Start working on kerberos

confskel/openldap/ldif/olcDatabase.ldif

@@ -4,11 +4,9 @@ objectClass: olcHdbConfig
 olcDatabase: {@@@LDIFSCHEMANUMBER@@@}hdb
 olcDbDirectory: /var/lib/ldap
 olcSuffix: @@@REALM_DCNAME@@@
-olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
+olcAccess: {0}to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags by self write by anonymous auth by dn="cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@" write by * none
- s auth by dn="cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@" write by * none
 olcAccess: {1}to dn.base="" by * read
-olcAccess: {2}to * by self write by dn="cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@" write by 
+olcAccess: {2}to * by self write by dn="cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@" write by * read
- * read
 olcLastMod: TRUE
 olcRootDN: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
 olcRootPW: {SHA}@@@ROOTPW_SHA@@@
@@ -18,6 +16,12 @@ olcDbConfig: {1}set_lk_max_objects 1500
 olcDbConfig: {2}set_lk_max_locks 1500
 olcDbConfig: {3}set_lk_max_lockers 1500
 olcDbIndex: objectClass eq
+olcDbIndex: krb5PrincipalName eq,pres
+olcDbIndex: cn eq,pres,subinitial
+olcDbIndex: mail eq,pres
+olcDbIndex: uid pres,eq
+olcDbIndex: uidNumber eq
+olcDbIndex: gidNumber eq
 structuralObjectClass: olcHdbConfig
 creatorsName: cn=config
 createTimestamp: @@@TIMESTAMP@@@Z

src/ldapcontroller.cpp

@@ -294,6 +294,24 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
 	tqApp->processEvents();
 }
 
+int LDAPController::controlHeimdalServer(sc_command command) {
+	if (command == SC_START) {
+		// FIXME
+		// This assumes Debian!
+		return system("/etc/init.d/heimdal-kdc start");
+	}
+	if (command == SC_STOP) {
+		// FIXME
+		// This assumes Debian!
+		return system("/etc/init.d/heimdal-kdc stop");
+	}
+	if (command == SC_RESTART) {
+		// FIXME
+		// This assumes Debian!
+		return system("/etc/init.d/heimdal-kdc restart");
+	}
+}
+
 int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t groupid) {
 	if (command == SC_START) {
 		// FIXME
@@ -318,6 +336,8 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
 	}
 	if (command == SC_SETDBPERMS) {
 		if ((userid > 0) && (groupid > 0)) {
+			// FIXME
+			// This assumes Debian!
 			TQString command;
 			command = TQString("chown -R %1 /var/lib/ldap/*").arg(userid);
 			system(command.ascii());
@@ -357,7 +377,7 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY
 
 	replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", destDir + "heimdal.defaults", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
 	replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", destDir + "kadmind.acl", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
-	replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "kdc.conf", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
 	replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
 
 	replacePlaceholdersInFile(templateDir + "openldap/skel.ldif", configTempDir.name() + "skel.ldif", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
@@ -387,20 +407,21 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY
 	// Set permissions
 	chmod(TQString(destDir + "heimdal.defaults").ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
 	chmod(TQString(destDir + "kadmind.acl").ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
-	chmod(TQString(destDir + "kdc.conf").ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
+	chmod(TQString(destDir + "heimdal-kdc/kdc.conf").ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
 	chmod(TQString(destDir + "krb5.conf").ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
 
 	chmod(TQString(configTempDir.name() + "skel.ldif").ascii(), S_IRUSR|S_IWUSR);
 	chmod(TQString(destDir + "ldap/slapd.conf").ascii(), S_IRUSR|S_IWUSR);
 	chmod(TQString(destDir + "ldap/slapd.defaults").ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
 
-	pdialog.setStatusMessage(i18n("Purging existing LDAP database..."));
+	pdialog.setStatusMessage(i18n("Stopping servers..."));
-	tqApp->processEvents();
-	controlLDAPServer(SC_PURGE);
-
-	pdialog.setStatusMessage(i18n("Loading initial database into LDAP..."));
-	tqApp->processEvents();
 
+	// Stop Heimdal
+	if (controlHeimdalServer(SC_STOP) != 0) {
+		if (errstr) *errstr = i18n("Unable to stop Kerberos server");
+		pdialog.closeDialog();
+		return -1;
+	}
 	// Stop slapd
 	if (controlLDAPServer(SC_STOP) != 0) {
 		if (errstr) *errstr = i18n("Unable to stop LDAP server");
@@ -408,6 +429,13 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY
 		return -1;
 	}
 
+	pdialog.setStatusMessage(i18n("Purging existing LDAP database..."));
+	tqApp->processEvents();
+	controlLDAPServer(SC_PURGE);
+
+	pdialog.setStatusMessage(i18n("Loading initial database into LDAP..."));
+	tqApp->processEvents();
+
 	// Load database
 	KProcess slapadd;
 	slapadd << "slapadd" << "-l" << configTempDir.name() + "skel.ldif";
@@ -432,6 +460,12 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY
 		pdialog.closeDialog();
 		return -1;
 	}
+	// Start Heimdal
+	if (controlHeimdalServer(SC_START) != 0) {
+		if (errstr) *errstr = i18n("Unable to start Kerberos server");
+		pdialog.closeDialog();
+		return -1;
+	}
 
 	// RAJA FIXME
 	pdialog.closeDialog();

src/ldapcontroller.h

@@ -86,6 +86,7 @@ class LDAPController: public KCModule
 		void processLockouts();
 
 	private:
+		int controlHeimdalServer(sc_command command);
 		int controlLDAPServer(sc_command command, uid_t userid=-1, gid_t groupid=-1);
 
 	private: