaultRealm != "") {
|
|
systemconfig->writeEntry("DefaultRealm", m_defaultRealm);
|
|
}
|
|
else {
|
|
systemconfig->deleteEntry("DefaultRealm");
|
|
}
|
|
systemconfig->writeEntry("TicketLifetime", m_ticketLifetime);
|
|
|
|
systemconfig->writeEntry("ConnectionLDAPVersion", m_ldapVersion);
|
|
systemconfig->writeEntry("ConnectionLDAPTimeout", m_ldapTimeout);
|
|
systemconfig->writeEntry("ConnectionBindPolicy", m_bindPolicy);
|
|
systemconfig->writeEntry("ConnectionBindTimeout", m_ldapBindTimeout);
|
|
systemconfig->writeEntry("ConnectionPasswordHash", m_passwordHash);
|
|
systemconfig->writeEntry("ConnectionIgnoredUsers", m_ignoredUsers);
|
|
|
|
LDAPManager::writeTDERealmList(m_realms, systemconfig);
|
|
systemconfig->sync();
|
|
|
|
if (base->systemEnableSupport->isChecked()) {
|
|
// Write the Kerberos5 configuration file
|
|
writeKrb5ConfFile();
|
|
// Write the LDAP configuration file
|
|
writeLDAPConfFile();
|
|
// Write the NSSwitch configuration file
|
|
writeNSSwitchFile();
|
|
// Write the PAM configuration files
|
|
writePAMFiles();
|
|
// Write the cron files
|
|
LDAPManager::writeCronFiles();
|
|
|
|
if (m_defaultRealm != "") {
|
|
// Bind anonymously to LDAP
|
|
LDAPCredentials* credentials = new LDAPCredentials;
|
|
credentials->username = "";
|
|
credentials->password = "";
|
|
credentials->realm = m_defaultRealm.upper();
|
|
credentials->use_tls = false;
|
|
LDAPManager* ldap_mgr = new LDAPManager(m_defaultRealm.upper(), TQString("ldap://%1").arg(m_realms[m_defaultRealm].admin_server).ascii(), credentials);
|
|
|
|
// Add the domain-wide computer local admin group to local sudoers
|
|
ldap_mgr->writeSudoersConfFile(&errorstring);
|
|
// Get and install the CA root certificate from LDAP
|
|
mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
|
|
mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
|
|
if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PUBLICDIR + m_realms[m_defaultRealm].admin_server + ".ldap.crt", &errorstring) != 0) {
|
|
KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root certificate for realm %1!</b><p>Details: %2</qt>").arg(m_defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain Certificate"));
|
|
}
|
|
|
|
delete ldap_mgr;
|
|
delete credentials;
|
|
}
|
|
}
|
|
|
|
load();
|
|
}
|
|
|
|
void LDAPConfig::processLockouts() {
|
|
bool panelIsEnabled = (base->systemEnableSupport->isEnabled() && base->systemEnableSupport->isChecked());
|
|
|
|
base->groupRealms->setEnabled(panelIsEnabled);
|
|
base->groupKrbDefaults->setEnabled(panelIsEnabled);
|
|
base->groupConnectionParameters->setEnabled(panelIsEnabled);
|
|
|
|
TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
|
|
if (selrealm) {
|
|
LDAPRealmConfig realmcfg = m_realms[selrealm->text(1)];
|
|
base->btnBondRealm->setEnabled(true);
|
|
base->btnReBondRealm->setEnabled(true);
|
|
if (realmcfg.bonded) {
|
|
base->btnDeactivateRealm->setEnabled(true);
|
|
base->btnRemoveRealm->setEnabled(false);
|
|
base->btnRealmProperties->setEnabled(false);
|
|
}
|
|
else {
|
|
base->btnDeactivateRealm->setEnabled(false);
|
|
base->btnRemoveRealm->setEnabled(true);
|
|
base->btnRealmProperties->setEnabled(true);
|
|
}
|
|
}
|
|
else {
|
|
base->btnBondRealm->setEnabled(true);
|
|
base->btnReBondRealm->setEnabled(false);
|
|
base->btnDeactivateRealm->setEnabled(false);
|
|
base->btnRemoveRealm->setEnabled(false);
|
|
base->btnRealmProperties->setEnabled(false);
|
|
}
|
|
}
|
|
|
|
void LDAPConfig::bondToNewRealm() {
|
|
// Something will probably change
|
|
save();
|
|
|
|
BondWizard bondwizard(&m_realms, this, this);
|
|
bondwizard.exec();
|
|
|
|
// Something probably changed
|
|
load();
|
|
}
|
|
|
|
void LDAPConfig::reBondToRealm() {
|
|
TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
|
|
if (selrealm) {
|
|
TQString realmName = selrealm->text(1);
|
|
LDAPRealmConfig realmcfg = m_realms[realmName];
|
|
|
|
// Password prompt...
|
|
TQString errorString;
|
|
LDAPPasswordDialog passdlg(this);
|
|
passdlg.m_base->ldapAdminRealm->setEnabled(false);
|
|
passdlg.m_base->ldapAdminRealm->setText(realmName);
|
|
if (passdlg.exec() == TQDialog::Accepted) {
|
|
setEnabled(false);
|
|
if (bondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) {
|
|
// Success!
|
|
realmcfg.bonded = true;
|
|
m_realms.remove(realmName);
|
|
m_realms.insert(realmName, realmcfg);
|
|
save();
|
|
}
|
|
else {
|
|
KMessageBox::error(this, i18n("<qt><b>Unable to bond to realm!</b><p>Details: %1</qt>").arg(errorString), i18n("Unable to Bond to Realm"));
|
|
}
|
|
setEnabled(true);
|
|
}
|
|
}
|
|
updateRealmList();
|
|
}
|
|
|
|
void LDAPConfig::removeRealm() {
|
|
TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
|
|
if (selrealm) {
|
|
m_realms.remove(selrealm->text(1));
|
|
updateRealmList();
|
|
changed();
|
|
}
|
|
}
|
|
|
|
void LDAPConfig::deactivateRealm() {
|
|
TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
|
|
if (selrealm) {
|
|
TQString realmName = selrealm->text(1);
|
|
LDAPRealmConfig realmcfg = m_realms[realmName];
|
|
if (realmcfg.bonded == true) {
|
|
// Password prompt...
|
|
TQString errorString;
|
|
LDAPPasswordDialog passdlg(this);
|
|
passdlg.m_base->ldapAdminRealm->setEnabled(false);
|
|
passdlg.m_base->ldapAdminRealm->setText(realmName);
|
|
passdlg.m_base->passprompt->setText(i18n("Please provide LDAP realm administrator credentials below to complete the unbonding process"));
|
|
if (passdlg.exec() == TQDialog::Accepted) {
|
|
setEnabled(false);
|
|
if (unbondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) {
|
|
// Success!
|
|
realmcfg.bonded = false;
|
|
m_realms.remove(realmName);
|
|
m_realms.insert(realmName, realmcfg);
|
|
save();
|
|
}
|
|
else {
|
|
KMessageBox::error(this, i18n("<qt><b>Unable to unbond from realm!</b><p>%1</qt>").arg(errorString), i18n("Unable to Unbond from Realm"));
|
|
}
|
|
setEnabled(true);
|
|
}
|
|
}
|
|
}
|
|
updateRealmList();
|
|
}
|
|
|
|
int LDAPConfig::bondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) {
|
|
TQCString command = "kadmin";
|
|
QCStringList args;
|
|
args << TQCString("-p") << TQCString(adminUserName+"@"+(adminRealm.upper())) << TQCString("-r") << TQCString(adminRealm.upper());
|
|
|
|
TQString hoststring = "host/"+m_fqdn;
|
|
|
|
TQString prompt;
|
|
PtyProcess kadminProc;
|
|
kadminProc.exec(command, args);
|
|
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
|
|
prompt = prompt.stripWhiteSpace();
|
|
if (prompt == "kadmin>") {
|
|
command = TQCString("ext "+hoststring);
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine(command, true);
|
|
do { // Discard our own input
|
|
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
|
|
printf("(kadmin) '%s'\n\r", prompt.ascii());
|
|
} while (prompt == TQString(command));
|
|
prompt = prompt.stripWhiteSpace();
|
|
if (prompt.endsWith(" Password:")) {
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine(adminPassword, true);
|
|
do { // Discard our own input
|
|
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
|
|
printf("(kadmin) '%s'\n\r", prompt.ascii());
|
|
} while (prompt == "");
|
|
prompt = prompt.stripWhiteSpace();
|
|
}
|
|
if (prompt.contains("authentication failed")) {
|
|
if (errstr) *errstr = LDAPManager::detailedKAdminErrorMessage(prompt);
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine("quit", true);
|
|
return 1;
|
|
}
|
|
else if (prompt.endsWith("Principal does not exist")) {
|
|
// Wait for kadmin to be ready for the next command
|
|
if (!prompt.contains("kadmin>")) {
|
|
prompt = "";
|
|
}
|
|
while (prompt == "") {
|
|
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
|
|
printf("(kadmin) '%s'\n\r", prompt.ascii());
|
|
}
|
|
command = TQCString("ank --random-key "+hoststring);
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine(command, true);
|
|
do { // Discard our own input
|
|
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
|
|
printf("(kadmin) '%s'\n\r", prompt.ascii());
|
|
} while (prompt == TQString(command));
|
|
prompt = prompt.stripWhiteSpace();
|
|
// Use all defaults
|
|
while (prompt != "kadmin>") {
|
|
if (prompt.endsWith(" Password:")) {
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine(adminPassword, true);
|
|
do { // Discard our own input
|
|
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
|
|
printf("(kadmin) '%s'\n\r", prompt.ascii());
|
|
} while (prompt == "");
|
|
prompt = prompt.stripWhiteSpace();
|
|
}
|
|
if (prompt.contains("authentication failed")) {
|
|
if (errstr) *errstr = LDAPManager::detailedKAdminErrorMessage(prompt);
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine("quit", true);
|
|
return 1;
|
|
}
|
|
else {
|
|
// Extract whatever default is in the [brackets] and feed it back to kadmin
|
|
TQString defaultParam;
|
|
int leftbracket = prompt.find("[");
|
|
int rightbracket = prompt.find("]");
|
|
if ((leftbracket >= 0) && (rightbracket >= 0)) {
|
|
leftbracket++;
|
|
defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket);
|
|
}
|
|
command = TQCString(defaultParam);
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine(command, true);
|
|
do { // Discard our own input
|
|
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
|
|
printf("(kadmin) '%s'\n\r", prompt.ascii());
|
|
} while (prompt == TQString(command));
|
|
prompt = prompt.stripWhiteSpace();
|
|
}
|
|
}
|
|
command = TQCString("ext "+hoststring);
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine(command, true);
|
|
do { // Discard our own input
|
|
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
|
|
printf("(kadmin) '%s'\n\r", prompt.ascii());
|
|
} while (prompt == TQString(command));
|
|
prompt = prompt.stripWhiteSpace();
|
|
if (prompt != "kadmin>") {
|
|
if (errstr) *errstr = LDAPManager::detailedKAdminErrorMessage(prompt);
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine("quit", true);
|
|
return 1;
|
|
}
|
|
|
|
// Success!
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine("quit", true);
|
|
|
|
realmcfg.bonded = true;
|
|
m_realms.remove(realmcfg.name);
|
|
m_realms.insert(realmcfg.name, realmcfg);
|
|
save();
|
|
return 0;
|
|
}
|
|
else if (prompt == "kadmin>") {
|
|
// Success!
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine("quit", true);
|
|
|
|
realmcfg.bonded = true;
|
|
m_realms.remove(realmcfg.name);
|
|
m_realms.insert(realmcfg.name, realmcfg);
|
|
save();
|
|
return 0;
|
|
}
|
|
|
|
// Failure
|
|
if (errstr) *errstr = LDAPManager::detailedKAdminErrorMessage(prompt);
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine("quit", true);
|
|
return 1;
|
|
}
|
|
|
|
if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
|
|
return 1; // Failure
|
|
}
|
|
|
|
int LDAPConfig::unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) {
|
|
Q_UNUSED(realmcfg);
|
|
|
|
TQCString command = "kadmin";
|
|
QCStringList args;
|
|
args << TQCString("-p") << TQCString(adminUserName+"@"+(adminRealm.upper()));
|
|
|
|
TQString hoststring = "host/"+m_fqdn;
|
|
|
|
TQString prompt;
|
|
PtyProcess kadminProc;
|
|
kadminProc.exec(command, args);
|
|
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
|
|
prompt = prompt.stripWhiteSpace();
|
|
if (prompt == "kadmin>") {
|
|
command = TQCString("delete "+hoststring);
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine(command, true);
|
|
do { // Discard our own input
|
|
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
|
|
printf("(kadmin) '%s'\n\r", prompt.ascii());
|
|
} while (prompt == TQString(command));
|
|
prompt = prompt.stripWhiteSpace();
|
|
if (prompt.endsWith(" Password:")) {
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine(adminPassword, true);
|
|
do { // Discard our own input
|
|
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
|
|
printf("(kadmin) '%s'\n\r", prompt.ascii());
|
|
} while (prompt == "");
|
|
prompt = prompt.stripWhiteSpace();
|
|
}
|
|
if (prompt != "kadmin>") {
|
|
if (errstr) *errstr = LDAPManager::detailedKAdminErrorMessage(prompt);
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine("quit", true);
|
|
return 1;
|
|
}
|
|
|
|
// Success!
|
|
kadminProc.enableLocalEcho(false);
|
|
kadminProc.writeLine("quit", true);
|
|
return 0;
|
|
}
|
|
|
|
return 1; // Failure
|
|
}
|
|
|
|
void LDAPConfig::realmProperties() {
|
|
TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
|
|
if (selrealm) {
|
|
RealmPropertiesDialog rpdialog(&m_realms, selrealm->text(1), this);
|
|
if (rpdialog.exec() == TQDialog::Accepted) {
|
|
updateRealmList();
|
|
changed();
|
|
}
|
|
}
|
|
}
|
|
|
|
void LDAPConfig::writeKrb5ConfFile() {
|
|
TQFile file(KRB5_FILE);
|
|
if (file.open(IO_WriteOnly)) {
|
|
TQTextStream stream( &file );
|
|
|
|
stream << "# This file was automatically generated by TDE\n";
|
|
stream << "# All changes will be lost!\n";
|
|
stream << "\n";
|
|
|
|
// Defaults
|
|
stream << "[libdefaults]\n";
|
|
stream << " ticket_lifetime = " << m_ticketLifetime << "\n";
|
|
if (m_defaultRealm != "") {
|
|
stream << " default_realm = " << m_defaultRealm << "\n";
|
|
}
|
|
stream << "\n";
|
|
|
|
// Realms
|
|
stream << "[realms]\n";
|
|
LDAPRealmConfigList::Iterator it;
|
|
for (it = m_realms.begin(); it != m_realms.end(); ++it) {
|
|
LDAPRealmConfig realmcfg = it.data();
|
|
stream << " " << realmcfg.name << " = {\n";
|
|
stream << " kdc = " << realmcfg.kdc << ":" << realmcfg.kdc_port << "\n";
|
|
stream << " admin_server = " << realmcfg.admin_server << ":" << realmcfg.admin_server_port << "\n";
|
|
stream << " pkinit_require_eku = " << (realmcfg.pkinit_require_eku?"true":"false") << "\n";
|
|
stream << " pkinit_require_krbtgt_otherName = " << (realmcfg.pkinit_require_krbtgt_otherName?"true":"false") << "\n";
|
|
stream << " win2k_pkinit = " << (realmcfg.win2k_pkinit?"yes":"no") << "\n";
|
|
stream << " win2k_pkinit_require_binding = " << (realmcfg.win2k_pkinit_require_binding?"yes":"no") << "\n";
|
|
stream << " }\n";
|
|
}
|
|
stream << "\n";
|
|
|
|
// Domain aliases
|
|
stream << "[domain_realm]\n";
|
|
LDAPRealmConfigList::Iterator it2;
|
|
for (it2 = m_realms.begin(); it2 != m_realms.end(); ++it2) {
|
|
LDAPRealmConfig realmcfg = it2.data();
|
|
TQStringList domains = realmcfg.domain_mappings;
|
|
for (TQStringList::Iterator it3 = domains.begin(); it3 != domains.end(); ++it3 ) {
|
|
stream << " " << *it3 << " = " << realmcfg.name << "\n";
|
|
}
|
|
}
|
|
|
|
file.close();
|
|
}
|
|
}
|
|
|
|
void LDAPConfig::writeLDAPConfFile() {
|
|
LDAPManager::writeLDAPConfFile(m_realms[m_defaultRealm]);
|
|
}
|
|
|
|
void LDAPConfig::writeNSSwitchFile() {
|
|
TQFile file(NSSWITCH_FILE);
|
|
if (file.open(IO_WriteOnly)) {
|
|
TQTextStream stream( &file );
|
|
|
|
stream << "# This file was automatically generated by TDE\n";
|
|
stream << "# All changes will be lost!\n";
|
|
stream << "\n";
|
|
stream << "passwd: files ldap [NOTFOUND=return] db" << "\n";
|
|
stream << "group: files ldap [NOTFOUND=return] db" << "\n";
|
|
stream << "shadow: files ldap [NOTFOUND=return] db" << "\n";
|
|
stream << "\n";
|
|
stream << "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4" << "\n";
|
|
stream << "networks: files" << "\n";
|
|
stream << "\n";
|
|
stream << "protocols: db files" << "\n";
|
|
stream << "services: db files" << "\n";
|
|
stream << "ethers: db files" << "\n";
|
|
stream << "rpc: db files" << "\n";
|
|
stream << "\n";
|
|
stream << "netgroup: nis" << "\n";
|
|
|
|
file.close();
|
|
}
|
|
}
|
|
|
|
void LDAPConfig::writePAMFiles() {
|
|
TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT);
|
|
if (file.open(IO_WriteOnly)) {
|
|
TQTextStream stream( &file );
|
|
|
|
stream << "# This file was automatically generated by TDE\n";
|
|
stream << "# All changes will be lost!\n";
|
|
stream << "\n";
|
|
stream << "account sufficient pam_unix.so nullok_secure" << "\n";
|
|
stream << "account sufficient pam_ldap.so" << "\n";
|
|
stream << "account required pam_permit.so" << "\n";
|
|
|
|
file.close();
|
|
}
|
|
|
|
TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH);
|
|
if (file2.open(IO_WriteOnly)) {
|
|
TQTextStream stream( &file2 );
|
|
|
|
stream << "# This file was automatically generated by TDE\n";
|
|
stream << "# All changes will be lost!\n";
|
|
stream << "\n";
|
|
stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n";
|
|
stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
|
|
stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
|
|
stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
|
|
stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
|
|
stream << "auth required pam_deny.so" << "\n";
|
|
|
|
file2.close();
|
|
}
|
|
}
|
|
|
|
int LDAPConfig::buttons() {
|
|
return TDECModule::Apply|TDECModule::Help;
|
|
}
|
|
|
|
TQString LDAPConfig::quickHelp() const
|
|
{
|
|
return i18n("This module configures which LDAP realms TDE uses for authentication.");
|
|
}
|