Provide a range of user and certificate management options

pull/1/head
Timothy Pearson 12 years ago
parent 023a331a3c
commit 02cfa8d8af

@ -300,7 +300,7 @@ objectClass: tdeBuiltinStore
objectClass: applicationProcess
tdeBuiltinAccount: TRUE
structuralObjectClass: applicationProcess
builtinRealmAdminAccount: cn=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@
builtinRealmAdminAccount: uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@
builtinRealmAdminGroup: cn=@@@ADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@
builtinMachineAdminGroup: cn=@@@LOCALADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@
builtinStandardUserGroup: cn=@@@STANDARDUSERGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@
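Review bot: builtinRealmAdminAccount now carries a `uid=` RDN while the other three builtin DNs keep `cn=`, and the code in this commit (load() and btnChangeRealmAdminPassword in ldapcontroller.cpp) turns that value into a display name through `LDAPManager::cnFromDn(builtins.builtinRealmAdminAccount)`. If that helper only recognises a leading `cn=`, the realm administrator name will render empty after this template change; this is inferred from the name and should be confirmed against the libtdeldap implementation. A one-line comment above the entry, `# admin accounts are addressed by uid=, groups by cn=`, would also make the asymmetry deliberate rather than look like a typo.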

@ -46,6 +46,7 @@
#include <tdesu/process.h>
#include <libtdeldap.h>
#include <kfiledialog.h>
#include <kpassdlg.h>
#include "sha1.h"
@ -69,17 +70,12 @@
#define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl"
#define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions"
#define ROLE_WORKSTATION 0
#define ROLE_REALM_CONTROLLER 1
#define ROLE_SECONDARY_REALM_CONTROLLER 1
#define ROLE_PRIMARY_REALM_CONTROLLER 2
#define KEY_STRENGTH 2048
// RAJA FIXME
// Provide a way to change the LDAP root password
// in the olcDatabase (field olcRootPW) after installation!
typedef KGenericFactory<LDAPController, TQWidget> ldapFactory;
K_EXPORT_COMPONENT_FACTORY( kcm_ldapcontroller, ldapFactory("kcmldapcontroller"))
@ -104,7 +100,8 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
m_base->systemRole->clear();
m_base->systemRole->insertItem("Workstation", ROLE_WORKSTATION);
m_base->systemRole->insertItem("Realm Controller", ROLE_REALM_CONTROLLER);
m_base->systemRole->insertItem("Secondary Realm Controller", ROLE_SECONDARY_REALM_CONTROLLER);
m_base->systemRole->insertItem("Primary Realm Controller", ROLE_PRIMARY_REALM_CONTROLLER);
setRootOnlyMsg(i18n("<b>LDAP controller settings take effect system wide, and require administrator access to modify</b><br>To alter the system's realm controller settings, click on the \"Administrator Mode\" button below."));
setUseRootOnlyMsg(true);
@ -114,7 +111,21 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
connect(m_base->systemRole, TQT_SIGNAL(activated(const TQString&)), this, TQT_SLOT(systemRoleChanged()));
connect(m_base->caRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaRegenerate()));
connect(m_base->caExport, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExport()));
connect(m_base->caExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExportKey()));
connect(m_base->caExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExportCert()));
connect(m_base->krbRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnkrbRegenerate()));
connect(m_base->krbExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnkrbExportKey()));
connect(m_base->krbExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnkrbExportCert()));
connect(m_base->ldapRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapRegenerate()));
connect(m_base->ldapExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportKey()));
connect(m_base->ldapExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportCert()));
connect(m_base->btnChangeLDAPRootPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeLDAPRootPassword()));
connect(m_base->btnChangeRealmAdminPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeRealmAdminPassword()));
connect(&m_certRefreshTimer, TQT_SIGNAL(timeout()), this, TQT_SLOT(updateCertDisplay()));
m_fqdn = LDAPManager::getMachineFQDN();
@ -125,10 +136,6 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
load();
if (getuid() != 0 || !m_systemconfig->checkConfigFilesWritable( true )) {
m_base->systemEnableSupport->setEnabled(false);
}
processLockouts();
};
@ -137,7 +144,7 @@ LDAPController::~LDAPController() {
void LDAPController::systemRoleChanged() {
if (m_base->systemRole->currentItem() != m_prevRole) {
if (m_base->systemRole->currentItem() == ROLE_REALM_CONTROLLER) {
if (m_base->systemRole->currentItem() == ROLE_PRIMARY_REALM_CONTROLLER) {
// Verify that this workstation was not already bonded to an LDAP realm!
bool bonded = false;
TQStringList cfgRealms = m_systemconfig->groupList();
@ -174,15 +181,77 @@ void LDAPController::systemRoleChanged() {
load();
}
}
if (m_base->systemRole->currentItem() == ROLE_WORKSTATION) {
else if (m_base->systemRole->currentItem() == ROLE_SECONDARY_REALM_CONTROLLER) {
// RAJA FIXME
KMessageBox::error(0, i18n("<qt>Secondary realm controller support is not yet available<p>If you want to see it implemented, contact the Trinity Desktop developers</qt>"), i18n("Feature Not Yet Available"));
m_base->systemRole->setCurrentItem(m_prevRole);
}
else if (m_base->systemRole->currentItem() == ROLE_WORKSTATION) {
if (KMessageBox::warningYesNo(this, i18n("<qt><b>WARNING</b><br>You are attempting to demote a realm controller<p>This action will <b>PERMANENTLY DESTROY</b> the realm directory stored on this machine<p>If you do not want to do this, select <b>Cancel</b> below</qt>"), i18n("Are you absolutely sure?"), TQString("Continue"), TQString("Cancel")) == KMessageBox::Yes) {
ProcessingDialog pdialog(this);
pdialog.setStatusMessage(i18n("Preparing to demote primary realm controller..."));
pdialog.raise();
pdialog.setActiveWindow();
tqApp->processEvents();
save();
pdialog.setStatusMessage(i18n("Stopping servers..."));
// Stop SASL
if (controlSASLServer(SC_STOP) != 0) {
//
}
// Stop Heimdal
if (controlHeimdalServer(SC_STOP) != 0) {
//
}
// Stop slapd
if (controlLDAPServer(SC_STOP) != 0) {
//
}
pdialog.setStatusMessage(i18n("Purging LDAP database..."));
tqApp->processEvents();
controlHeimdalServer(SC_PURGE);
controlLDAPServer(SC_PURGE);
pdialog.setStatusMessage(i18n("Purging local configuration..."));
tqApp->processEvents();
system(TQString("rm -rf %1").arg(TDE_CERTIFICATE_DIR));
// Write the TDE realm configuration file
LDAPRealmConfigList realms;
LDAPManager::writeTDERealmList(realms, m_systemconfig);
m_systemconfig->deleteEntry("DefaultRealm");
m_systemconfig->sync();
pdialog.closeDialog();
load();
}
else {
m_base->systemRole->setCurrentItem(m_prevRole);
}
}
}
}
void LDAPController::processLockouts() {
bool enabled = (m_base->systemEnableSupport->isEnabled() && m_base->systemEnableSupport->isChecked());
bool enabled = true;
bool canChangeLDAPEnabled = true;
if (getuid() != 0 || !m_systemconfig->checkConfigFilesWritable( true )) {
canChangeLDAPEnabled = false;
enabled = false;
}
if (m_base->systemRole->currentItem() != ROLE_WORKSTATION) {
canChangeLDAPEnabled = false;
}
m_base->systemEnableSupport->setEnabled(canChangeLDAPEnabled);
m_base->systemRole->setEnabled(enabled);
}
@ -201,8 +270,8 @@ void LDAPController::load() {
if (!thisIsMyMachine) {
ldapRole = "Workstation";
}
if (ldapRole == "Realm Controller") {
m_base->systemRole->setCurrentItem(ROLE_REALM_CONTROLLER);
if (ldapRole == "Primary Realm Controller") {
m_base->systemRole->setCurrentItem(ROLE_PRIMARY_REALM_CONTROLLER);
}
else {
m_base->systemRole->setCurrentItem(ROLE_WORKSTATION);
@ -219,28 +288,141 @@ void LDAPController::load() {
m_certconfig.commonName = m_systemconfig->readEntry("commonName");
m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress");
m_realmconfig = LDAPManager::readTDERealmList(m_systemconfig, !thisIsMyMachine);
if (!thisIsMyMachine) {
LDAPManager::writeTDERealmList(m_realmconfig, m_systemconfig);
}
m_systemconfig->setGroup(NULL);
m_defaultRealm = m_systemconfig->readEntry("DefaultRealm");
if (m_base->systemRole->currentItem() == ROLE_REALM_CONTROLLER) {
if (m_base->systemRole->currentItem() == ROLE_PRIMARY_REALM_CONTROLLER) {
m_base->groupRealmController->show();
m_base->groupRealmCertificates->show();
m_base->realmName->setText(m_systemconfig->readEntry("DefaultRealm"));
m_base->caExpiryString->setText("Expires " + LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE).toString());
// RAJA FIXME
m_base->realmName->setText(m_defaultRealm);
// Display builtin account and group names, and provide a password reset button for each builtin user (yes, this includes the LDAP admin account!)
// FIXME
// root account should not be locked to "admin"!
// when fixing, please fix the other instance of locked "admin" in realmwizard.cpp ::accept()
m_base->ldapRootUser->setText(TQString("cn=%1,").arg("admin") + LDAPManager::ldapdnForRealm(m_defaultRealm));
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
credentials->realm = realmname;
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
TQString errorstring;
LDAPTDEBuiltinsInfo builtins = ldap_mgr->getTDEBuiltinMappings(&errorstring);
delete ldap_mgr;
delete credentials;
m_base->realmAdminUser->setText(LDAPManager::cnFromDn(builtins.builtinRealmAdminAccount));
m_base->realmAdminGroup->setText(LDAPManager::cnFromDn(builtins.builtinRealmAdminGroup));
m_base->realmMachineAdminGroup->setText(LDAPManager::cnFromDn(builtins.builtinMachineAdminGroup));
m_base->realmStandardUserGroup->setText(LDAPManager::cnFromDn(builtins.builtinStandardUserGroup));
updateCertDisplay();
m_certRefreshTimer.start(60*1000);
}
else {
m_base->groupRealmController->hide();
m_base->groupRealmCertificates->hide();
m_certRefreshTimer.stop();
}
processLockouts();
}
#define CERT_STATUS_COLOR_ACTIVE TQColor(0, 128, 0)
#define CERT_STATUS_COLOR_STALE TQColor(128, 64, 0)
#define CERT_STATUS_COLOR_EXPIRED TQColor(128, 0, 0)
#define CERT_STATUS_COLOR_NOTFOUND CERT_STATUS_COLOR_EXPIRED
void LDAPController::updateCertDisplay() {
TQDateTime certExpiry;
TQDateTime now = TQDateTime::currentDateTime();
TQDateTime soon = now.addDays(7);
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc);
TQString ldap_certfile = LDAP_CERT_FILE;
ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server);
// Certificate Authority
if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
if (certExpiry >= now) {
m_base->caExpiryString->setText("Expires " + certExpiry.toString());
if (certExpiry >= soon) {
m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE);
}
else {
m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE);
}
}
else {
m_base->caExpiryString->setText("Expired " + certExpiry.toString());
m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED);
}
}
else {
m_base->caExpiryString->setText("File not found");
m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND);
}
// Kerberos
if (TQFile::exists(kdc_certfile)) {
certExpiry = LDAPManager::getCertificateExpiration(kdc_certfile);
if (certExpiry >= now) {
m_base->krbExpiryString->setText("Expires " + certExpiry.toString());
if (certExpiry >= soon) {
m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE);
}
else {
m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE);
}
}
else {
m_base->krbExpiryString->setText("Expired " + certExpiry.toString());
m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED);
}
}
else {
m_base->krbExpiryString->setText("File not found");
m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND);
}
// LDAP
if (TQFile::exists(kdc_certfile)) {
certExpiry = LDAPManager::getCertificateExpiration(ldap_certfile);
if (certExpiry >= now) {
m_base->ldapExpiryString->setText("Expires " + certExpiry.toString());
if (certExpiry >= soon) {
m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE);
}
else {
m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE);
}
}
else {
m_base->ldapExpiryString->setText("Expired " + certExpiry.toString());
m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED);
}
}
else {
m_base->ldapExpiryString->setText("File not found");
m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND);
}
}
void LDAPController::btncaRegenerate() {
LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
TQString realmname = m_systemconfig->readEntry("DefaultRealm").upper();
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
@ -256,7 +438,16 @@ void LDAPController::btncaRegenerate() {
load();
}
void LDAPController::btncaExport() {
void LDAPController::btncaExportKey() {
KURL src = KERBEROS_PKI_PEMKEY_FILE;
KURL dest = KFileDialog::getSaveURL(TQString::null, "*.key|Private Key (*.key)", this, i18n("Select a location to save a copy of the private key..."));
if (!dest.isEmpty()) {
KIO::CopyJob* job = KIO::copy(src, dest, true);
connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*)));
}
}
void LDAPController::btncaExportCert() {
KURL src = KERBEROS_PKI_PEM_FILE;
KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate..."));
if (!dest.isEmpty()) {
@ -265,12 +456,165 @@ void LDAPController::btncaExport() {
}
}
void LDAPController::btnkrbRegenerate() {
LDAPManager::generatePublicKerberosCertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
load();
}
void LDAPController::btnkrbExportKey() {
TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE;
kdc_keyfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc);
KURL src = kdc_keyfile;
KURL dest = KFileDialog::getSaveURL(TQString::null, "*.key|Private Key (*.key)", this, i18n("Select a location to save a copy of the private key..."));
if (!dest.isEmpty()) {
KIO::CopyJob* job = KIO::copy(src, dest, true);
connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*)));
}
}
void LDAPController::btnkrbExportCert() {
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc);
KURL src = kdc_certfile;
KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate..."));
if (!dest.isEmpty()) {
KIO::CopyJob* job = KIO::copy(src, dest, true);
connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*)));
}
}
void LDAPController::btnldapRegenerate() {
struct stat sb;
uid_t slapd_uid = 0;
gid_t slapd_gid = 0;
// Get LDAP user uid/gid
struct passwd *pwd;
pwd = getpwnam(m_ldapUserName);
slapd_uid = pwd->pw_uid;
slapd_gid = pwd->pw_gid;
LDAPManager::generatePublicLDAPCertificate(m_certconfig, m_realmconfig[m_defaultRealm], slapd_uid, slapd_gid);
load();
}
void LDAPController::btnldapExportKey() {
TQString ldap_keyfile = LDAP_CERTKEY_FILE;
ldap_keyfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server);
KURL src = ldap_keyfile;
KURL dest = KFileDialog::getSaveURL(TQString::null, "*.key|Private Key (*.key)", this, i18n("Select a location to save a copy of the private key..."));
if (!dest.isEmpty()) {
KIO::CopyJob* job = KIO::copy(src, dest, true);
connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*)));
}
}
void LDAPController::btnldapExportCert() {
TQString ldap_certfile = LDAP_CERT_FILE;
ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server);
KURL src = ldap_certfile;
KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate..."));
if (!dest.isEmpty()) {
KIO::CopyJob* job = KIO::copy(src, dest, true);
connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*)));
}
}
void LDAPController::slotCertCopyResult(KIO::Job* job) {
if (job->error()) {
job->showErrorDialog(this);
}
}
void LDAPController::btnChangeLDAPRootPassword() {
// NOTE
// There is (currently) no good way to replace the root password
// This convoluted procedure is (currently) the best I can do...
bool ret = false;
TQCString rootPassword;
int result = KPasswordDialog::getNewPassword(rootPassword, i18n("Please enter the new LDAP root password:"));
if (result == KPasswordDialog::Accepted) {
SHA1 sha;
sha.process(rootPassword, strlen(rootPassword));
TQString rootpw_hash = sha.base64Hash();
TQString oldconfigfilename = "/etc/ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif.bkp").arg(1);
TQString newconfigfilename = "/etc/ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(1);
if (controlLDAPServer(SC_STOP) == 0) {
rename(newconfigfilename.ascii(), oldconfigfilename.ascii());
TQFile ifile(oldconfigfilename);
TQFile ofile(newconfigfilename);
if (ifile.open(IO_ReadOnly)) {
if (ofile.open(IO_WriteOnly)) {
TQString line;
TQTextStream istream(&ifile);
TQTextStream ostream(&ofile);
while (!istream.atEnd()) {
line = istream.readLine();
if (line.startsWith("olcRootPW:")) {
ostream << "olcRootPW: {SHA}" << rootpw_hash << "\n";
}
else {
ostream << line << "\n";
}
}
ifile.close();
unlink(oldconfigfilename);
ofile.close();
if (controlLDAPServer(SC_START) == 0) {
ret = true;
}
}
else {
ifile.close();
rename(oldconfigfilename.ascii(), newconfigfilename.ascii());
}
}
else {
rename(oldconfigfilename.ascii(), newconfigfilename.ascii());
}
}
if (!ret) {
KMessageBox::error(0, i18n("<qt>Unable to modify LDAP root password<p>Your LDAP server may now be in an inconsistent or disabled state</qt>"), i18n("Internal Failure"));
}
}
}
void LDAPController::btnChangeRealmAdminPassword() {
TQCString adminPassword;
int result = KPasswordDialog::getNewPassword(adminPassword, i18n("Please enter the new realm administrator password:"));
if (result == KPasswordDialog::Accepted) {
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
credentials->realm = realmname;
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
TQString errorstring;
LDAPTDEBuiltinsInfo builtins = ldap_mgr->getTDEBuiltinMappings(&errorstring);
LDAPUserInfo adminuserinfo = ldap_mgr->getUserByDistinguishedName(builtins.builtinRealmAdminAccount);
if (adminuserinfo.informationValid) {
adminuserinfo.new_password = adminPassword;
ldap_mgr->setPasswordForUser(adminuserinfo, &errorstring);
}
delete ldap_mgr;
delete credentials;
}
}
void LDAPController::defaults() {
//
}
@ -278,6 +622,7 @@ void LDAPController::defaults() {
void LDAPController::save() {
m_systemconfig->setGroup(NULL);
m_systemconfig->writeEntry("EnableLDAP", m_base->systemEnableSupport->isChecked());
m_systemconfig->writeEntry("HostFQDN", m_fqdn);
m_systemconfig->writeEntry("LDAPRole", m_base->systemRole->currentText());
// Write cert config
@ -371,7 +716,6 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
}
ostream << line << "\n";
}
ifile.close();
ofile.close();
// Set permissions
@ -383,6 +727,7 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
//KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(outfile), i18n("Internal Failure"));
printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n\r", outfile.ascii()); fflush(stdout);
}
ifile.close();
}
else {
//KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
@ -796,14 +1141,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
chmod(kdc_keyfile.ascii(), S_IRUSR|S_IWUSR);
chown(kdc_keyfile.ascii(), 0, 0);
command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
system(command);
command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE);
system(command);
chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
chown(kdc_certfile.ascii(), 0, 0);
unlink(kdc_reqfile.ascii());
unlink(OPENSSL_EXTENSIONS_FILE);
LDAPManager::generatePublicKerberosCertificate(certinfo, realmconfig);
// LDAP certificate
TQString ldap_certfile = LDAP_CERT_FILE;
@ -817,13 +1155,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
chmod(ldap_keyfile.ascii(), S_IRUSR|S_IWUSR);
chown(ldap_keyfile.ascii(), ldap_uid, ldap_gid);
command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmconfig.admin_server).arg(certinfo.emailAddress);
system(command);
command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile);
system(command);
chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
chown(ldap_certfile.ascii(), ldap_uid, ldap_gid);
unlink(ldap_reqfile.ascii());
LDAPManager::generatePublicLDAPCertificate(certinfo, realmconfig, ldap_uid, ldap_gid);
return 0;
}
@ -841,6 +1173,8 @@ int LDAPController::uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString*
return -1;
}
// #define STRICT_SETUP 1
int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) {
int ldifSchemaNumber;
@ -874,21 +1208,27 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
// Stop SASL
if (controlSASLServer(SC_STOP) != 0) {
#ifdef STRICT_SETUP
if (errstr) *errstr = i18n("Unable to stop SASL server");
pdialog.closeDialog();
return -1;
#endif // STRICT_SETUP
}
// Stop Heimdal
if (controlHeimdalServer(SC_STOP) != 0) {
#ifdef STRICT_SETUP
if (errstr) *errstr = i18n("Unable to stop Kerberos server");
pdialog.closeDialog();
return -1;
#endif // STRICT_SETUP
}
// Stop slapd
if (controlLDAPServer(SC_STOP) != 0) {
#ifdef STRICT_SETUP
if (errstr) *errstr = i18n("Unable to stop LDAP server");
pdialog.closeDialog();
return -1;
#endif // STRICT_SETUP
}
pdialog.setStatusMessage(i18n("Purging existing LDAP database..."));
@ -1000,6 +1340,8 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
chmod(TQString(SASL_DEFAULT_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
chmod(TQString(SASL_CONTROL_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
chmod(TQString(OPENSSL_EXTENSIONS_FILE).ascii(), S_IRUSR|S_IWUSR);
pdialog.setStatusMessage(i18n("Installing realm certificates..."));
tqApp->processEvents();
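Review bot: In btnChangeLDAPRootPassword the rewritten `olcDatabase={1}hdb.ldif` is created via `ofile.open(IO_WriteOnly)`, so it gets umask-default mode and the caller's ownership instead of the mode and owner of the original cn=config entry; the file holding the new root-password hash can therefore end up readable to other local users or unreadable to the account slapd runs as, and the fix is to `stat` the original before the `rename` and restore owner/mode on the new file, tightening the mode as soon as it is opened (fence below). The value written is an unsalted `{SHA}` digest; OpenLDAP's salted `{SSHA}` scheme is the stronger choice for `olcRootPW`, and `rootPassword` should be cleared once hashed. Two smaller defects in the same section: `updateCertDisplay` tests `TQFile::exists(kdc_certfile)` in its LDAP branch where `ldap_certfile` is meant, and `btnldapRegenerate` dereferences the result of `getpwnam(m_ldapUserName)` without a null check, which crashes when that account does not exist.
```cpp
if (controlLDAPServer(SC_STOP) == 0) {
	struct stat origsb;
	bool haveOrigStat = (stat(newconfigfilename.ascii(), &origsb) == 0);
	rename(newconfigfilename.ascii(), oldconfigfilename.ascii());
	TQFile ifile(oldconfigfilename);
	TQFile ofile(newconfigfilename);
	if (ifile.open(IO_ReadOnly)) {
		if (ofile.open(IO_WriteOnly)) {
			// The new file carries the root-password hash: never leave it world-readable, even briefly
			chmod(newconfigfilename.ascii(), S_IRUSR|S_IWUSR);
			// … unchanged: copy lines, rewriting olcRootPW …
			ifile.close();
			unlink(oldconfigfilename);
			ofile.close();
			if (haveOrigStat) {
				// Hand the rewritten entry back to the owner/mode the original cn=config file had
				chown(newconfigfilename.ascii(), origsb.st_uid, origsb.st_gid);
				chmod(newconfigfilename.ascii(), origsb.st_mode & 07777);
			}
			// … unchanged: restart slapd, set ret …
```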

@ -29,6 +29,7 @@
#include <kglobalsettings.h>
#include <tqpushbutton.h>
#include <tqcombobox.h>
#include <tqtimer.h>
#include <kio/jobclasses.h>
#include <libtdeldap.h>
@ -64,11 +65,22 @@ class LDAPController: public KCModule
private slots:
void systemRoleChanged();
void processLockouts();
void updateCertDisplay();
void btncaRegenerate();
void btncaExport();
void btncaExportKey();
void btncaExportCert();
void btnkrbRegenerate();
void btnkrbExportKey();
void btnkrbExportCert();
void btnldapRegenerate();
void btnldapExportKey();
void btnldapExportCert();
void slotCertCopyResult(KIO::Job*);
void btnChangeLDAPRootPassword();
void btnChangeRealmAdminPassword();
private:
int controlKAdminDaemon(sc_command command);
int controlSASLServer(sc_command command);
@ -93,6 +105,10 @@ class LDAPController: public KCModule
TQString m_ldapGroupName;
LDAPCertConfig m_certconfig;
TQString m_defaultRealm;
LDAPRealmConfigList m_realmconfig;
TQTimer m_certRefreshTimer;
};
#endif // _LDAPCONTROLLER_H_

@ -92,6 +92,87 @@
<cstring>realmName</cstring>
</property>
</widget>
<widget class="TQLabel" row="1" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
<property name="text">
<cstring>LDAP Root User:</cstring>
</property>
</widget>
<widget class="TQLabel" row="1" column="1" colspan="1">
<property name="name">
<cstring>ldapRootUser</cstring>
</property>
</widget>
<widget class="TQPushButton" row="1" column="2" colspan="1">
<property name="name">
<cstring>btnChangeLDAPRootPassword</cstring>
</property>
<property name="text">
<cstring>Change Password</cstring>
</property>
</widget>
<widget class="TQLabel" row="2" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
<property name="text">
<cstring>Realm Administrative User:</cstring>
</property>
</widget>
<widget class="TQLabel" row="2" column="1" colspan="1">
<property name="name">
<cstring>realmAdminUser</cstring>
</property>
</widget>
<widget class="TQPushButton" row="2" column="2" colspan="1">
<property name="name">
<cstring>btnChangeRealmAdminPassword</cstring>
</property>
<property name="text">
<cstring>Change Password</cstring>
</property>
</widget>
<widget class="TQLabel" row="3" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
<property name="text">
<cstring>Realm Administrative Group:</cstring>
</property>
</widget>
<widget class="TQLabel" row="3" column="1" colspan="1">
<property name="name">
<cstring>realmAdminGroup</cstring>
</property>
</widget>
<widget class="TQLabel" row="4" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
<property name="text">
<cstring>Machine Administrative Group:</cstring>
</property>
</widget>
<widget class="TQLabel" row="4" column="1" colspan="1">
<property name="name">
<cstring>realmMachineAdminGroup</cstring>
</property>
</widget>
<widget class="TQLabel" row="5" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
<property name="text">
<cstring>Standard User Group:</cstring>
</property>
</widget>
<widget class="TQLabel" row="5" column="1" colspan="1">
<property name="name">
<cstring>realmStandardUserGroup</cstring>
</property>
</widget>
</grid>
</widget>
<widget class="TQGroupBox" row="2" column="0">
@ -113,12 +194,12 @@
<cstring>Certificate Authority:</cstring>
</property>
</widget>
<widget class="TQLabel" row="0" column="1" colspan="1">
<widget class="TQLabel" row="1" column="0" colspan="1">
<property name="name">
<cstring>caExpiryString</cstring>
</property>
</widget>
<widget class="TQPushButton" row="0" column="2" colspan="1">
<widget class="TQPushButton" row="0" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>caRegenerate</cstring>
</property>
@ -126,12 +207,94 @@
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
<widget class="TQPushButton" row="0" column="3" colspan="1">
<widget class="TQPushButton" row="0" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>caExportKey</cstring>
</property>
<property name="text">
<cstring>Export Private Key</cstring>
</property>
</widget>
<widget class="TQPushButton" row="0" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>caExportCert</cstring>
</property>
<property name="text">
<cstring>Export Public Certificate</cstring>
</property>
</widget>
<widget class="TQLabel" row="2" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
<property name="text">
<cstring>Kerberos:</cstring>
</property>
</widget>
<widget class="TQLabel" row="3" column="0" colspan="1">
<property name="name">
<cstring>krbExpiryString</cstring>
</property>
</widget>
<widget class="TQPushButton" row="2" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>krbRegenerate</cstring>
</property>
<property name="text">
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
<widget class="TQPushButton" row="2" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>krbExportKey</cstring>
</property>
<property name="text">
<cstring>Export Private Key</cstring>
</property>
</widget>
<widget class="TQPushButton" row="2" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>krbExportCert</cstring>
</property>
<property name="text">
<cstring>Export Public Certificate</cstring>
</property>
</widget>
<widget class="TQLabel" row="4" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
<property name="text">
<cstring>LDAP TLS:</cstring>
</property>
</widget>
<widget class="TQLabel" row="5" column="0" colspan="1">
<property name="name">
<cstring>ldapExpiryString</cstring>
</property>
</widget>
<widget class="TQPushButton" row="4" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>ldapRegenerate</cstring>
</property>
<property name="text">
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
<widget class="TQPushButton" row="4" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>ldapExportKey</cstring>
</property>
<property name="text">
<cstring>Export Private Key</cstring>
</property>
</widget>
<widget class="TQPushButton" row="4" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>caExport</cstring>
<cstring>ldapExportCert</cstring>
</property>
<property name="text">
<cstring>Export Certificate</cstring>
<cstring>Export Public Certificate</cstring>
</property>
</widget>
</grid>

@ -239,8 +239,9 @@ void RealmWizard::accept() {
// Try to create realm
TQString errorString;
// RAJA FIXME
// FIXME
// root account should not be locked to "admin"!
// when fixing, please fix the other instance of locked "admin" in ldapcontroller.cpp ::load()
backButton()->setEnabled(false);
nextButton()->setEnabled(false);
finishButton()->setEnabled(false);
