Add CRL support

pull/1/head
Timothy Pearson 9 years ago
parent 75a61a29a3
commit d21c892313

@ -90,6 +90,8 @@ int main(int argc, char *argv[])
force_update = true;
}
bool ca_modified = false;
//======================================================================================================================================================
//
// Updater code follows
@ -174,6 +176,13 @@ int main(int argc, char *argv[])
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
}
// CRL
if (ldap_mgr->generatePKICRL(m_certconfig.caExpiryDays, m_realmconfig[m_defaultRealm], &errorstring) != 0) {
printf("[ERROR] Unable to generate CRL!\n%s\n", errorstring.ascii()); fflush(stdout);
}
ca_modified = true;
delete ldap_mgr;
}
@ -261,6 +270,9 @@ int main(int argc, char *argv[])
}
}
if (ca_modified)
force_update = true;
// Kerberos
if (TQFile::exists(kdc_certfile)) {
certExpiry = LDAPManager::getCertificateExpiration(kdc_certfile);
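Review bot: The CRL on the L20 line is generated with `m_certconfig.caExpiryDays`, the CA certificate lifetime, whereas the control module's own call (btncrlRegenerate) passes `m_certconfig.caCrlExpiryDays` plus the key and CRL-database paths; a CRL whose nextUpdate is derived from the CA lifetime stays "fresh" for years, so relying parties that cache the list until nextUpdate never pick up later revocations. Assuming the updater's m_certconfig carries the same setting, the call should read `ldap_mgr->generatePKICRL(m_certconfig.caCrlExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errorstring)` so both callers agree (and unless a three-argument overload exists elsewhere, the line as written will not compile). Separately, the CRL is only produced inside the CA-regeneration branch: the Kerberos and LDAP certificates have their expiry checked below, but nothing visible here refreshes a CRL that is about to lapse, and an expired CRL makes strict clients reject every certificate the CA issued, so the updater should check the CRL's nextUpdate and regenerate it on its own schedule. main() starts before and continues after these hunks.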

@ -4,7 +4,7 @@ objectClass: olcHdbConfig
olcDatabase: {@@@LDIFSCHEMANUMBER@@@}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: @@@REALM_DCNAME@@@
olcAccess: {0}to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,privateRootCertificateKey
olcAccess: {0}to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,privateRootCertificateKey,pkiCertificate
by group/groupOfNames/member.exact="cn=@@@ADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@" write
by dn.base="uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@"
by sockurl.regex="^ldapi:///$" write
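Review bot: Putting `pkiCertificate` in the same rule as `userPassword`, `krb5Key` and `privateRootCertificateKey` is right for write access, but per the schema comment this attribute holds a user's certificate and its revocation status, which relying parties must be able to read; the trailing `by` clauses of this rule are outside the hunk, and if they end in `by * none` or `by * auth` as a password rule normally does, only the admin group, the admin user and the ldapi socket can read the status. If ordinary readers are expected, give the attribute its own entry placed before the catch-all, e.g. `olcAccess: {N}to attrs=pkiCertificate by group/groupOfNames/member.exact="cn=@@@ADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@" write by * read`. Note also that `publicRootCertificateRevocationList`, which the schema change adds to tdeCertificateStore, does not appear in this protected list; confirm it is covered by whatever rule protects `publicRootCertificate`, since a CRL attribute writable by non-admins is a revocation bypass.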

@ -26,10 +26,13 @@ olcAttributeTypes: {17} ( 1.3.6.1.4.1.40364.1.1.18 NAME 'builtinMachineAdminGrou
olcAttributeTypes: {18} ( 1.3.6.1.4.1.40364.1.1.19 NAME 'builtinStandardUserGroup' DESC 'Built-in standard user group distinguished name' SUP name )
# Used for storing certificate management settings
olcAttributeTypes: {19} ( 1.3.6.1.4.1.40364.1.1.20 NAME 'publicRootCertificateOriginServer' DESC 'Certificate authority root certificate origin server' SUP name )
# Used for storing PKI user certificates and certificate status
olcAttributeTypes: {20} ( 1.3.6.1.4.1.40364.1.1.21 NAME 'pkiCertificate' DESC 'User PKI certificate and status encoded with text mode TQDataStream TQPair<uint32_t, TQByteArray>' SUP name )
olcAttributeTypes: {21} ( 1.3.6.1.4.1.40364.1.1.22 NAME 'publicRootCertificateRevocationList' DESC 'Certificate authority root certificate revocation list' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )
olcObjectClasses: {0} ( 1.3.6.1.4.1.40364.1.2.1 NAME 'tdeExtendedUserData' SUP top AUXILIARY MAY ( website
URL $ managerName $ secretaryName $ teletexId $ preferredDelivery $ locallyUniqueID $ notes $ pwdLastSet $ badPwdCount $ badPasswordTime $ lastLogon $ lastLogoff ) )
olcObjectClasses: {1} ( 1.3.6.1.4.1.40364.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY tdeBuiltinAccount )
olcObjectClasses: {2} ( 1.3.6.1.4.1.40364.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey $ publicRootCertificateOriginServer ) )
olcObjectClasses: {1} ( 1.3.6.1.4.1.40364.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ pkiCertificate ) )
olcObjectClasses: {2} ( 1.3.6.1.4.1.40364.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey $ publicRootCertificateRevocationList $ publicRootCertificateOriginServer ) )
olcObjectClasses: {3} ( 1.3.6.1.4.1.40364.1.2.4 NAME 'tdeBuiltinStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ builtinRealmAdminAccount $ builtinRealmAdminGroup $ builtinMachineAdminGroup $ builtinStandardUserGroup ) )
structuralObjectClass: olcSchemaConfig
creatorsName: cn=config
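Review bot: `pkiCertificate` on the L50 line is declared `SUP name` (a multi-valued Directory String with case-ignoring matching) although its description says it stores a serialized certificate-and-status blob; the sibling `publicRootCertificateRevocationList` on L51 already uses the pattern that fits such data, `SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE`, and the same should be used here (or Octet String `1.3.6.1.4.1.1466.115.121.1.40`, since the Binary syntax is not carried forward by RFC 4517). A case-ignoring string syntax will not reliably round-trip arbitrary bytes and makes equality and duplicate checks meaningless for a certificate. For the CRL, the standard attribute `certificateRevocationList` (2.5.4.39, RFC 4523, syntax `1.3.6.1.4.1.1466.115.121.1.9`) is what RFC 4523-aware clients following an LDAP CRL distribution point look for; unless a private attribute is required, reusing it would let such clients consume the list without custom code.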

@ -130,6 +130,8 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
connect(m_base->ldapExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportKey()));
connect(m_base->ldapExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportCert()));
connect(m_base->crlRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncrlRegenerate()));
connect(m_base->btnChangeLDAPRootPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeLDAPRootPassword()));
connect(m_base->btnChangeRealmAdminPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeRealmAdminPassword()));
@ -145,6 +147,7 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
connect(m_base->multiMasterReplicationMappings, TQT_SIGNAL(executed(TQListViewItem*)), this, TQT_SLOT(modifySelectedMultiMasterReplication()));
connect(m_base->advancedCaCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(caCertExpiryChanged()));
connect(m_base->advancedCaCrlExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(caCrlCertExpiryChanged()));
connect(m_base->advancedKerberosCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(kerberosCertExpiryChanged()));
connect(m_base->advancedLdapCertExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(ldapCertExpiryChanged()));
@ -384,6 +387,7 @@ void LDAPController::load() {
// Load cert config
m_systemconfig->setGroup("Certificates");
m_certconfig.caExpiryDays = m_systemconfig->readNumEntry("caExpiryDays", KERBEROS_PKI_PEMKEY_EXPIRY_DAYS);
m_certconfig.caCrlExpiryDays = m_systemconfig->readNumEntry("caCrlExpiryDays", KERBEROS_PKI_CRL_EXPIRY_DAYS);
m_certconfig.kerberosExpiryDays = m_systemconfig->readNumEntry("kerberosExpiryDays", KERBEROS_PKI_KRB_EXPIRY_DAYS);
m_certconfig.ldapExpiryDays = m_systemconfig->readNumEntry("ldapExpiryDays", KERBEROS_PKI_LDAP_EXPIRY_DAYS);
m_certconfig.countryName = m_systemconfig->readEntry("countryName");
@ -470,6 +474,7 @@ void LDAPController::load() {
}
m_base->advancedCaCertExpiry->setValue(m_certconfig.caExpiryDays);
m_base->advancedCaCrlExpiry->setValue(m_certconfig.caCrlExpiryDays);
m_base->advancedKerberosCertExpiry->setValue(m_certconfig.kerberosExpiryDays);
m_base->advancedLdapCertExpiry->setValue(m_certconfig.ldapExpiryDays);
@ -505,6 +510,13 @@ void LDAPController::updateCertDisplay() {
TQString ldap_certfile = LDAP_CERT_FILE;
ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].name.lower());
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
credentials->realm = realmname;
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
// Certificate Authority
if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
@ -570,6 +582,38 @@ void LDAPController::updateCertDisplay() {
m_base->ldapExpiryString->setText("File not found");
m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND);
}
// Certificate Revocation List
// FIXME
// KSSLCertificate does not appear to understand the CRL format
// Debug and reactivate this code
#if 0
TQByteArray certificateContents;
if (ldap_mgr->getTDECertificate("publicRootCertificateRevocationList", &certificateContents, NULL) == 0) {
certExpiry = LDAPManager::getCertificateExpiration(certificateContents);
if (certExpiry >= now) {
m_base->crlExpiryString->setText("Expires " + certExpiry.toString());
if (certExpiry >= soon) {
m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE);
}
else {
m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE);
}
}
else {
m_base->crlExpiryString->setText("Expired " + certExpiry.toString());
m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED);
}
}
else {
m_base->crlExpiryString->setText("File not found");
m_base->crlExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND);
}
#else
m_base->crlExpiryString->setText("Unknown");
#endif
delete ldap_mgr;
}
void LDAPController::btncaSetMaster() {
@ -712,6 +756,26 @@ void LDAPController::btnldapExportCert() {
}
}
void LDAPController::btncrlRegenerate() {
TQString errstr;
// Bind to realm
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
credentials->realm = realmname;
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
if (ldap_mgr->generatePKICRL(m_certconfig.caCrlExpiryDays, m_realmconfig[m_defaultRealm], KERBEROS_PKI_PEMKEY_FILE, KERBEROS_PKI_CRLDB_FILE, &errstr) != 0) {
KMessageBox::error(this, i18n("<qt><b>Unable to regenerate CRL</b><p>Details: %1</qt>").arg(errstr), i18n("Unable to Regenerate CRL"));
}
delete ldap_mgr;
load();
}
void LDAPController::slotCertCopyResult(TDEIO::Job* job) {
if (job->error()) {
job->showErrorDialog(this);
@ -927,6 +991,12 @@ void LDAPController::caCertExpiryChanged() {
emit(changed());
}
void LDAPController::caCrlExpiryChanged() {
m_certconfig.caCrlExpiryDays = m_base->advancedCaCrlExpiry->value();
emit(changed());
}
void LDAPController::kerberosCertExpiryChanged() {
m_certconfig.kerberosExpiryDays = m_base->advancedKerberosCertExpiry->value();
@ -954,6 +1024,7 @@ void LDAPController::save() {
// Write cert config
m_systemconfig->setGroup("Certificates");
m_systemconfig->writeEntry("caExpiryDays", m_certconfig.caExpiryDays);
m_systemconfig->writeEntry("caCrlExpiryDays", m_certconfig.caCrlExpiryDays);
m_systemconfig->writeEntry("kerberosExpiryDays", m_certconfig.kerberosExpiryDays);
m_systemconfig->writeEntry("ldapExpiryDays", m_certconfig.ldapExpiryDays);
m_systemconfig->writeEntry("countryName", m_certconfig.countryName);
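Review bot: The slot name in the connect on the L71 line, `caCrlCertExpiryChanged()`, does not match the slot actually defined and declared, `caCrlExpiryChanged()` (L160 and the header); TQt resolves slots by name at runtime, so this connect fails with a "no such slot" warning and changes to the CRL expiry spin box never reach `m_certconfig.caCrlExpiryDays`, which save() then writes back unchanged, so the configured CRL lifetime silently stays at whatever was loaded. The fix is `connect(m_base->advancedCaCrlExpiry, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(caCrlExpiryChanged()));`. In updateCertDisplay() the `LDAPManager` built on L92–L96 is used only inside the `#if 0` block, so every refresh constructs a manager (and, if the constructor binds, opens an ldapi session) for a display that just prints "Unknown"; wrap that construction in the same `#if 0`, and give the disabled state `CERT_STATUS_COLOR_NOTFOUND` so an unverifiable CRL is not shown as a neutral status. The constructor and updateCertDisplay() bodies start outside these hunks.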

@ -78,6 +78,7 @@ class LDAPController: public TDECModule
void btnldapRegenerate();
void btnldapExportKey();
void btnldapExportCert();
void btncrlRegenerate();
void slotCertCopyResult(TDEIO::Job*);
void btnChangeLDAPRootPassword();
@ -91,6 +92,7 @@ class LDAPController: public TDECModule
void modifySelectedMultiMasterReplication();
void caCertExpiryChanged();
void caCrlExpiryChanged();
void kerberosCertExpiryChanged();
void ldapCertExpiryChanged();

@ -215,15 +215,36 @@
<cstring>unnamed</cstring>
</property>
<property name="text">
<cstring>Certificate Authority:</cstring>
<cstring>Certificate Revocation List:</cstring>
</property>
</widget>
<widget class="TQLabel" row="2" column="0" colspan="1">
<property name="name">
<cstring>crlExpiryString</cstring>
</property>
</widget>
<widget class="TQPushButton" row="1" column="3" colspan="2" rowspan="2">
<property name="name">
<cstring>crlRegenerate</cstring>
</property>
<property name="text">
<cstring>Regenerate</cstring>
</property>
</widget>
<widget class="TQLabel" row="3" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
<property name="text">
<cstring>Certificate Authority:</cstring>
</property>
</widget>
<widget class="TQLabel" row="4" column="0" colspan="1">
<property name="name">
<cstring>caExpiryString</cstring>
</property>
</widget>
<widget class="TQPushButton" row="1" column="2" colspan="1" rowspan="2">
<widget class="TQPushButton" row="3" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>caRegenerate</cstring>
</property>
@ -231,7 +252,7 @@
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
<widget class="TQPushButton" row="1" column="3" colspan="1" rowspan="2">
<widget class="TQPushButton" row="3" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>caExportKey</cstring>
</property>
@ -239,7 +260,7 @@
<cstring>Export Private Key</cstring>
</property>
</widget>
<widget class="TQPushButton" row="1" column="4" colspan="1" rowspan="2">
<widget class="TQPushButton" row="3" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>caExportCert</cstring>
</property>
@ -247,7 +268,7 @@
<cstring>Export Public Certificate</cstring>
</property>
</widget>
<widget class="TQLabel" row="3" column="0" colspan="1">
<widget class="TQLabel" row="5" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
@ -255,12 +276,12 @@
<cstring>Kerberos:</cstring>
</property>
</widget>
<widget class="TQLabel" row="4" column="0" colspan="1">
<widget class="TQLabel" row="6" column="0" colspan="1">
<property name="name">
<cstring>krbExpiryString</cstring>
</property>
</widget>
<widget class="TQPushButton" row="3" column="2" colspan="1" rowspan="2">
<widget class="TQPushButton" row="5" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>krbRegenerate</cstring>
</property>
@ -268,7 +289,7 @@
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
<widget class="TQPushButton" row="3" column="3" colspan="1" rowspan="2">
<widget class="TQPushButton" row="5" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>krbExportKey</cstring>
</property>
@ -276,7 +297,7 @@
<cstring>Export Private Key</cstring>
</property>
</widget>
<widget class="TQPushButton" row="3" column="4" colspan="1" rowspan="2">
<widget class="TQPushButton" row="5" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>krbExportCert</cstring>
</property>
@ -284,7 +305,7 @@
<cstring>Export Public Certificate</cstring>
</property>
</widget>
<widget class="TQLabel" row="5" column="0" colspan="1">
<widget class="TQLabel" row="7" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
@ -292,12 +313,12 @@
<cstring>LDAP TLS:</cstring>
</property>
</widget>
<widget class="TQLabel" row="6" column="0" colspan="1">
<widget class="TQLabel" row="8" column="0" colspan="1">
<property name="name">
<cstring>ldapExpiryString</cstring>
</property>
</widget>
<widget class="TQPushButton" row="5" column="2" colspan="1" rowspan="2">
<widget class="TQPushButton" row="7" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>ldapRegenerate</cstring>
</property>
@ -305,7 +326,7 @@
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
<widget class="TQPushButton" row="5" column="3" colspan="1" rowspan="2">
<widget class="TQPushButton" row="7" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>ldapExportKey</cstring>
</property>
@ -313,7 +334,7 @@
<cstring>Export Private Key</cstring>
</property>
</widget>
<widget class="TQPushButton" row="5" column="4" colspan="1" rowspan="2">
<widget class="TQPushButton" row="7" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>ldapExportCert</cstring>
</property>
@ -468,12 +489,12 @@
<cstring>unnamed</cstring>
</property>
<property name="text">
<string>Certificate Authority:</string>
<string>Certificate Revocation List:</string>
</property>
</widget>
<widget class="KIntNumInput" row="0" column="1" >
<property name="name">
<cstring>advancedCaCertExpiry</cstring>
<cstring>advancedCaCrlExpiry</cstring>
</property>
<property name="minValue">
<number>1</number>
@ -495,12 +516,12 @@
<cstring>unnamed</cstring>
</property>
<property name="text">
<string>Kerberos:</string>
<string>Certificate Authority:</string>
</property>
</widget>
<widget class="KIntNumInput" row="1" column="1" >
<property name="name">
<cstring>advancedKerberosCertExpiry</cstring>
<cstring>advancedCaCertExpiry</cstring>
</property>
<property name="minValue">
<number>1</number>
@ -522,10 +543,37 @@
<cstring>unnamed</cstring>
</property>
<property name="text">
<string>LDAP TLS:</string>
<string>Kerberos:</string>
</property>
</widget>
<widget class="KIntNumInput" row="2" column="1" >
<property name="name">
<cstring>advancedKerberosCertExpiry</cstring>
</property>
<property name="minValue">
<number>1</number>
</property>
<property name="maxValue">
<number>7200</number>
</property>
<property name="sizePolicy">
<sizepolicy>
<hsizetype>0</hsizetype>
<vsizetype>0</vsizetype>
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
</widget>
<widget class="TQLabel" row="3" column="0">
<property name="name">
<cstring>unnamed</cstring>
</property>
<property name="text">
<string>LDAP TLS:</string>
</property>
</widget>
<widget class="KIntNumInput" row="3" column="1" >
<property name="name">
<cstring>advancedLdapCertExpiry</cstring>
</property>
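Review bot: The new `advancedCaCrlExpiry` input on the L338–L344 lines shows only `minValue` 1; its `maxValue` lies outside the hunk, and if it inherits the 7200-day ceiling the other expiry inputs use (L376), an operator can publish a CRL whose nextUpdate is roughly twenty years out, during which relying parties that cache the list until nextUpdate will not see any later revocation. A CRL lifetime should be bounded to days or weeks, e.g. `<number>365</number>` as this input's maxValue, and the label could note that the value is how long clients may cache the list. Confirm the actual maxValue in the lines following this hunk before relying on this.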
