Add standard user group, certificates, etc

13 years ago · 4f186beefc
parent be70ba63c2
commit 4f186beefc
7 changed files with 118 additions and 43 deletions
--- a/confskel/openldap/ldif/tde-core.ldif
+++ b/confskel/openldap/ldif/tde-core.ldif
@ -17,7 +17,13 @@ olcAttributeTypes: {11} ( 1.3.6.1.4.1.99999.1.1.12 NAME 'lastLogon' DESC 'Timest
 olcAttributeTypes: {12} ( 1.3.6.1.4.1.99999.1.1.13 NAME 'lastLogoff' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 # Used for storing sharable certificates and keys
 olcAttributeTypes: {13} ( 1.3.6.1.4.1.99999.1.1.14 NAME 'publicRootCertificate' DESC 'Certificate authority root certificate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )
+# Used for storing builtin user/group names
+olcAttributeTypes: {14} ( 1.3.6.1.4.1.99999.1.1.15 NAME 'builtinRealmAdminAccount' DESC 'Built-in realm administrative account distinguished name' SUP name )
+olcAttributeTypes: {15} ( 1.3.6.1.4.1.99999.1.1.16 NAME 'builtinRealmAdminGroup' DESC 'Built-in realm administrative group distinguished name' SUP name )
+olcAttributeTypes: {16} ( 1.3.6.1.4.1.99999.1.1.17 NAME 'builtinMachineAdminGroup' DESC 'Built-in local machine administrative group distinguished name' SUP name )
+olcAttributeTypes: {17} ( 1.3.6.1.4.1.99999.1.1.18 NAME 'builtinStandardUserGroup' DESC 'Built-in standard user group distinguished name' SUP name )
 olcObjectClasses: {0} ( 1.3.6.1.4.1.99999.1.2.1 NAME 'tdeExtendedUserData' SUP top AUXILIARY MAY ( website
 URL $ managerName $ secretaryName $ teletexId $ preferredDelivery $ locallyUniqueID $ notes $ pwdLastSet $ badPwdCount $ badPasswordTime $ lastLogon $ lastLogoff ) )
 olcObjectClasses: {1} ( 1.3.6.1.4.1.99999.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY tdeBuiltinAccount )
-olcObjectClasses: {2} ( 1.3.6.1.4.1.99999.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate ) )
+olcObjectClasses: {2} ( 1.3.6.1.4.1.99999.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate ) )
+olcObjectClasses: {3} ( 1.3.6.1.4.1.99999.1.2.4 NAME 'tdeBuiltinStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ builtinRealmAdminAccount $ builtinRealmAdminGroup $ builtinMachineAdminGroup $ builtinStandardUserGroup ) )
--- a/confskel/openldap/skel.ldif
+++ b/confskel/openldap/skel.ldif
@ -198,6 +198,32 @@ entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
 modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
 modifyTimestamp: @@@TIMESTAMP@@@Z

+dn: cn=@@@STANDARDUSERGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@
+cn: @@@STANDARDUSERGROUP@@@
+description: Standard Users
+emsdescription: Group
+emsplugins: PosixGroup
+emsplugins: KerberosGroup
+emstype: GroupEntry
+gidNumber: 901
+objectClass: groupOfNames
+objectClass: emsGroup
+objectClass: posixGroup
+objectClass: tdeAccountObject
+emsmodules: kerberos
+emsmodules: posix
+member: cn=placeholder,@@@REALM_DCNAME@@@
+member: uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@
+memberUid: @@@ADMINUSER@@@
+tdeBuiltinAccount: TRUE
+emsmodelclass: EMSGroup
+structuralObjectClass: groupOfNames
+creatorsName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
+createTimestamp: @@@TIMESTAMP@@@Z
+entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
+modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
+modifyTimestamp: @@@TIMESTAMP@@@Z
+
 dn: ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@
 emscontainertype: EUserContainer
 emsdescription: EMS User Container
@ -265,4 +291,21 @@ creatorsName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
 createTimestamp: @@@TIMESTAMP@@@Z
 entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
 modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
+modifyTimestamp: @@@TIMESTAMP@@@Z
+
+dn: cn=builtin mappings,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,@@@REALM_DCNAME@@@
+cn: builtin mappings
+description: TDE Builtin Mappings
+objectClass: tdeBuiltinStore
+objectClass: applicationProcess
+tdeBuiltinAccount: TRUE
+structuralObjectClass: applicationProcess
+builtinRealmAdminAccount: cn=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@
+builtinRealmAdminGroup: cn=@@@ADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@
+builtinMachineAdminGroup: cn=@@@LOCALADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@
+builtinStandardUserGroup: cn=@@@STANDARDUSERGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@
+creatorsName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
+createTimestamp: @@@TIMESTAMP@@@Z
+entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
+modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
 modifyTimestamp: @@@TIMESTAMP@@@Z
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@ -67,10 +67,6 @@
 #define SASL_CONTROL_FILE "/etc/ldap/sasl2/slapd.conf"

 #define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl"
-#define TDE_CERTIFICATE_DIR "/etc/trinity/ldap/tde-ca/"
-#define KERBEROS_PKI_ANCHORDIR "/etc/trinity/ldap/tde-ca/anchors/"
-#define KERBEROS_PKI_PRIVATEDIR "/etc/trinity/ldap/tde-ca/private/"
-#define KERBEROS_PKI_PUBLICDIR "/etc/trinity/ldap/tde-ca/public/"
 #define KERBEROS_PKI_PEM_FILE KERBEROS_PKI_ANCHORDIR "tdeca.pem"
 #define KERBEROS_PKI_PEMKEY_FILE KERBEROS_PKI_ANCHORDIR "tdeca.key.pem"
 #define KERBEROS_PKI_KDC_FILE KERBEROS_PKI_PUBLICDIR "@@@KDCSERVER@@@.pki.crt"
@ -266,7 +262,7 @@ void LDAPController::save() {
 	load();
 }

-void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, int ldifSchemaNumber=-1, uid_t userid=-1, gid_t groupid=-1, TQString ldapusername=TQString::null, TQString ldapgroupname=TQString::null) {
+void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, int ldifSchemaNumber=-1, uid_t userid=-1, gid_t groupid=-1, TQString ldapusername=TQString::null, TQString ldapgroupname=TQString::null) {
 	SHA1 sha;
 	sha.process(rootPassword, strlen(rootPassword));
 	TQString rootpw_hash = sha.base64Hash();
@ -315,6 +311,7 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
 				line.replace("@@@ADMINUSER@@@", adminUserName);
 				line.replace("@@@ADMINGROUP@@@", adminGroupName);
 				line.replace("@@@LOCALADMINGROUP@@@", machineAdminGroupName);
+				line.replace("@@@STANDARDUSERGROUP@@@", standardUserGroupName);
 				line.replace("@@@ADMINPW_SHA@@@", adminpw_hash);
 				line.replace("@@@PKINIT_REQUIRE_EKU@@@", (realmconfig.pkinit_require_eku)?"yes":"no");
 				line.replace("@@@PKINIT_REQUIRE_KRBTGT_OTHERNAME@@@", (realmconfig.pkinit_require_krbtgt_otherName)?"yes":"no");
@ -799,7 +796,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
 	return 0;
 }

-int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) {
+int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) {
 	int ldifSchemaNumber;

 	ProcessingDialog pdialog(dialogparent);
@ -869,22 +866,22 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME
 	mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);

 	// Heimdal
-	replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", HEIMDAL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
-	replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", HEIMDAL_ACL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
-	replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
-	replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", HEIMDAL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", HEIMDAL_ACL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);

 	// OpenLDAP
-	replacePlaceholdersInFile(templateDir + "openldap/skel.ldif", configTempDir.name() + "skel.ldif", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
-// 	replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.conf", destDir + "ldap/slapd.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
-	replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.defaults", LDAP_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, -1, -1, m_ldapUserName, m_ldapGroupName);
+	replacePlaceholdersInFile(templateDir + "openldap/skel.ldif", configTempDir.name() + "skel.ldif", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);
+// 	replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.conf", destDir + "ldap/slapd.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.defaults", LDAP_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, -1, -1, -1, m_ldapUserName, m_ldapGroupName);

 	// SASL
-	replacePlaceholdersInFile(templateDir + "sasl/saslauthd.defaults", SASL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
-	replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "sasl/saslauthd.defaults", SASL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);

 	// OpenSSL
-	replacePlaceholdersInFile(templateDir + "openssl/pki_extensions", OPENSSL_EXTENSIONS_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "openssl/pki_extensions", OPENSSL_EXTENSIONS_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);

 	// FIXME
 	// This assumes Debian!
@ -914,35 +911,35 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME
 	// Can we do anything about this now?

 	// Base database configuration
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/config.ldif", destDir + "ldap/slapd.d/" + TQString("cn=config.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid);
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/schema.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("cn=schema.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/config.ldif", destDir + "ldap/slapd.d/" + TQString("cn=config.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/schema.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("cn=schema.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 0;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/olcConfig.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}config.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/moduleConfig.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("cn=module{%1}.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/olcConfig.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}config.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/moduleConfig.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("cn=module{%1}.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 1;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/olcDatabase.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/olcDatabase.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);

 	// Schema files
 	ldifSchemaNumber = 0;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 1;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/cosine.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}cosine.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/cosine.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}cosine.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 2;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/inetorgperson.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}inetorgperson.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/inetorgperson.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}inetorgperson.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 3;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/rfc2307bis.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}rfc2307bis.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/rfc2307bis.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}rfc2307bis.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 4;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/rfc2739.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}rfc2739.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/rfc2739.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}rfc2739.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 5;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/ppolicy.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}ppolicy.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/ppolicy.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}ppolicy.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 6;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/ems-core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}ems-core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/ems-core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}ems-core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 7;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/hdb.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/hdb.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 8;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/tde-core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}tde-core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/tde-core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}tde-core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 // 	ldifSchemaNumber = 9;
-// 	replacePlaceholdersInFile(templateDir + "openldap/ldif/samba.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}samba.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+// 	replacePlaceholdersInFile(templateDir + "openldap/ldif/samba.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}samba.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);

 	// Set permissions
 	chmod(TQString(HEIMDAL_DEFAULT_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
@ -1106,15 +1103,14 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME
 		}
 	}

-	delete ldap_mgr;
-	delete credentials;
-
 	// Set @@@ADMINUSER@@@ password in kadmin
 	LDAPCredentials adminuser;
 	adminuser.username = adminUserName;
 	adminuser.password = adminPassword;
 	adminuser.realm = realmconfig.name.upper();
 	if (setKerberosPasswordForUser(adminuser, &errorstring) != 0) {
+		delete ldap_mgr;
+		delete credentials;
 		if (errstr) *errstr = i18n("Unable to set user password in Kerberos database").append(errorstring);
 		pdialog.closeDialog();
 		return -1;
@ -1132,6 +1128,18 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME

 	LDAPManager::writeLDAPConfFile(realmconfig);

+	// Write the sudoers file
+	if (ldap_mgr->writeSudoersConfFile(&errorstring) != 0) {
+		delete ldap_mgr;
+		delete credentials;
+		if (errstr) *errstr = i18n("Unable to set local sudo rights").append(errorstring);
+		pdialog.closeDialog();
+		return -1;
+	}
+
+	delete ldap_mgr;
+	delete credentials;
+
 	pdialog.setStatusMessage(i18n("(Re)starting servers..."));
 	tqApp->processEvents();

@ -1161,6 +1169,9 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME
 		return -1;
 	}

+	// Write the NSS update crontab file and update NSS database
+	LDAPManager::writeCronFiles();
+
 	// RAJA FIXME
 	pdialog.closeDialog();
 }
--- a/src/ldapcontroller.h
+++ b/src/ldapcontroller.h
@ -79,7 +79,7 @@ class LDAPController: public KCModule
 		virtual const KAboutData *aboutData() const { return myAboutData; };

 	public:
-		int createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr);
+		int createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr);

 	private slots:
 		void systemRoleChanged();
--- a/src/realmfinishpage.cpp
+++ b/src/realmfinishpage.cpp
@ -45,6 +45,7 @@ RealmFinishPage::RealmFinishPage(TQWidget *parent, const char *name ) : RealmFin
 	connect(ldapAdminUsername, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries()));
 	connect(ldapAdminGroupname, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries()));
 	connect(ldapMachineAdminGroupname, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries()));
+	connect(ldapStandardUserGroupname, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries()));

 	m_parentWizard = dynamic_cast<KWizard*>(parent);
 	m_parentDialog = dynamic_cast<KDialogBase*>(parent);
@ -56,7 +57,7 @@ RealmFinishPage::~RealmFinishPage(){

 void RealmFinishPage::validateEntries() {
 	if (m_parentWizard) {
-		if ((ldapAdminUsername->text() != "") && (ldapAdminGroupname->text() != "") && (ldapMachineAdminGroupname->text() != "")) {
+		if ((ldapAdminUsername->text() != "") && (ldapAdminGroupname->text() != "") && (ldapMachineAdminGroupname->text() != "") && (ldapStandardUserGroupname->text() != "")) {
 			m_parentWizard->finishButton()->setEnabled(true);
 		}
 		else {
@ -64,7 +65,7 @@ void RealmFinishPage::validateEntries() {
 		}
 	}
 	if (m_parentDialog) {
-		if ((ldapAdminUsername->text() != "") && (ldapAdminGroupname->text() != "") && (ldapMachineAdminGroupname->text() != "")) {
+		if ((ldapAdminUsername->text() != "") && (ldapAdminGroupname->text() != "") && (ldapMachineAdminGroupname->text() != "") && (ldapStandardUserGroupname->text() != "")) {
 			m_parentDialog->enableButton(KDialogBase::Ok, true);
 		}
 		else {
--- a/src/realmfinishpagedlg.ui
+++ b/src/realmfinishpagedlg.ui
@ -8,7 +8,7 @@
 			<property name="name">
 				<cstring>unnamed</cstring>
 			</property>
-			<widget class="TQLabel" row="0" column="0" rowspan="10" colspan="1">
+			<widget class="TQLabel" row="0" column="0" rowspan="11" colspan="1">
 				<property name="name">
 					<cstring>px_introSidebar</cstring>
 				</property>
@ -125,15 +125,28 @@
 					<cstring>unnamed</cstring>
 				</property>
 				<property name="text">
-					<string>LDAP Realm</string>
+					<string>Standard User Group</string>
 				</property>
 			</widget>
 			<widget class="KLineEdit" row="7" column="2">
+				<property name="name">
+					<cstring>ldapStandardUserGroupname</cstring>
+				</property>
+			</widget>
+			<widget class="TQLabel" row="8" column="1">
+				<property name="name">
+					<cstring>unnamed</cstring>
+				</property>
+				<property name="text">
+					<string>LDAP Realm</string>
+				</property>
+			</widget>
+			<widget class="KLineEdit" row="8" column="2">
 				<property name="name">
 					<cstring>ldapAdminRealm</cstring>
 				</property>
 			</widget>
-			<spacer row="8" column="1">
+			<spacer row="9" column="1">
 				<property name="name">
 					<cstring>Spacer6</cstring>
 				</property>
@ -150,7 +163,7 @@
 					</size>
 				</property>
 			</spacer>
-			<spacer row="9" column="1">
+			<spacer row="10" column="1">
 				<property name="name">
 					<cstring>Spacer5</cstring>
 				</property>
--- a/src/realmwizard.cpp
+++ b/src/realmwizard.cpp
@ -98,6 +98,7 @@ RealmWizard::RealmWizard(LDAPController* controller, TQString fqdn, LDAPCertConf
 	certpage->generateKeysEnabled->setChecked(true);
 	finishpage->ldapAdminGroupname->setText("realmadmins");
 	finishpage->ldapMachineAdminGroupname->setText("machineadmins");
+	finishpage->ldapStandardUserGroupname->setText("standardusers");

 	// Load certificate info
 	certpage->organizationName->setText(m_certconfig.organizationName);
@ -244,7 +245,7 @@ void RealmWizard::accept() {
 	nextButton()->setEnabled(false);
 	finishButton()->setEnabled(false);
 	cancelButton()->setEnabled(false);
-	if (m_controller->createNewLDAPRealm(this, m_realmconfig, finishpage->ldapAdminUsername->text(), finishpage->ldapAdminGroupname->text(), finishpage->ldapMachineAdminGroupname->text(), finishpage->ldapAdminPassword->password(), "admin", finishpage->ldapAdminPassword->password(), finishpage->ldapAdminRealm->text(), m_certconfig, &errorString) == 0) {
+	if (m_controller->createNewLDAPRealm(this, m_realmconfig, finishpage->ldapAdminUsername->text(), finishpage->ldapAdminGroupname->text(), finishpage->ldapMachineAdminGroupname->text(), finishpage->ldapStandardUserGroupname->text(), finishpage->ldapAdminPassword->password(), "admin", finishpage->ldapAdminPassword->password(), finishpage->ldapAdminRealm->text(), m_certconfig, &errorString) == 0) {
 		done(0);
 	}
 	else {