Store CRL expiry in LDAP

9 years ago · 62a8d5e8c2
parent d21c892313
commit 62a8d5e8c2
2 changed files with 18 additions and 11 deletions
--- a/confskel/openldap/ldif/tde-core.ldif
+++ b/confskel/openldap/ldif/tde-core.ldif
@ -29,10 +29,11 @@ olcAttributeTypes: {19} ( 1.3.6.1.4.1.40364.1.1.20 NAME 'publicRootCertificateOr
 # Used for storing PKI user certificates and certificate status
 olcAttributeTypes: {20} ( 1.3.6.1.4.1.40364.1.1.21 NAME 'pkiCertificate' DESC 'User PKI certificate and status encoded with text mode TQDataStream TQPair<uint32_t, TQByteArray>' SUP name )
 olcAttributeTypes: {21} ( 1.3.6.1.4.1.40364.1.1.22 NAME 'publicRootCertificateRevocationList' DESC 'Certificate authority root certificate revocation list' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )
+olcAttributeTypes: {22} ( 1.3.6.1.4.1.40364.1.1.23 NAME 'publicRootCRLIntervalDays' DESC 'Certificate authority root CRL update interval in days' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 olcObjectClasses: {0} ( 1.3.6.1.4.1.40364.1.2.1 NAME 'tdeExtendedUserData' SUP top AUXILIARY MAY ( website
 URL $ managerName $ secretaryName $ teletexId $ preferredDelivery $ locallyUniqueID $ notes $ pwdLastSet $ badPwdCount $ badPasswordTime $ lastLogon $ lastLogoff ) )
 olcObjectClasses: {1} ( 1.3.6.1.4.1.40364.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ pkiCertificate ) )
-olcObjectClasses: {2} ( 1.3.6.1.4.1.40364.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey $ publicRootCertificateRevocationList $ publicRootCertificateOriginServer ) )
+olcObjectClasses: {2} ( 1.3.6.1.4.1.40364.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey $ publicRootCertificateRevocationList $ publicRootCRLIntervalDays $ publicRootCertificateOriginServer ) )
 olcObjectClasses: {3} ( 1.3.6.1.4.1.40364.1.2.4 NAME 'tdeBuiltinStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ builtinRealmAdminAccount $ builtinRealmAdminGroup $ builtinMachineAdminGroup $ builtinStandardUserGroup ) )
 structuralObjectClass: olcSchemaConfig
 creatorsName: cn=config
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@ -147,7 +147,7 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
 	connect(m_base->multiMasterReplicationMappings, TQT_SIGNAL(executed(TQListViewItem*)), this, TQT_SLOT(modifySelectedMultiMasterReplication()));

 	connect(m_base->advancedCaCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(caCertExpiryChanged()));
-	connect(m_base->advancedCaCrlExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(caCrlCertExpiryChanged()));
+	connect(m_base->advancedCaCrlExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(caCrlExpiryChanged()));
 	connect(m_base->advancedKerberosCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(kerberosCertExpiryChanged()));
 	connect(m_base->advancedLdapCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(ldapCertExpiryChanged()));

@ -767,7 +767,7 @@ void LDAPController::btncrlRegenerate() {
 	credentials->realm = realmname;
 	LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);

-	if (ldap_mgr->generatePKICRL(m_certconfig.caCrlExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errstr) != 0) {
+	if (ldap_mgr->generatePKICRL(m_certconfig.caCrlExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_CRL_FILE, KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errstr) != 0) {
 		KMessageBox::error(this, i18n("<qt><b>Unable to regenerate CRL</b><p>Details: %1</qt>").arg(errstr), i18n("Unable to Regenerate CRL"));
 	}

@ -1039,17 +1039,21 @@ void LDAPController::save() {

 	m_systemconfig->sync();

-	// If role was not changed, update any role-specific advanced settings
-	if (prevRole == m_systemconfig->readEntry("LDAPRole", "Workstation")) {
-		if (m_base->systemRole->currentItem() == ROLE_PRIMARY_REALM_CONTROLLER) {
+	TQString errorstring;
 	TQString realmname = m_defaultRealm.upper();
 	LDAPCredentials* credentials = new LDAPCredentials;
 	credentials->username = "";
 	credentials->password = "";
 	credentials->realm = realmname;
 	LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
-			TQString errorstring;

+	if (ldap_mgr->setLdapCertificateStoreAttribute("publicRootCRLIntervalDays", TQString("%1").arg(m_certconfig.caCrlExpiryDays), &errorstring) != 0) {
+		KMessageBox::error(this, i18n("<qt><b>Unable to update CRL interval entry in LDAP database</b><p>Details: %1</qt>").arg(errorstring), i18n("LDAP Update Failure"));
+	}
+
+	// If role was not changed, update any role-specific advanced settings
+	if (prevRole == m_systemconfig->readEntry("LDAPRole", "Workstation")) {
+		if (m_base->systemRole->currentItem() == ROLE_PRIMARY_REALM_CONTROLLER) {
 			// Write multi-master replication settings
 			LDAPMasterReplicationInfo replicationSettings;
 			replicationSettings.enabled = m_base->advancedEnableMultiMasterReplication->isChecked();
@ -1079,6 +1083,8 @@ void LDAPController::save() {
 		}
 	}

+	delete ldap_mgr;
+
 	load();
 }