|
|
|
@ -155,6 +155,14 @@ int main(int argc, char *argv[])
|
|
|
|
|
else {
|
|
|
|
|
if (realmCAMaster == fqdn) {
|
|
|
|
|
printf("This server is the realm CA master\n"); fflush(stdout);
|
|
|
|
|
|
|
|
|
|
TQString realmname = m_defaultRealm.upper();
|
|
|
|
|
LDAPCredentials* credentials = new LDAPCredentials;
|
|
|
|
|
credentials->username = "";
|
|
|
|
|
credentials->password = "";
|
|
|
|
|
credentials->realm = realmname;
|
|
|
|
|
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
|
|
|
|
|
|
|
|
|
|
if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
|
|
|
|
|
certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
if (certExpiry >= now) {
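Review bot: The `new LDAPManager(realmname, "ldapi://", credentials)` object and the `credentials` it is given are now constructed before the PEM-file check, so they are built on every pass through this branch, and `credentials` is allocated with `new` but released nowhere visible in the hunk; if LDAPManager does not take ownership this leaks once per invocation, so either document the hand-over at the allocation, e.g. `// LDAPManager takes ownership of credentials (verify against LDAPManager dtor)`, or pair it with a `delete credentials;` next to the eventual `delete ldap_mgr;`. The hunk also gives no indication that the ldapi:// session was checked for usability before it is later used for directory reads and CRL uploads; a failed bind at construction time should at least be logged here rather than surfacing as a later "[ERROR]". The enclosing `if (realmCAMaster == fqdn)` block and main() continue beyond this hunk.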
|
|
|
|
@ -164,27 +172,13 @@ int main(int argc, char *argv[])
|
|
|
|
|
printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
|
|
|
|
|
LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
|
|
|
|
|
|
|
|
|
|
TQString realmname = m_defaultRealm.upper();
|
|
|
|
|
LDAPCredentials* credentials = new LDAPCredentials;
|
|
|
|
|
credentials->username = "";
|
|
|
|
|
credentials->password = "";
|
|
|
|
|
credentials->realm = realmname;
|
|
|
|
|
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
|
|
|
|
|
|
|
|
|
|
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
|
|
|
|
|
TQString errorstring;
|
|
|
|
|
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
|
|
|
|
|
printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// CRL
|
|
|
|
|
if (ldap_mgr->generatePKICRL(m_certconfig.caExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_CRL_FILE, KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errorstring) != 0) {
|
|
|
|
|
printf("[ERROR] Unable to generate CRL!\n%s\n", errorstring.ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ca_modified = true;
|
|
|
|
|
|
|
|
|
|
delete ldap_mgr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set permissions
|
|
|
|
@ -196,6 +190,28 @@ int main(int argc, char *argv[])
|
|
|
|
|
else {
|
|
|
|
|
printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check CRL expiry
|
|
|
|
|
TQByteArray certificateContents;
|
|
|
|
|
if (ldap_mgr->getTDECertificate("publicRootCertificateRevocationList", &certificateContents, NULL) == 0) {
|
|
|
|
|
certExpiry = LDAPManager::getCertificateExpiration(certificateContents);
|
|
|
|
|
if (certExpiry >= now) {
|
|
|
|
|
printf("CRL expires %s\n", certExpiry.toString().ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
|
|
|
|
|
printf("Regenerating CRL...\n"); fflush(stdout);
|
|
|
|
|
LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
|
|
|
|
|
|
|
|
|
|
// Upload the new CRL to the LDAP server
|
|
|
|
|
if (ldap_mgr->generatePKICRL(m_certconfig.caCrlExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_CRL_FILE, KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errorstring) != 0) {
|
|
|
|
|
printf("[ERROR] Unable to generate CRL!\n%s\n", errorstring.ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ca_modified = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
delete ldap_mgr;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
printf("This server is a realm CA slave\n"); fflush(stdout);
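Review bot: The CRL-regeneration branch calls `LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);` before `generatePKICRL`, which regenerates the CA certificate itself when only the CRL is due for renewal; this looks copied from the certificate path above, and unlike that path the regenerated certificate is not uploaded to LDAP here, so the directory copy and the on-disk PEM would diverge — unless the CA certificate is genuinely meant to be refreshed with every CRL, drop that call and keep only `generatePKICRL`. When `getTDECertificate("publicRootCertificateRevocationList", &certificateContents, NULL)` returns non-zero nothing is logged and no CRL is produced, so a realm that has no CRL in LDAP yet never gets one from this path; add `else { printf("[WARNING] Unable to read CRL from LDAP server!\n"); fflush(stdout); }` and consider treating a missing CRL like an expired one. The test `(certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))` reduces to `certExpiry < soon` whenever `soon` is not before `now`. `errorstring` passed to `generatePKICRL` was declared inside the certificate-regeneration block in the old code and its declaration on the new side is not visible in this hunk, so confirm it is actually in scope at this point. main() continues beyond this hunk.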
|
|
|
|
@ -270,8 +286,9 @@ int main(int argc, char *argv[])
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ca_modified)
|
|
|
|
|
if (ca_modified) {
|
|
|
|
|
force_update = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Kerberos
|
|
|
|
|
if (TQFile::exists(kdc_certfile)) {
|
|
|
|
|