/***************************************************************************
* Copyright ( C ) 2012 by Timothy Pearson *
* kb9vqf @ pearsoncomputing . net *
* *
* This program is free software ; you can redistribute it and / or modify *
* it under the terms of the GNU General Public License as published by *
* the Free Software Foundation ; either version 2 of the License , or *
* ( at your option ) any later version . *
* *
* This program is distributed in the hope that it will be useful , *
* but WITHOUT ANY WARRANTY ; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the *
* GNU General Public License for more details . *
* *
* You should have received a copy of the GNU General Public License *
* along with this program ; if not , write to the *
* Free Software Foundation , Inc . , *
* 59 Temple Place - Suite 330 , Boston , MA 02111 - 1307 , USA . *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
# include <sys/types.h>
# include <sys/stat.h>
# include <sys/socket.h>
# include <netdb.h>
# include <pwd.h>
# include <tqfile.h>
# include <tqcheckbox.h>
# include <kapplication.h>
# include <klocale.h>
# include <kmessagebox.h>
# include <klineedit.h>
# include <kpassdlg.h>
# include <ksimpleconfig.h>
# include <tdesu/process.h>
# include <ksslcertificate.h>
# include <krfcdate.h>
# include <ldap.h>
# include <stdlib.h>
# include <sys/time.h>
# include "libtdeldap.h"
# include "ldaplogindlg.h"
# include "ldappasswddlg.h"
# define LDAP_INSECURE_PORT 389
# define LDAP_SECURE_PORT 636
// FIXME
// Connect this to CMake/Automake
# define KDE_CONFDIR " / etc / trinity"
// FIXME
// This assumes Debian!
# define LDAP_FILE " / etc / ldap / ldap.conf"
# define LDAP_SECONDARY_FILE " / etc / ldap.conf"
# define TDELDAP_SUDO_D_FILE " / etc / sudoers.d / tde-realm-admins"
# define CRON_UPDATE_NSS_FILE " / etc / cron.daily / upd-local-nss-db"
# define CRON_UPDATE_NSS_COMMAND " / usr / sbin / nss_updatedb ldap"
int requested_ldap_version = LDAP_VERSION3 ;
char * ldap_user_and_operational_attributes [ 2 ] = { " * " , " + " } ;
enum ErrorCauseLocation {
ERRORCAUSE_LOCATION_BIND = 0
} ;
LDAPManager : : LDAPManager ( TQString realm , TQString host , TQObject * parent , const char * name ) : TQObject ( parent , name ) , m_realm ( realm ) , m_host ( host ) , m_port ( 0 ) , m_creds ( 0 ) , m_ldap ( 0 )
{
TQStringList domainChunks = TQStringList : : split ( " . " , realm . lower ( ) ) ;
m_basedc = " dc= " + domainChunks . join ( " ,dc= " ) ;
}
LDAPManager : : LDAPManager ( TQString realm , TQString host , LDAPCredentials * creds , TQObject * parent , const char * name ) : TQObject ( parent , name ) , m_realm ( realm ) , m_host ( host ) , m_port ( 0 ) , m_creds ( creds ) , m_ldap ( 0 )
{
TQStringList domainChunks = TQStringList : : split ( " . " , realm . lower ( ) ) ;
m_basedc = " dc= " + domainChunks . join ( " ,dc= " ) ;
}
LDAPManager : : ~ LDAPManager ( ) {
unbind ( true ) ;
}
TQString LDAPManager : : ldapdnForRealm ( TQString realm ) {
TQStringList domainChunks = TQStringList : : split ( " . " , realm . lower ( ) ) ;
TQString basedc = " dc= " + domainChunks . join ( " ,dc= " ) ;
return basedc ;
}
TQString LDAPManager : : cnFromDn ( TQString dn ) {
int eqpos = dn . find ( " = " ) + 1 ;
int cmpos = dn . find ( " , " , eqpos ) ;
if ( ( eqpos < 0 ) | | ( cmpos < 0 ) ) {
return dn ;
}
dn . truncate ( cmpos ) ;
dn . remove ( 0 , eqpos ) ;
return dn ;
}
TQString LDAPManager : : basedn ( ) {
return m_basedc ;
}
TQString LDAPManager : : realm ( ) {
return m_realm ;
}
LDAPCredentials LDAPManager : : currentLDAPCredentials ( ) {
if ( m_creds ) {
return * m_creds ;
}
else {
return LDAPCredentials ( ) ;
}
}
TQString ldapLikelyErrorCause ( int errcode , int location ) {
TQString ret ;
if ( location = = ERRORCAUSE_LOCATION_BIND ) {
if ( errcode = = LDAP_SERVER_DOWN ) {
ret = " * LDAP server down<br> * Invalid LDAP Certificate Authority file on client " ;
}
if ( LDAP_NAME_ERROR ( errcode ) ) {
ret = " Unknown user name or incorrect user name format " ;
}
}
if ( ret ! = " " ) {
if ( ret . contains ( " <br> " ) ) {
ret . prepend ( " <p> " + i18n ( " Potential causes " ) + " :<br> " ) ;
}
else {
ret . prepend ( " <p> " + i18n ( " Potential cause " ) + " :<br> " ) ;
}
}
return ret ;
}
int sasl_bind_interact_callback ( LDAP * ld , unsigned flags , void * defaults , void * sasl_interact ) {
// FIXME
// This currently does nothing and hopes for the best!
return LDAP_SUCCESS ;
}
int LDAPManager : : bind ( TQString * errstr ) {
if ( m_ldap ) {
return 0 ;
}
KerberosTicketInfoList m_krbTickets = LDAPManager : : getKerberosTicketList ( ) ;
bool using_ldapi = false ;
if ( m_host . startsWith ( " ldapi:// " ) ) {
using_ldapi = true ;
}
bool havepass = false ;
if ( m_creds | | using_ldapi ) {
havepass = true ;
}
else {
LDAPPasswordDialog passdlg ( 0 , 0 , ( m_krbTickets . count ( ) > 0 ) ) ;
passdlg . m_base - > ldapAdminRealm - > setEnabled ( false ) ;
passdlg . m_base - > ldapAdminRealm - > insertItem ( m_realm ) ;
passdlg . m_base - > ldapUseTLS - > setChecked ( true ) ;
if ( passdlg . exec ( ) = = TQDialog : : Accepted ) {
havepass = true ;
if ( ! m_creds ) {
m_creds = new LDAPCredentials ( ) ;
m_creds - > username = passdlg . m_base - > ldapAdminUsername - > text ( ) ;
m_creds - > password = passdlg . m_base - > ldapAdminPassword - > password ( ) ;
m_creds - > realm = passdlg . m_base - > ldapAdminRealm - > currentText ( ) ;
m_creds - > use_tls = passdlg . m_base - > ldapUseTLS - > isOn ( ) ;
m_creds - > use_gssapi = passdlg . use_gssapi ;
}
}
else {
return - 1 ;
}
}
TQString uri ;
if ( m_host . contains ( " :// " ) ) {
uri = m_host ;
if ( ! m_creds ) {
m_creds = new LDAPCredentials ( ) ;
m_creds - > username = " " ;
m_creds - > password = " " ;
m_creds - > realm = m_realm ;
}
}
else {
if ( m_creds - > use_tls ) {
m_port = LDAP_SECURE_PORT ;
uri = TQString ( " ldaps://%1:%2 " ) . arg ( m_host ) . arg ( m_port ) ;
}
else {
m_port = LDAP_INSECURE_PORT ;
uri = TQString ( " ldap://%1:%2 " ) . arg ( m_host ) . arg ( m_port ) ;
}
}
int retcode = ldap_initialize ( & m_ldap , uri . ascii ( ) ) ;
if ( retcode < 0 ) {
if ( errstr ) * errstr = i18n ( " <qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4%5</qt> " ) . arg ( m_host ) . arg ( m_port ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) . arg ( ldapLikelyErrorCause ( retcode , ERRORCAUSE_LOCATION_BIND ) ) ;
else KMessageBox : : error ( 0 , i18n ( " <qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4%5</qt> " ) . arg ( m_host ) . arg ( m_port ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) . arg ( ldapLikelyErrorCause ( retcode , ERRORCAUSE_LOCATION_BIND ) ) , i18n ( " Unable to connect to server! " ) ) ;
return - 1 ;
}
retcode = ldap_set_option ( m_ldap , LDAP_OPT_PROTOCOL_VERSION , & requested_ldap_version ) ;
if ( retcode ! = LDAP_OPT_SUCCESS ) {
if ( errstr ) * errstr = i18n ( " <qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4%5</qt> " ) . arg ( m_host ) . arg ( m_port ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) . arg ( ldapLikelyErrorCause ( retcode , ERRORCAUSE_LOCATION_BIND ) ) ;
else KMessageBox : : error ( 0 , i18n ( " <qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4%5</qt> " ) . arg ( m_host ) . arg ( m_port ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) . arg ( ldapLikelyErrorCause ( retcode , ERRORCAUSE_LOCATION_BIND ) ) , i18n ( " Unable to connect to server! " ) ) ;
return - 1 ;
}
TQString errorString ;
if ( havepass = = true ) {
char * mechanism = NULL ;
struct berval cred ;
TQString ldap_dn = m_creds - > username ;
TQCString pass = m_creds - > password ;
cred . bv_val = pass . data ( ) ;
cred . bv_len = pass . length ( ) ;
if ( ( ! using_ldapi & & ! m_creds - > use_gssapi ) ) {
if ( ! ldap_dn . contains ( " , " ) ) {
// Look for a POSIX account with anonymous bind and the specified account name
TQString uri ;
LDAP * ldapconn ;
if ( m_host . contains ( " :// " ) ) {
uri = m_host ;
}
else {
if ( m_creds - > use_tls ) {
m_port = LDAP_SECURE_PORT ;
uri = TQString ( " ldaps://%1:%2 " ) . arg ( m_host ) . arg ( m_port ) ;
}
else {
m_port = LDAP_INSECURE_PORT ;
uri = TQString ( " ldap://%1:%2 " ) . arg ( m_host ) . arg ( m_port ) ;
}
}
int retcode = ldap_initialize ( & ldapconn , uri . ascii ( ) ) ;
if ( retcode < 0 ) {
if ( errstr ) * errstr = i18n ( " <qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4</qt> " ) . arg ( m_host ) . arg ( m_port ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) ;
else KMessageBox : : error ( 0 , i18n ( " <qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4</qt> " ) . arg ( m_host ) . arg ( m_port ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " Unable to connect to server! " ) ) ;
return - 1 ;
}
retcode = ldap_set_option ( ldapconn , LDAP_OPT_PROTOCOL_VERSION , & requested_ldap_version ) ;
if ( retcode ! = LDAP_OPT_SUCCESS ) {
if ( errstr ) * errstr = i18n ( " <qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4</qt> " ) . arg ( m_host ) . arg ( m_port ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) ;
else KMessageBox : : error ( 0 , i18n ( " <qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4</qt> " ) . arg ( m_host ) . arg ( m_port ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " Unable to connect to server! " ) ) ;
return - 1 ;
}
struct berval anoncred ;
anoncred . bv_val = " " ;
anoncred . bv_len = strlen ( " " ) ;
retcode = ldap_sasl_bind_s ( ldapconn , " " , mechanism , & anoncred , NULL , NULL , NULL ) ;
if ( retcode = = LDAP_SUCCESS ) {
// Look for the DN for the specified user
LDAPMessage * msg ;
TQString ldap_base_dn = m_basedc ;
TQString ldap_filter = TQString ( " (&(objectclass=posixAccount)(uid=%1)) " ) . arg ( m_creds - > username ) ;
retcode = ldap_search_ext_s ( ldapconn , ldap_base_dn . ascii ( ) , LDAP_SCOPE_SUBTREE , ldap_filter . ascii ( ) , NULL , 0 , NULL , NULL , NULL , 0 , & msg ) ;
if ( retcode ! = LDAP_SUCCESS ) {
if ( errstr ) * errstr = i18n ( " <qt>LDAP search failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) ;
else KMessageBox : : error ( 0 , i18n ( " <qt>LDAP search failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
}
else {
// Iterate through the returned entries
char * dn = NULL ;
LDAPMessage * entry ;
for ( entry = ldap_first_entry ( ldapconn , msg ) ; entry ! = NULL ; entry = ldap_next_entry ( ldapconn , entry ) ) {
if ( ( dn = ldap_get_dn ( ldapconn , entry ) ) ! = NULL ) {
ldap_dn = dn ;
ldap_memfree ( dn ) ;
}
}
}
// clean up
ldap_msgfree ( msg ) ;
// All done!
ldap_unbind_ext_s ( ldapconn , NULL , NULL ) ;
}
}
}
if ( m_creds - > use_gssapi ) {
retcode = ldap_sasl_interactive_bind_s ( m_ldap , " " , " GSSAPI " , NULL , NULL , LDAP_SASL_AUTOMATIC , sasl_bind_interact_callback , NULL ) ;
}
else {
retcode = ldap_sasl_bind_s ( m_ldap , ldap_dn . ascii ( ) , mechanism , & cred , NULL , NULL , NULL ) ;
}
if ( retcode ! = LDAP_SUCCESS ) {
if ( errstr ) * errstr = i18n ( " <qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4%5</qt> " ) . arg ( m_host ) . arg ( m_port ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) . arg ( ldapLikelyErrorCause ( retcode , ERRORCAUSE_LOCATION_BIND ) ) ;
else KMessageBox : : error ( 0 , i18n ( " <qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4%5</qt> " ) . arg ( m_host ) . arg ( m_port ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) . arg ( ldapLikelyErrorCause ( retcode , ERRORCAUSE_LOCATION_BIND ) ) , i18n ( " Unable to connect to server! " ) ) ;
return - 1 ;
}
return 0 ;
}
else {
return - 2 ;
}
return - 3 ;
}
int LDAPManager : : unbind ( bool force , TQString * errstr ) {
if ( ! m_ldap ) {
return 0 ;
}
int retcode = ldap_unbind_ext_s ( m_ldap , NULL , NULL ) ;
if ( ( retcode < 0 ) & & ( force = = false ) ) {
if ( errstr ) * errstr = i18n ( " <qt>Unable to disconnect from LDAP server %1 on port %2<p>Reason: [%3] %4</qt> " ) . arg ( m_host ) . arg ( m_port ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) ;
else KMessageBox : : error ( 0 , i18n ( " <qt>Unable to disconnect from LDAP server %1 on port %2<p>Reason: [%3] %4</qt> " ) . arg ( m_host ) . arg ( m_port ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " Unable to disconnect from server! " ) ) ;
return retcode ;
}
else {
m_ldap = 0 ;
}
return retcode ;
}
LDAPUserInfo LDAPManager : : parseLDAPUserRecord ( LDAPMessage * entry ) {
int i ;
char * dn = NULL ;
char * attr ;
struct berval * * vals ;
BerElement * ber ;
LDAPUserInfo userinfo ;
if ( ( dn = ldap_get_dn ( m_ldap , entry ) ) ! = NULL ) {
userinfo . distinguishedName = dn ;
TQStringList dnParts = TQStringList : : split ( " , " , dn ) ;
TQString id = dnParts [ 0 ] ;
if ( id . startsWith ( " uid= " ) ) {
id = id . remove ( 0 , 4 ) ;
userinfo . name = id ;
}
ldap_memfree ( dn ) ;
}
for ( attr = ldap_first_attribute ( m_ldap , entry , & ber ) ; attr ! = NULL ; attr = ldap_next_attribute ( m_ldap , entry , ber ) ) {
if ( ( vals = ldap_get_values_len ( m_ldap , entry , attr ) ) ! = NULL ) {
userinfo . informationValid = true ;
TQString ldap_field = attr ;
i = 0 ;
if ( ldap_field = = " creatorsName " ) {
userinfo . creatorsName = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " uidNumber " ) {
userinfo . uid = atoi ( vals [ i ] - > bv_val ) ;
}
else if ( ldap_field = = " loginShell " ) {
userinfo . shell = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " homeDirectory " ) {
userinfo . homedir = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " gidNumber " ) {
userinfo . primary_gid = atoi ( vals [ i ] - > bv_val ) ;
}
else if ( ldap_field = = " tdeBuiltinAccount " ) {
userinfo . tde_builtin_account = ( TQString ( vals [ i ] - > bv_val ) . upper ( ) = = " TRUE " ) ? true : false ;
}
else if ( ldap_field = = " krb5KDCFlags " ) {
userinfo . status = ( LDAPKRB5Flags ) ( atoi ( vals [ i ] - > bv_val ) ) ;
}
else if ( ldap_field = = " createTimestamp " ) { // YYYYMMDD000000Z
TQString formattedDate = vals [ i ] - > bv_val ;
formattedDate . insert ( 4 , " - " ) ;
formattedDate . insert ( 7 , " - " ) ;
formattedDate . insert ( 10 , " T " ) ;
formattedDate . insert ( 13 , " : " ) ;
formattedDate . insert ( 16 , " : " ) ;
formattedDate . remove ( 19 , 1 ) ;
userinfo . account_created = TQDateTime : : fromString ( formattedDate , TQt : : ISODate ) ;
}
else if ( ldap_field = = " modifyTimestamp " ) { // YYYYMMDD000000Z
TQString formattedDate = vals [ i ] - > bv_val ;
formattedDate . insert ( 4 , " - " ) ;
formattedDate . insert ( 7 , " - " ) ;
formattedDate . insert ( 10 , " T " ) ;
formattedDate . insert ( 13 , " : " ) ;
formattedDate . insert ( 16 , " : " ) ;
formattedDate . remove ( 19 , 1 ) ;
userinfo . account_modified = TQDateTime : : fromString ( formattedDate , TQt : : ISODate ) ;
}
// FIXME
// These two attributes do not seem to be available with a Heimdal KDC
// userinfo.password_last_changed = vals[i]->bv_val;
// userinfo.password_expires = vals[i]->bv_val;
else if ( ldap_field = = " krb5PasswordEnd " ) { // YYYYMMDD000000Z
TQString formattedDate = vals [ i ] - > bv_val ;
formattedDate . insert ( 4 , " - " ) ;
formattedDate . insert ( 7 , " - " ) ;
formattedDate . insert ( 10 , " T " ) ;
formattedDate . insert ( 13 , " : " ) ;
formattedDate . insert ( 16 , " : " ) ;
formattedDate . remove ( 19 , 1 ) ;
userinfo . password_expiration = TQDateTime : : fromString ( formattedDate , TQt : : ISODate ) ;
}
// FIXME
// These six(!) attributes do not seem to be available with a Heimdal KDC
// userinfo.password_ages = vals[i]->bv_val;
// userinfo.new_password_interval = vals[i]->bv_val;
// userinfo.new_password_warn_interval = vals[i]->bv_val;
// userinfo.new_password_lockout_delay = vals[i]->bv_val;
// userinfo.password_has_minimum_age = vals[i]->bv_val;
// userinfo.password_minimum_age = vals[i]->bv_val;
else if ( ldap_field = = " krb5MaxLife " ) { // units: hours
userinfo . maximum_ticket_lifetime = atoi ( vals [ i ] - > bv_val ) ;
}
else if ( ldap_field = = " cn " ) {
userinfo . commonName = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " givenName " ) {
userinfo . givenName = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " sn " ) {
userinfo . surName = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " initials " ) {
userinfo . initials = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " title " ) {
userinfo . title = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " mail " ) {
userinfo . email = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " description " ) {
userinfo . description = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " l " ) {
userinfo . locality = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " telephoneNumber " ) {
userinfo . telephoneNumber = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " facsimileTelephoneNumber " ) {
userinfo . faxNumber = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " homePhone " ) {
userinfo . homePhone = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " mobile " ) {
userinfo . mobilePhone = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " pager " ) {
userinfo . pagerNumber = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " websiteURL " ) {
userinfo . website = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " postOfficeBox " ) {
userinfo . poBox = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " street " ) {
userinfo . street = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " postalAddress " ) {
userinfo . address = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " st " ) {
userinfo . state = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " postalCode " ) {
userinfo . postcode = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " registeredAddress " ) {
userinfo . registeredAddress = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " homePostalAddress " ) {
userinfo . homeAddress = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " seeAlso " ) {
userinfo . seeAlso = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " physicalDeliveryOfficeName " ) {
userinfo . deliveryOffice = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " departmentNumber " ) {
userinfo . department = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " roomNumber " ) {
userinfo . roomNumber = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " employeeType " ) {
userinfo . employeeType = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " employeeNumber " ) {
userinfo . employeeNumber = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " managerName " ) {
userinfo . manager = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " secretaryName " ) {
userinfo . secretary = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " internationaliSDNNumber " ) {
userinfo . isdnNumber = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " teletexId " ) {
userinfo . teletexID = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " telexNumber " ) {
userinfo . telexNumber = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " preferredDelivery " ) {
userinfo . preferredDelivery = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " destinationIndicator " ) {
userinfo . destinationIndicator = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " x121Address " ) {
userinfo . x121Address = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " displayName " ) {
userinfo . displayName = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " preferredLanguage " ) {
userinfo . preferredLanguage = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " locallyUniqueID " ) {
userinfo . uniqueIdentifier = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " businessCategory " ) {
userinfo . businessCategory = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " carLicense " ) {
userinfo . carLicense = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " notes " ) {
userinfo . notes = vals [ i ] - > bv_val ;
}
ldap_value_free_len ( vals ) ;
}
ldap_memfree ( attr ) ;
}
if ( ber ! = NULL ) {
ber_free ( ber , 0 ) ;
}
return userinfo ;
}
LDAPUserInfoList LDAPManager : : users ( int * mretcode ) {
int retcode ;
LDAPUserInfoList users ;
if ( bind ( ) < 0 ) {
if ( mretcode ) * mretcode = - 1 ;
return LDAPUserInfoList ( ) ;
}
else {
LDAPMessage * msg ;
TQString ldap_base_dn = m_basedc ;
TQString ldap_filter = " (objectClass=posixAccount) " ;
retcode = ldap_search_ext_s ( m_ldap , ldap_base_dn . ascii ( ) , LDAP_SCOPE_SUBTREE , ldap_filter . ascii ( ) , ldap_user_and_operational_attributes , 0 , NULL , NULL , NULL , 0 , & msg ) ;
if ( retcode ! = LDAP_SUCCESS ) {
KMessageBox : : error ( 0 , i18n ( " <qt>LDAP search failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
if ( mretcode ) * mretcode = - 1 ;
return LDAPUserInfoList ( ) ;
}
// Iterate through the returned entries
LDAPMessage * entry ;
for ( entry = ldap_first_entry ( m_ldap , msg ) ; entry ! = NULL ; entry = ldap_next_entry ( m_ldap , entry ) ) {
users . append ( parseLDAPUserRecord ( entry ) ) ;
}
// clean up
ldap_msgfree ( msg ) ;
if ( mretcode ) * mretcode = 0 ;
return users ;
}
return LDAPUserInfoList ( ) ;
}
LDAPUserInfo LDAPManager : : getUserByDistinguishedName ( TQString dn ) {
int retcode ;
LDAPUserInfo userinfo ;
if ( bind ( ) < 0 ) {
return LDAPUserInfo ( ) ;
}
else {
LDAPMessage * msg ;
retcode = ldap_search_ext_s ( m_ldap , dn . ascii ( ) , LDAP_SCOPE_SUBTREE , NULL , ldap_user_and_operational_attributes , 0 , NULL , NULL , NULL , 0 , & msg ) ;
if ( retcode ! = LDAP_SUCCESS ) {
KMessageBox : : error ( 0 , i18n ( " <qt>LDAP search failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
return LDAPUserInfo ( ) ;
}
// Iterate through the returned entries
LDAPMessage * entry ;
for ( entry = ldap_first_entry ( m_ldap , msg ) ; entry ! = NULL ; entry = ldap_next_entry ( m_ldap , entry ) ) {
userinfo = parseLDAPUserRecord ( entry ) ;
}
// clean up
ldap_msgfree ( msg ) ;
return userinfo ;
}
return LDAPUserInfo ( ) ;
}
LDAPGroupInfo LDAPManager : : getGroupByDistinguishedName ( TQString dn , TQString * errstr ) {
int retcode ;
LDAPGroupInfo groupinfo ;
if ( bind ( errstr ) < 0 ) {
return LDAPGroupInfo ( ) ;
}
else {
LDAPMessage * msg ;
retcode = ldap_search_ext_s ( m_ldap , dn . ascii ( ) , LDAP_SCOPE_SUBTREE , NULL , ldap_user_and_operational_attributes , 0 , NULL , NULL , NULL , 0 , & msg ) ;
if ( retcode ! = LDAP_SUCCESS ) {
if ( errstr ) * errstr = i18n ( " <qt>LDAP search failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) ;
else KMessageBox : : error ( 0 , i18n ( " <qt>LDAP search failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
return LDAPGroupInfo ( ) ;
}
// Iterate through the returned entries
LDAPMessage * entry ;
for ( entry = ldap_first_entry ( m_ldap , msg ) ; entry ! = NULL ; entry = ldap_next_entry ( m_ldap , entry ) ) {
groupinfo = parseLDAPGroupRecord ( entry ) ;
}
// clean up
ldap_msgfree ( msg ) ;
return groupinfo ;
}
return LDAPGroupInfo ( ) ;
}
void create_single_attribute_operation ( LDAPMod * * mods , int * i , TQString attr , TQString value ) {
if ( value ! = " " ) {
char * * values = ( char * * ) malloc ( 2 * sizeof ( char * ) ) ;
values [ 0 ] = strdup ( value . ascii ( ) ) ;
values [ 1 ] = NULL ;
mods [ * i ] - > mod_op = LDAP_MOD_ADD ;
mods [ * i ] - > mod_type = strdup ( attr . ascii ( ) ) ;
mods [ * i ] - > mod_values = values ;
( * i ) + + ;
}
}
void create_multiple_attributes_operation ( LDAPMod * * mods , int * i , TQString attr , TQStringList strings ) {
int j = 0 ;
char * * values = ( char * * ) malloc ( ( strings . count ( ) + 1 ) * sizeof ( char * ) ) ;
for ( TQStringList : : Iterator it = strings . begin ( ) ; it ! = strings . end ( ) ; + + it ) {
if ( ( * it ) ! = " " ) {
values [ j ] = strdup ( ( * it ) . ascii ( ) ) ;
j + + ;
}
}
values [ j ] = NULL ;
mods [ * i ] - > mod_op = LDAP_MOD_ADD ;
mods [ * i ] - > mod_type = strdup ( attr . ascii ( ) ) ;
mods [ * i ] - > mod_values = values ;
( * i ) + + ;
}
void add_single_attribute_operation ( LDAPMod * * mods , int * i , TQString attr , TQString value ) {
if ( value ! = " " ) {
char * * values = ( char * * ) malloc ( 2 * sizeof ( char * ) ) ;
values [ 0 ] = strdup ( value . ascii ( ) ) ;
values [ 1 ] = NULL ;
mods [ * i ] - > mod_op = LDAP_MOD_REPLACE ;
mods [ * i ] - > mod_type = strdup ( attr . ascii ( ) ) ;
mods [ * i ] - > mod_values = values ;
( * i ) + + ;
}
}
void add_single_binary_attribute_operation ( LDAPMod * * mods , int * i , TQString attr , TQByteArray & ba ) {
if ( ba . size ( ) > 0 ) {
struct berval * * values = ( berval * * ) malloc ( 2 * sizeof ( berval * ) ) ;
values [ 0 ] = new berval ;
values [ 0 ] - > bv_len = ba . size ( ) ;
values [ 0 ] - > bv_val = ba . data ( ) ;
values [ 1 ] = NULL ;
mods [ * i ] - > mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES ;
mods [ * i ] - > mod_type = strdup ( attr . ascii ( ) ) ;
mods [ * i ] - > mod_bvalues = values ;
( * i ) + + ;
}
}
void add_multiple_attributes_operation ( LDAPMod * * mods , int * i , TQString attr , TQStringList strings ) {
int j = 0 ;
char * * values = ( char * * ) malloc ( ( strings . count ( ) + 1 ) * sizeof ( char * ) ) ;
for ( TQStringList : : Iterator it = strings . begin ( ) ; it ! = strings . end ( ) ; + + it ) {
if ( ( * it ) ! = " " ) {
values [ j ] = strdup ( ( * it ) . ascii ( ) ) ;
j + + ;
}
}
values [ j ] = NULL ;
mods [ * i ] - > mod_op = LDAP_MOD_REPLACE ;
mods [ * i ] - > mod_type = strdup ( attr . ascii ( ) ) ;
mods [ * i ] - > mod_values = values ;
( * i ) + + ;
}
int LDAPManager : : updateUserInfo ( LDAPUserInfo user ) {
int retcode ;
int i ;
LDAPUserInfo userinfo ;
if ( bind ( ) < 0 ) {
return - 1 ;
}
else {
// Assemble the LDAPMod structure
// We will replace any existing attributes with the new values
int number_of_parameters = 40 ; // 40 primary attributes
LDAPMod * mods [ number_of_parameters + 1 ] ;
for ( i = 0 ; i < number_of_parameters ; i + + ) {
mods [ i ] = new LDAPMod ;
mods [ i ] - > mod_type = NULL ;
mods [ i ] - > mod_values = NULL ;
}
mods [ number_of_parameters ] = NULL ;
// Load LDAP modification requests from provided data structure
i = 0 ;
add_single_attribute_operation ( mods , & i , " uidNumber " , TQString ( " %1 " ) . arg ( user . uid ) ) ;
add_single_attribute_operation ( mods , & i , " loginShell " , user . shell ) ;
add_single_attribute_operation ( mods , & i , " homeDirectory " , user . homedir ) ;
add_single_attribute_operation ( mods , & i , " userPassword " , " {SASL} " + user . name + " @ " + m_realm . upper ( ) ) ;
add_single_attribute_operation ( mods , & i , " gidNumber " , TQString ( " %1 " ) . arg ( user . primary_gid ) ) ;
add_single_attribute_operation ( mods , & i , " krb5KDCFlags " , TQString ( " %1 " ) . arg ( user . status ) ) ; // Default active user is 586 [KRB5_ACTIVE_DEFAULT] and locked out user is 7586 [KRB5_DISABLED_ACCOUNT]
// add_single_attribute_operation(mods, &i, "", user.password_expires);
// add_single_attribute_operation(mods, &i, "", user.password_expiration);
// add_single_attribute_operation(mods, &i, "", user.password_ages);
// add_single_attribute_operation(mods, &i, "", user.new_password_interval);
// add_single_attribute_operation(mods, &i, "", user.new_password_warn_interval);
// add_single_attribute_operation(mods, &i, "", user.new_password_lockout_delay);
// add_single_attribute_operation(mods, &i, "", user.password_has_minimum_age);
// add_single_attribute_operation(mods, &i, "", user.password_minimum_age);
add_single_attribute_operation ( mods , & i , " krb5MaxLife " , TQString ( " %1 " ) . arg ( user . maximum_ticket_lifetime ) ) ;
add_single_attribute_operation ( mods , & i , " cn " , user . commonName ) ;
add_single_attribute_operation ( mods , & i , " givenName " , user . givenName ) ;
add_single_attribute_operation ( mods , & i , " sn " , user . surName ) ;
add_single_attribute_operation ( mods , & i , " initials " , user . initials ) ;
add_single_attribute_operation ( mods , & i , " title " , user . title ) ;
add_single_attribute_operation ( mods , & i , " mail " , user . email ) ;
add_single_attribute_operation ( mods , & i , " description " , user . description ) ;
add_single_attribute_operation ( mods , & i , " l " , user . locality ) ;
add_single_attribute_operation ( mods , & i , " telephoneNumber " , user . telephoneNumber ) ;
add_single_attribute_operation ( mods , & i , " facsimileTelephoneNumber " , user . faxNumber ) ;
add_single_attribute_operation ( mods , & i , " homePhone " , user . homePhone ) ;
add_single_attribute_operation ( mods , & i , " mobile " , user . mobilePhone ) ;
add_single_attribute_operation ( mods , & i , " pager " , user . pagerNumber ) ;
add_single_attribute_operation ( mods , & i , " websiteURL " , user . website ) ;
add_single_attribute_operation ( mods , & i , " postOfficeBox " , user . poBox ) ;
add_single_attribute_operation ( mods , & i , " street " , user . street ) ;
add_single_attribute_operation ( mods , & i , " postalAddress " , user . address ) ;
add_single_attribute_operation ( mods , & i , " st " , user . state ) ;
add_single_attribute_operation ( mods , & i , " postalCode " , user . postcode ) ;
add_single_attribute_operation ( mods , & i , " registeredAddress " , user . registeredAddress ) ;
add_single_attribute_operation ( mods , & i , " homePostalAddress " , user . homeAddress ) ;
add_single_attribute_operation ( mods , & i , " seeAlso " , user . seeAlso ) ;
add_single_attribute_operation ( mods , & i , " physicalDeliveryOfficeName " , user . deliveryOffice ) ;
add_single_attribute_operation ( mods , & i , " departmentNumber " , user . department ) ;
add_single_attribute_operation ( mods , & i , " roomNumber " , user . roomNumber ) ;
add_single_attribute_operation ( mods , & i , " employeeType " , user . employeeType ) ;
add_single_attribute_operation ( mods , & i , " employeeNumber " , user . employeeNumber ) ;
add_single_attribute_operation ( mods , & i , " managerName " , user . manager ) ;
add_single_attribute_operation ( mods , & i , " secretaryName " , user . secretary ) ;
add_single_attribute_operation ( mods , & i , " internationaliSDNNumber " , user . isdnNumber ) ;
add_single_attribute_operation ( mods , & i , " teletexId " , user . teletexID ) ;
add_single_attribute_operation ( mods , & i , " telexNumber " , user . telexNumber ) ;
add_single_attribute_operation ( mods , & i , " preferredDelivery " , user . preferredDelivery ) ;
add_single_attribute_operation ( mods , & i , " destinationIndicator " , user . destinationIndicator ) ;
add_single_attribute_operation ( mods , & i , " x121Address " , user . x121Address ) ;
add_single_attribute_operation ( mods , & i , " displayName " , user . displayName ) ;
add_single_attribute_operation ( mods , & i , " preferredLanguage " , user . preferredLanguage ) ;
add_single_attribute_operation ( mods , & i , " locallyUniqueID " , user . uniqueIdentifier ) ;
add_single_attribute_operation ( mods , & i , " businessCategory " , user . businessCategory ) ;
add_single_attribute_operation ( mods , & i , " carLicense " , user . carLicense ) ;
add_single_attribute_operation ( mods , & i , " notes " , user . notes ) ;
LDAPMod * prevterm = mods [ i ] ;
mods [ i ] = NULL ;
// Perform LDAP update
retcode = ldap_modify_ext_s ( m_ldap , user . distinguishedName . ascii ( ) , mods , NULL , NULL ) ;
// Clean up
mods [ i ] = prevterm ;
for ( i = 0 ; i < number_of_parameters ; i + + ) {
if ( mods [ i ] - > mod_type ! = NULL ) {
free ( mods [ i ] - > mod_type ) ;
}
if ( mods [ i ] - > mod_values ! = NULL ) {
int j = 0 ;
while ( mods [ i ] - > mod_values [ j ] ! = NULL ) {
free ( mods [ i ] - > mod_values [ j ] ) ;
j + + ;
}
free ( mods [ i ] - > mod_values ) ;
}
delete mods [ i ] ;
}
if ( retcode ! = LDAP_SUCCESS ) {
KMessageBox : : error ( 0 , i18n ( " <qt>LDAP modification failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
return - 2 ;
}
else {
return 0 ;
}
}
}
TQString readFullLineFromPtyProcess ( PtyProcess * proc ) {
TQString result = " " ;
while ( ( ! result . contains ( " \r " ) ) & & ( ! result . contains ( " : " ) ) & & ( ! result . contains ( " > " ) ) ) {
result = result + TQString ( proc - > readLine ( false ) ) ;
tqApp - > processEvents ( ) ;
}
result . replace ( " \n " , " " ) ;
result . replace ( " \r " , " " ) ;
return result ;
}
int LDAPManager : : setPasswordForUser ( LDAPUserInfo user , TQString * errstr ) {
if ( user . new_password = = " " ) {
return 0 ;
}
LDAPCredentials admincreds = currentLDAPCredentials ( ) ;
if ( ( admincreds . username = = " " ) & & ( admincreds . password = = " " ) ) {
// Probably GSSAPI
// Get active ticket principal...
KerberosTicketInfoList tickets = LDAPManager : : getKerberosTicketList ( ) ;
TQStringList principalParts = TQStringList : : split ( " @ " , tickets [ 0 ] . cachePrincipal , false ) ;
admincreds . username = principalParts [ 0 ] ;
admincreds . realm = principalParts [ 1 ] ;
}
TQCString command = " kadmin " ;
QCStringList args ;
if ( m_host . startsWith ( " ldapi:// " ) ) {
args < < TQCString ( " -l " ) < < TQCString ( " -r " ) < < TQCString ( admincreds . realm . upper ( ) ) ;
}
else {
if ( admincreds . username = = " " ) {
args < < TQCString ( " -r " ) < < TQCString ( admincreds . realm . upper ( ) ) ;
}
else {
args < < TQCString ( " -p " ) < < TQCString ( admincreds . username . lower ( ) + " @ " + ( admincreds . realm . upper ( ) ) ) < < TQCString ( " -r " ) < < TQCString ( admincreds . realm . upper ( ) ) ;
}
}
TQString prompt ;
PtyProcess kadminProc ;
kadminProc . exec ( command , args ) ;
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
prompt = prompt . stripWhiteSpace ( ) ;
if ( prompt = = " kadmin> " ) {
command = TQCString ( " passwd " + user . name ) ;
kadminProc . writeLine ( command , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n \r " , prompt . ascii ( ) ) ;
} while ( prompt = = TQString ( command ) ) ;
prompt = prompt . stripWhiteSpace ( ) ;
if ( ( prompt . endsWith ( " Password: " ) ) & & ( prompt . startsWith ( TQString ( user . name + " @ " ) ) ) ) {
kadminProc . writeLine ( user . new_password , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n \r " , prompt . ascii ( ) ) ;
} while ( prompt = = " " ) ;
prompt = prompt . stripWhiteSpace ( ) ;
if ( ( prompt . endsWith ( " Password: " ) ) & & ( prompt . startsWith ( " Verify " ) ) ) {
kadminProc . writeLine ( user . new_password , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n \r " , prompt . ascii ( ) ) ;
} while ( prompt = = " " ) ;
prompt = prompt . stripWhiteSpace ( ) ;
}
if ( prompt . endsWith ( " Password: " ) ) {
if ( admincreds . password = = " " ) {
TQCString password ;
int result = KPasswordDialog : : getPassword ( password , prompt ) ;
if ( result = = KPasswordDialog : : Accepted ) {
admincreds . password = password ;
}
}
if ( admincreds . password ! = " " ) {
kadminProc . writeLine ( admincreds . password , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n \r " , prompt . ascii ( ) ) ;
} while ( prompt = = " " ) ;
prompt = prompt . stripWhiteSpace ( ) ;
}
}
if ( prompt ! = " kadmin> " ) {
if ( errstr ) * errstr = prompt ;
kadminProc . writeLine ( " quit " , true ) ;
return 1 ;
}
// Success!
kadminProc . writeLine ( " quit " , true ) ;
return 0 ;
}
else if ( prompt = = " kadmin> " ) {
// Success!
kadminProc . writeLine ( " quit " , true ) ;
return 0 ;
}
// Failure
if ( errstr ) * errstr = prompt ;
kadminProc . writeLine ( " quit " , true ) ;
return 1 ;
}
if ( errstr ) * errstr = " Internal error. Verify that kadmin exists and can be executed. " ;
return 1 ; // Failure
}
TQString klistDateTimeToRFCDateTime ( TQString datetime ) {
// HACK HACK HACK
// FIXME
TQString ret ;
TQString command = TQString ( " date -R -d \" %1 \" " ) . arg ( datetime ) ;
FILE * output = popen ( command . ascii ( ) , " r " ) ;
TQFile f ;
f . open ( IO_ReadOnly , output ) ;
TQTextStream stream ( & f ) ;
ret = stream . readLine ( ) ;
f . close ( ) ;
pclose ( output ) ;
return ret ;
}
# define KLIST_CREDENTIALS_CACHE_STRING "Credentials cache: "
# define KLIST_PRINCIPAL_STRING "Principal: "
# define KLIST_CACHE_VERSION_STRING "Cache version: "
# define KLIST_SERVER_STRING "Server: "
# define KLIST_CLIENT_STRING "Client: "
# define KLIST_ENCTYPE_STRING "Ticket etype: "
# define KLIST_TICKET_LENGTH_STRING "Ticket length: "
# define KLIST_AUTHTIME_STRING "Auth time: "
# define KLIST_STARTTIME_STRING "Start time: "
# define KLIST_STOPTIME_STRING "End time: "
# define KLIST_FLAGS_STRING "Ticket flags: "
# define KLIST_ADDRESSES_STRING "Ticket flags: "
# define KLIST_NO_TICKET_FILE "klist: No ticket file: "
# define KLIST_KVNO_STRING "kvno"
# define KLIST_ADDRESSLESS_STRING "addressless"
# define KLIST_KRB5_TICKET_RESERVED "reserved"
# define KLIST_KRB5_TICKET_FORWARDABLE "forwardable"
# define KLIST_KRB5_TICKET_FORWARDED "forwarded"
# define KLIST_KRB5_TICKET_PROXIABLE "proxiable"
# define KLIST_KRB5_TICKET_PROXY "proxy"
# define KLIST_KRB5_TICKET_MAY_POSTDATE "may-postdate"
# define KLIST_KRB5_TICKET_POSTDATED "postdated"
# define KLIST_KRB5_TICKET_INVALID "invalid"
# define KLIST_KRB5_TICKET_RENEWABLE "renewable"
# define KLIST_KRB5_TICKET_INITIAL "initial"
# define KLIST_KRB5_TICKET_PREAUTHENT "pre-authent"
# define KLIST_KRB5_TICKET_HW_AUTHENT "hw-authent"
# define KLIST_KRB5_TICKET_TRANSIT_CHECKED "transited-policy-checked"
# define KLIST_KRB5_TICKET_OK_AS_DELEGATE "ok-as-delegate"
# define KLIST_KRB5_TICKET_ANONYMOUS "anonymous"
# define KLIST_KRB5_TICKET_ENC_PA_REP "enc-pa-rep"
KerberosTicketInfoList LDAPManager : : getKerberosTicketList ( TQString cache , TQString * cacheFileName ) {
KerberosTicketInfo ticket ;
KerberosTicketInfoList list ;
TQString global_ccache ;
TQString global_principal ;
TQString global_cachevers ;
TQString line ;
FILE * output = popen ( " klist -v 2>&1 " , " r " ) ;
TQFile f ;
f . open ( IO_ReadOnly , output ) ;
TQTextStream stream ( & f ) ;
while ( ! stream . atEnd ( ) ) {
line = stream . readLine ( ) ;
line = line . stripWhiteSpace ( ) ;
if ( line = = " " ) {
if ( ticket . informationValid ) {
ticket . cacheURL = global_ccache ;
ticket . cachePrincipal = global_principal ;
ticket . cacheVersion = global_cachevers . toInt ( ) ;
list . append ( ticket ) ;
}
ticket = KerberosTicketInfo ( ) ;
}
else if ( line . startsWith ( KLIST_NO_TICKET_FILE ) ) {
line . remove ( 0 , strlen ( KLIST_NO_TICKET_FILE ) ) ;
line . prepend ( " FILE: " ) ;
if ( cacheFileName ) * cacheFileName = line ;
}
else if ( line . startsWith ( KLIST_CREDENTIALS_CACHE_STRING ) ) {
line . remove ( 0 , strlen ( KLIST_CREDENTIALS_CACHE_STRING ) ) ;
global_ccache = line ;
if ( cacheFileName ) * cacheFileName = line ;
}
else if ( line . startsWith ( KLIST_PRINCIPAL_STRING ) ) {
line . remove ( 0 , strlen ( KLIST_PRINCIPAL_STRING ) ) ;
global_principal = line ;
}
else if ( line . startsWith ( KLIST_CACHE_VERSION_STRING ) ) {
line . remove ( 0 , strlen ( KLIST_CACHE_VERSION_STRING ) ) ;
global_cachevers = line ;
}
else if ( line . startsWith ( KLIST_SERVER_STRING ) ) {
line . remove ( 0 , strlen ( KLIST_SERVER_STRING ) ) ;
ticket . serverPrincipal = line ;
ticket . informationValid = true ;
}
else if ( line . startsWith ( KLIST_CLIENT_STRING ) ) {
line . remove ( 0 , strlen ( KLIST_CLIENT_STRING ) ) ;
ticket . clientPrincipal = line ;
ticket . informationValid = true ;
}
else if ( line . startsWith ( KLIST_ENCTYPE_STRING ) ) {
line . remove ( 0 , strlen ( KLIST_ENCTYPE_STRING ) ) ;
TQString kvno = line ;
int commaloc = line . find ( " , " ) ;
kvno . remove ( 0 , commaloc + 1 ) ;
kvno . replace ( KLIST_KVNO_STRING , " " ) ;
kvno = kvno . stripWhiteSpace ( ) ;
line . truncate ( commaloc ) ;
ticket . encryptionType = line ;
ticket . keyVersionNumber = kvno . toInt ( ) ;
ticket . informationValid = true ;
}
else if ( line . startsWith ( KLIST_TICKET_LENGTH_STRING ) ) {
line . remove ( 0 , strlen ( KLIST_TICKET_LENGTH_STRING ) ) ;
ticket . ticketSize = line . toInt ( ) ;
ticket . informationValid = true ;
}
else if ( line . startsWith ( KLIST_AUTHTIME_STRING ) ) {
line . remove ( 0 , strlen ( KLIST_AUTHTIME_STRING ) ) ;
line . replace ( " (expired) " , " " ) ;
line = line . simplifyWhiteSpace ( ) ;
line = klistDateTimeToRFCDateTime ( line ) ;
ticket . authenticationTime . setTime_t ( KRFCDate : : parseDate ( line ) ) ;
ticket . informationValid = true ;
}
else if ( line . startsWith ( KLIST_STARTTIME_STRING ) ) {
line . remove ( 0 , strlen ( KLIST_STARTTIME_STRING ) ) ;
line . replace ( " (expired) " , " " ) ;
line = line . simplifyWhiteSpace ( ) ;
line = klistDateTimeToRFCDateTime ( line ) ;
ticket . validStartTime . setTime_t ( KRFCDate : : parseDate ( line ) ) ;
ticket . informationValid = true ;
}
else if ( line . startsWith ( KLIST_STOPTIME_STRING ) ) {
line . remove ( 0 , strlen ( KLIST_STOPTIME_STRING ) ) ;
line . replace ( " (expired) " , " " ) ;
line = line . simplifyWhiteSpace ( ) ;
line = klistDateTimeToRFCDateTime ( line ) ;
ticket . validEndTime . setTime_t ( KRFCDate : : parseDate ( line ) ) ;
ticket . informationValid = true ;
}
else if ( line . startsWith ( KLIST_FLAGS_STRING ) ) {
line . remove ( 0 , strlen ( KLIST_FLAGS_STRING ) ) ;
TQStringList flags = TQStringList : : split ( " , " , line , FALSE ) ;
for ( TQStringList : : Iterator it = flags . begin ( ) ; it ! = flags . end ( ) ; + + it ) {
if ( ( * it ) = = KLIST_KRB5_TICKET_RESERVED ) {
ticket . flags = ticket . flags | KRB5_TICKET_RESERVED ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_FORWARDABLE ) {
ticket . flags = ticket . flags | KRB5_TICKET_FORWARDABLE ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_FORWARDED ) {
ticket . flags = ticket . flags | KRB5_TICKET_FORWARDED ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_PROXIABLE ) {
ticket . flags = ticket . flags | KRB5_TICKET_PROXIABLE ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_PROXY ) {
ticket . flags = ticket . flags | KRB5_TICKET_PROXY ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_MAY_POSTDATE ) {
ticket . flags = ticket . flags | KRB5_TICKET_MAY_POSTDATE ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_POSTDATED ) {
ticket . flags = ticket . flags | KRB5_TICKET_POSTDATED ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_INVALID ) {
ticket . flags = ticket . flags | KRB5_TICKET_INVALID ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_RENEWABLE ) {
ticket . flags = ticket . flags | KRB5_TICKET_RENEWABLE ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_INITIAL ) {
ticket . flags = ticket . flags | KRB5_TICKET_INITIAL ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_PREAUTHENT ) {
ticket . flags = ticket . flags | KRB5_TICKET_PREAUTHENT ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_HW_AUTHENT ) {
ticket . flags = ticket . flags | KRB5_TICKET_HW_AUTHENT ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_TRANSIT_CHECKED ) {
ticket . flags = ticket . flags | KRB5_TICKET_TRANSIT_CHECKED ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_OK_AS_DELEGATE ) {
ticket . flags = ticket . flags | KRB5_TICKET_OK_AS_DELEGATE ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_ANONYMOUS ) {
ticket . flags = ticket . flags | KRB5_TICKET_ANONYMOUS ;
}
else if ( ( * it ) = = KLIST_KRB5_TICKET_ENC_PA_REP ) {
ticket . flags = ticket . flags | KRB5_TICKET_ENC_PA_REP ;
}
}
ticket . informationValid = true ;
}
else if ( line . startsWith ( KLIST_ADDRESSES_STRING ) ) {
line . remove ( 0 , strlen ( KLIST_ADDRESSES_STRING ) ) ;
if ( line ! = KLIST_ADDRESSLESS_STRING ) {
// FIXME
// What is the separator?
ticket . addresses = TQStringList ( line ) ;
}
ticket . informationValid = true ;
}
}
f . close ( ) ;
pclose ( output ) ;
return list ;
}
int LDAPManager : : getKerberosPassword ( LDAPCredentials & creds , TQString prompt , bool requestServicePrincipal , TQWidget * parent )
{
int i ;
KSimpleConfig * systemconfig = new KSimpleConfig ( TQString : : fromLatin1 ( KDE_CONFDIR " /ldap/ldapconfigrc " ) ) ;
systemconfig - > setGroup ( NULL ) ;
TQString defaultRealm = systemconfig - > readEntry ( " DefaultRealm " , TQString : : null ) ;
LDAPRealmConfigList realms = LDAPManager : : readTDERealmList ( systemconfig , false ) ;
delete systemconfig ;
if ( creds . realm ! = " " ) {
defaultRealm = creds . realm ;
}
LDAPPasswordDialog passdlg ( parent , 0 , false ) ;
passdlg . m_base - > ldapAdminRealm - > setEnabled ( true ) ;
LDAPRealmConfigList : : Iterator it ;
i = 0 ;
for ( it = realms . begin ( ) ; it ! = realms . end ( ) ; + + it ) {
passdlg . m_base - > ldapAdminRealm - > insertItem ( ( * it ) . name ) ;
if ( ( * it ) . name = = defaultRealm ) {
passdlg . m_base - > ldapAdminRealm - > setCurrentItem ( i ) ;
}
i + + ;
}
passdlg . m_base - > passprompt - > setText ( prompt ) ;
passdlg . m_base - > ldapUseTLS - > hide ( ) ;
if ( requestServicePrincipal ) {
passdlg . m_base - > kerberosOtherInfoString - > show ( ) ;
passdlg . m_base - > kerberosServicePrincipal - > show ( ) ;
}
if ( creds . username ! = " " ) {
passdlg . m_base - > ldapAdminUsername - > setText ( creds . username ) ;
passdlg . m_base - > ldapAdminPassword - > setFocus ( ) ;
}
const int ret = passdlg . exec ( ) ;
if ( ret = = KDialog : : Accepted ) {
creds . username = passdlg . m_base - > ldapAdminUsername - > text ( ) ;
creds . password = passdlg . m_base - > ldapAdminPassword - > password ( ) ;
creds . realm = passdlg . m_base - > ldapAdminRealm - > currentText ( ) ;
creds . service = passdlg . m_base - > kerberosServicePrincipal - > text ( ) ;
creds . use_tls = passdlg . m_base - > ldapUseTLS - > isOn ( ) ;
}
return ret ;
}
int LDAPManager : : obtainKerberosTicket ( LDAPCredentials creds , TQString principal , TQString * errstr ) {
TQCString command = " kinit " ;
QCStringList args ;
if ( principal = = " " ) {
args < < TQCString ( creds . username + " @ " + creds . realm . upper ( ) ) ;
}
else {
args < < TQCString ( " -S " ) < < TQCString ( principal ) < < TQCString ( creds . username + " @ " + creds . realm . upper ( ) ) ;
}
TQString prompt ;
PtyProcess kadminProc ;
kadminProc . exec ( command , args ) ;
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
prompt = prompt . stripWhiteSpace ( ) ;
if ( prompt . endsWith ( " Password: " ) ) {
kadminProc . writeLine ( creds . password , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n \r " , prompt . ascii ( ) ) ;
} while ( prompt = = " " ) ;
prompt = prompt . stripWhiteSpace ( ) ;
}
if ( prompt ! = " " ) {
if ( errstr ) * errstr = prompt ;
return 1 ;
}
// Success!
return 0 ;
}
int LDAPManager : : obtainKerberosServiceTicket ( TQString principal , TQString * errstr ) {
TQString ret ;
TQString command = TQString ( " kgetcred \" %1 \" " ) . arg ( principal ) ;
FILE * output = popen ( command . ascii ( ) , " r " ) ;
TQFile f ;
f . open ( IO_ReadOnly , output ) ;
TQTextStream stream ( & f ) ;
ret = stream . readLine ( ) ;
f . close ( ) ;
pclose ( output ) ;
if ( ret ! = " " ) {
if ( errstr ) * errstr = ret ;
return - 1 ;
}
return 0 ;
}
int LDAPManager : : destroyKerberosTicket ( TQString principal , TQString * errstr ) {
TQString ret ;
TQString command = TQString ( " kdestroy --credential= \" %1 \" " ) . arg ( principal ) ;
FILE * output = popen ( command . ascii ( ) , " r " ) ;
TQFile f ;
f . open ( IO_ReadOnly , output ) ;
TQTextStream stream ( & f ) ;
ret = stream . readLine ( ) ;
f . close ( ) ;
pclose ( output ) ;
if ( ret ! = " " ) {
if ( errstr ) * errstr = ret ;
return - 1 ;
}
return 0 ;
}
int LDAPManager : : updateGroupInfo ( LDAPGroupInfo group ) {
int retcode ;
int i ;
LDAPGroupInfo groupinfo ;
if ( bind ( ) < 0 ) {
return - 1 ;
}
else {
// Assemble the LDAPMod structure
// We will replace any existing attributes with the new values
int number_of_parameters = 3 ; // 3 primary attributes
LDAPMod * mods [ number_of_parameters + 1 ] ;
for ( i = 0 ; i < number_of_parameters ; i + + ) {
mods [ i ] = new LDAPMod ;
mods [ i ] - > mod_type = NULL ;
mods [ i ] - > mod_values = NULL ;
}
mods [ number_of_parameters ] = NULL ;
// Load LDAP modification requests from provided data structure
i = 0 ;
add_single_attribute_operation ( mods , & i , " gidNumber " , TQString ( " %1 " ) . arg ( group . gid ) ) ;
TQStringList completeGroupList = group . userlist ;
TQString placeholderGroup = " cn=placeholder, " + m_basedc ;
if ( ! completeGroupList . contains ( placeholderGroup ) ) {
completeGroupList . prepend ( placeholderGroup ) ;
}
add_multiple_attributes_operation ( mods , & i , " member " , completeGroupList ) ;
// Also populate memberUid attribute from the above list (minus the cn=,dc=... stuff, i.e. just the username)
TQStringList posixGroupList ;
for ( TQStringList : : Iterator it = group . userlist . begin ( ) ; it ! = group . userlist . end ( ) ; + + it ) {
TQString plainUserName = * it ;
int eqpos = plainUserName . find ( " = " ) + 1 ;
int cmpos = plainUserName . find ( " , " , eqpos ) ;
plainUserName . truncate ( cmpos ) ;
plainUserName . remove ( 0 , eqpos ) ;
posixGroupList . append ( plainUserName ) ;
}
add_multiple_attributes_operation ( mods , & i , " memberUid " , posixGroupList ) ;
LDAPMod * prevterm = mods [ i ] ;
mods [ i ] = NULL ;
// Perform LDAP update
retcode = ldap_modify_ext_s ( m_ldap , group . distinguishedName . ascii ( ) , mods , NULL , NULL ) ;
// Clean up
mods [ i ] = prevterm ;
for ( i = 0 ; i < number_of_parameters ; i + + ) {
if ( mods [ i ] - > mod_type ! = NULL ) {
free ( mods [ i ] - > mod_type ) ;
}
if ( mods [ i ] - > mod_values ! = NULL ) {
int j = 0 ;
while ( mods [ i ] - > mod_values [ j ] ! = NULL ) {
free ( mods [ i ] - > mod_values [ j ] ) ;
j + + ;
}
free ( mods [ i ] - > mod_values ) ;
}
delete mods [ i ] ;
}
if ( retcode ! = LDAP_SUCCESS ) {
KMessageBox : : error ( 0 , i18n ( " <qt>LDAP modification failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
return - 2 ;
}
else {
return 0 ;
}
}
}
int LDAPManager : : addUserInfo ( LDAPUserInfo user ) {
int retcode ;
int i ;
LDAPUserInfo userinfo ;
if ( bind ( ) < 0 ) {
return - 1 ;
}
else {
// Create the base DN entry
int number_of_parameters = 14 ; // 14 primary attributes
LDAPMod * mods [ number_of_parameters + 1 ] ;
for ( i = 0 ; i < number_of_parameters ; i + + ) {
mods [ i ] = new LDAPMod ;
mods [ i ] - > mod_type = NULL ;
mods [ i ] - > mod_values = NULL ;
}
mods [ number_of_parameters ] = NULL ;
// Load initial required LDAP object attributes
i = 0 ;
create_single_attribute_operation ( mods , & i , " uidNumber " , TQString ( " %1 " ) . arg ( user . uid ) ) ;
create_single_attribute_operation ( mods , & i , " gidNumber " , TQString ( " %1 " ) . arg ( user . primary_gid ) ) ;
create_multiple_attributes_operation ( mods , & i , " objectClass " , TQStringList : : split ( " " , " inetOrgPerson krb5Realm krb5Principal krb5KDCEntry emsUser posixAccount " ) ) ;
create_single_attribute_operation ( mods , & i , " uid " , user . name ) ;
create_single_attribute_operation ( mods , & i , " cn " , user . commonName ) ;
create_single_attribute_operation ( mods , & i , " sn " , user . surName ) ;
create_single_attribute_operation ( mods , & i , " homeDirectory " , user . homedir ) ;
create_single_attribute_operation ( mods , & i , " userPassword " , " {SASL} " + user . name + " @ " + m_realm . upper ( ) ) ;
// Kerberos
create_single_attribute_operation ( mods , & i , " krb5KeyVersionNumber " , " 1 " ) ;
create_single_attribute_operation ( mods , & i , " krb5PrincipalName " , TQString ( user . name . lower ( ) ) + " @ " + m_realm . upper ( ) ) ;
create_single_attribute_operation ( mods , & i , " krb5RealmName " , m_realm . upper ( ) ) ;
// Zivios specific
create_single_attribute_operation ( mods , & i , " emsdescription " , " None " ) ;
create_single_attribute_operation ( mods , & i , " emsprimarygroupdn " , " None " ) ;
create_single_attribute_operation ( mods , & i , " emstype " , " UserEntry " ) ;
LDAPMod * prevterm = mods [ i ] ;
mods [ i ] = NULL ;
// Add new object
retcode = ldap_add_ext_s ( m_ldap , user . distinguishedName . ascii ( ) , mods , NULL , NULL ) ;
// Clean up
mods [ i ] = prevterm ;
for ( i = 0 ; i < number_of_parameters ; i + + ) {
if ( mods [ i ] - > mod_type ! = NULL ) {
free ( mods [ i ] - > mod_type ) ;
}
if ( mods [ i ] - > mod_values ! = NULL ) {
int j = 0 ;
while ( mods [ i ] - > mod_values [ j ] ! = NULL ) {
free ( mods [ i ] - > mod_values [ j ] ) ;
j + + ;
}
free ( mods [ i ] - > mod_values ) ;
}
delete mods [ i ] ;
}
if ( retcode ! = LDAP_SUCCESS ) {
KMessageBox : : error ( 0 , i18n ( " <qt>LDAP addition failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
return - 2 ;
}
else {
return updateUserInfo ( user ) ;
}
}
}
int LDAPManager : : addGroupInfo ( LDAPGroupInfo group ) {
int retcode ;
int i ;
LDAPGroupInfo groupinfo ;
if ( bind ( ) < 0 ) {
return - 1 ;
}
else {
// Create the base DN entry
int number_of_parameters = 6 ; // 6 primary attributes
LDAPMod * mods [ number_of_parameters + 1 ] ;
for ( i = 0 ; i < number_of_parameters ; i + + ) {
mods [ i ] = new LDAPMod ;
mods [ i ] - > mod_type = NULL ;
mods [ i ] - > mod_values = NULL ;
}
mods [ number_of_parameters ] = NULL ;
TQString placeholderGroup = " cn=placeholder, " + m_basedc ;
// Load initial required LDAP object attributes
i = 0 ;
create_single_attribute_operation ( mods , & i , " gidNumber " , TQString ( " %1 " ) . arg ( group . gid ) ) ;
create_multiple_attributes_operation ( mods , & i , " objectClass " , TQStringList : : split ( " " , " emsGroup groupOfNames posixGroup " ) ) ;
create_single_attribute_operation ( mods , & i , " cn " , group . name ) ;
create_multiple_attributes_operation ( mods , & i , " member " , TQStringList ( placeholderGroup ) ) ;
// Zivios specific
create_single_attribute_operation ( mods , & i , " emsdescription " , " None " ) ;
create_single_attribute_operation ( mods , & i , " emstype " , " GroupEntry " ) ;
LDAPMod * prevterm = mods [ i ] ;
mods [ i ] = NULL ;
// Add new object
retcode = ldap_add_ext_s ( m_ldap , group . distinguishedName . ascii ( ) , mods , NULL , NULL ) ;
// Clean up
mods [ i ] = prevterm ;
for ( i = 0 ; i < number_of_parameters ; i + + ) {
if ( mods [ i ] - > mod_type ! = NULL ) {
free ( mods [ i ] - > mod_type ) ;
}
if ( mods [ i ] - > mod_values ! = NULL ) {
int j = 0 ;
while ( mods [ i ] - > mod_values [ j ] ! = NULL ) {
free ( mods [ i ] - > mod_values [ j ] ) ;
j + + ;
}
free ( mods [ i ] - > mod_values ) ;
}
delete mods [ i ] ;
}
if ( retcode ! = LDAP_SUCCESS ) {
KMessageBox : : error ( 0 , i18n ( " <qt>LDAP addition failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
return - 2 ;
}
else {
return updateGroupInfo ( group ) ;
}
}
}
int LDAPManager : : addServiceInfo ( LDAPServiceInfo service , TQString * errstr ) {
int retcode ;
int i ;
LDAPGroupInfo serviceinfo ;
if ( bind ( ) < 0 ) {
return - 1 ;
}
else {
// Use Kerberos kadmin to actually add the service
LDAPCredentials admincreds = currentLDAPCredentials ( ) ;
if ( ( admincreds . username = = " " ) & & ( admincreds . password = = " " ) ) {
// Probably GSSAPI
// Get active ticket principal...
KerberosTicketInfoList tickets = LDAPManager : : getKerberosTicketList ( ) ;
TQStringList principalParts = TQStringList : : split ( " @ " , tickets [ 0 ] . cachePrincipal , false ) ;
admincreds . username = principalParts [ 0 ] ;
admincreds . realm = principalParts [ 1 ] ;
}
TQCString command = " kadmin " ;
QCStringList args ;
if ( m_host . startsWith ( " ldapi:// " ) ) {
args < < TQCString ( " -l " ) < < TQCString ( " -r " ) < < TQCString ( admincreds . realm . upper ( ) ) ;
}
else {
if ( admincreds . username = = " " ) {
args < < TQCString ( " -r " ) < < TQCString ( admincreds . realm . upper ( ) ) ;
}
else {
args < < TQCString ( " -p " ) < < TQCString ( admincreds . username . lower ( ) + " @ " + ( admincreds . realm . upper ( ) ) ) < < TQCString ( " -r " ) < < TQCString ( admincreds . realm . upper ( ) ) ;
}
}
TQString hoststring = service . name + " / " + service . machine ;
TQString prompt ;
PtyProcess kadminProc ;
kadminProc . exec ( command , args ) ;
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
prompt = prompt . stripWhiteSpace ( ) ;
if ( prompt = = " kadmin> " ) {
command = TQCString ( " ank --random-key " + hoststring ) ;
kadminProc . writeLine ( command , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n \r " , prompt . ascii ( ) ) ;
} while ( prompt = = TQString ( command ) ) ;
prompt = prompt . stripWhiteSpace ( ) ;
// Use all defaults
while ( prompt ! = " kadmin> " ) {
if ( prompt . endsWith ( " Password: " ) ) {
if ( admincreds . password = = " " ) {
TQCString password ;
int result = KPasswordDialog : : getPassword ( password , prompt ) ;
if ( result = = KPasswordDialog : : Accepted ) {
admincreds . password = password ;
}
}
if ( admincreds . password ! = " " ) {
kadminProc . writeLine ( admincreds . password , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n \r " , prompt . ascii ( ) ) ;
} while ( prompt = = " " ) ;
prompt = prompt . stripWhiteSpace ( ) ;
}
}
if ( prompt . contains ( " authentication failed " ) ) {
if ( errstr ) * errstr = prompt ;
kadminProc . writeLine ( " quit " , true ) ;
return 1 ;
}
else {
// Extract whatever default is in the [brackets] and feed it back to kadmin
TQString defaultParam ;
int leftbracket = prompt . find ( " [ " ) ;
int rightbracket = prompt . find ( " ] " ) ;
if ( ( leftbracket > = 0 ) & & ( rightbracket > = 0 ) ) {
leftbracket + + ;
defaultParam = prompt . mid ( leftbracket , rightbracket - leftbracket ) ;
}
command = TQCString ( defaultParam ) ;
kadminProc . writeLine ( command , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n \r " , prompt . ascii ( ) ) ;
} while ( prompt = = TQString ( command ) ) ;
prompt = prompt . stripWhiteSpace ( ) ;
}
}
if ( prompt ! = " kadmin> " ) {
if ( errstr ) * errstr = prompt ;
kadminProc . writeLine ( " quit " , true ) ;
return 1 ;
}
// Success!
kadminProc . writeLine ( " quit " , true ) ;
unbind ( true ) ; // Using kadmin can disrupt our LDAP connection
// Move Kerberos entries
return moveKerberosEntries ( " o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm, " + m_basedc , errstr ) ;
}
if ( errstr ) * errstr = " Internal error. Verify that kadmin exists and can be executed. " ;
return 1 ; // Failure
}
}
int LDAPManager : : deleteUserInfo ( LDAPUserInfo user ) {
int retcode ;
LDAPUserInfo userinfo ;
if ( bind ( ) < 0 ) {
return - 1 ;
}
else {
// Delete the base DN entry
retcode = ldap_delete_ext_s ( m_ldap , user . distinguishedName . ascii ( ) , NULL , NULL ) ;
if ( retcode ! = LDAP_SUCCESS ) {
KMessageBox : : error ( 0 , i18n ( " <qt>LDAP deletion failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
return - 2 ;
}
else {
return 0 ;
}
}
}
int LDAPManager : : deleteGroupInfo ( LDAPGroupInfo group ) {
int retcode ;
LDAPGroupInfo groupinfo ;
if ( bind ( ) < 0 ) {
return - 1 ;
}
else {
// Delete the base DN entry
retcode = ldap_delete_ext_s ( m_ldap , group . distinguishedName . ascii ( ) , NULL , NULL ) ;
if ( retcode ! = LDAP_SUCCESS ) {
KMessageBox : : error ( 0 , i18n ( " <qt>LDAP deletion failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
return - 2 ;
}
else {
return 0 ;
}
}
}
int LDAPManager : : deleteMachineInfo ( LDAPMachineInfo machine ) {
int retcode ;
LDAPMachineInfo machineinfo ;
if ( bind ( ) < 0 ) {
return - 1 ;
}
else {
// Delete the base DN entry
retcode = ldap_delete_ext_s ( m_ldap , machine . distinguishedName . ascii ( ) , NULL , NULL ) ;
if ( retcode ! = LDAP_SUCCESS ) {
KMessageBox : : error ( 0 , i18n ( " <qt>LDAP deletion failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
return - 2 ;
}
else {
return 0 ;
}
}
}
int LDAPManager : : deleteServiceInfo ( LDAPServiceInfo service ) {
int retcode ;
LDAPServiceInfo serviceinfo ;
if ( bind ( ) < 0 ) {
return - 1 ;
}
else {
// Delete the base DN entry
retcode = ldap_delete_ext_s ( m_ldap , service . distinguishedName . ascii ( ) , NULL , NULL ) ;
if ( retcode ! = LDAP_SUCCESS ) {
KMessageBox : : error ( 0 , i18n ( " <qt>LDAP deletion failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
return - 2 ;
}
else {
return 0 ;
}
}
}
LDAPGroupInfo LDAPManager : : parseLDAPGroupRecord ( LDAPMessage * entry ) {
char * dn = NULL ;
char * attr ;
struct berval * * vals ;
BerElement * ber ;
int i ;
LDAPGroupInfo groupinfo ;
if ( ( dn = ldap_get_dn ( m_ldap , entry ) ) ! = NULL ) {
groupinfo . distinguishedName = dn ;
TQStringList dnParts = TQStringList : : split ( " , " , dn ) ;
TQString id = dnParts [ 0 ] ;
if ( id . startsWith ( " cn= " ) ) {
id = id . remove ( 0 , 3 ) ;
groupinfo . name = id ;
}
ldap_memfree ( dn ) ;
}
for ( attr = ldap_first_attribute ( m_ldap , entry , & ber ) ; attr ! = NULL ; attr = ldap_next_attribute ( m_ldap , entry , ber ) ) {
if ( ( vals = ldap_get_values_len ( m_ldap , entry , attr ) ) ! = NULL ) {
groupinfo . informationValid = true ;
TQString ldap_field = attr ;
i = 0 ;
if ( ldap_field = = " creatorsName " ) {
groupinfo . creatorsName = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " member " ) {
TQStringList members ;
for ( i = 0 ; vals [ i ] ! = NULL ; i + + ) {
TQString userdn = vals [ i ] - > bv_val ;
if ( userdn . startsWith ( " cn=placeholder,dc= " ) ) {
continue ;
}
members . append ( userdn ) ;
}
groupinfo . userlist = members ;
}
else if ( ldap_field = = " gidNumber " ) {
groupinfo . gid = atoi ( vals [ i ] - > bv_val ) ;
}
else if ( ldap_field = = " tdeBuiltinAccount " ) {
groupinfo . tde_builtin_account = ( TQString ( vals [ i ] - > bv_val ) . upper ( ) = = " TRUE " ) ? true : false ;
}
ldap_value_free_len ( vals ) ;
}
ldap_memfree ( attr ) ;
}
if ( ber ! = NULL ) {
ber_free ( ber , 0 ) ;
}
return groupinfo ;
}
LDAPMachineInfo LDAPManager : : parseLDAPMachineRecord ( LDAPMessage * entry ) {
char * dn = NULL ;
char * attr ;
struct berval * * vals ;
BerElement * ber ;
int i ;
LDAPMachineInfo machineinfo ;
if ( ( dn = ldap_get_dn ( m_ldap , entry ) ) ! = NULL ) {
machineinfo . distinguishedName = dn ;
TQStringList dnParts = TQStringList : : split ( " , " , dn ) ;
TQString id = dnParts [ 0 ] ;
if ( id . startsWith ( " krb5PrincipalName=host/ " ) ) {
id = id . remove ( 0 , 23 ) ;
id . replace ( " @ " + m_realm , " " ) ;
machineinfo . name = id ;
}
ldap_memfree ( dn ) ;
}
for ( attr = ldap_first_attribute ( m_ldap , entry , & ber ) ; attr ! = NULL ; attr = ldap_next_attribute ( m_ldap , entry , ber ) ) {
if ( ( vals = ldap_get_values_len ( m_ldap , entry , attr ) ) ! = NULL ) {
machineinfo . informationValid = true ;
TQString ldap_field = attr ;
i = 0 ;
if ( ldap_field = = " creatorsName " ) {
machineinfo . creatorsName = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " tdeBuiltinAccount " ) {
machineinfo . tde_builtin_account = ( TQString ( vals [ i ] - > bv_val ) . upper ( ) = = " TRUE " ) ? true : false ;
}
else if ( ldap_field = = " krb5KDCFlags " ) {
machineinfo . status = ( LDAPKRB5Flags ) ( atoi ( vals [ i ] - > bv_val ) ) ;
}
ldap_value_free_len ( vals ) ;
}
ldap_memfree ( attr ) ;
}
if ( ber ! = NULL ) {
ber_free ( ber , 0 ) ;
}
return machineinfo ;
}
LDAPServiceInfo LDAPManager : : parseLDAPMachineServiceRecord ( LDAPMessage * entry ) {
char * dn = NULL ;
char * attr ;
struct berval * * vals ;
BerElement * ber ;
int i ;
LDAPServiceInfo machineserviceinfo ;
if ( ( dn = ldap_get_dn ( m_ldap , entry ) ) ! = NULL ) {
machineserviceinfo . distinguishedName = dn ;
TQStringList dnParts = TQStringList : : split ( " , " , dn ) ;
TQString id = dnParts [ 0 ] ;
dnParts = TQStringList : : split ( " / " , id ) ;
id = dnParts [ 0 ] ;
dnParts = TQStringList : : split ( " = " , id ) ;
machineserviceinfo . name = dnParts [ 1 ] ;
ldap_memfree ( dn ) ;
}
for ( attr = ldap_first_attribute ( m_ldap , entry , & ber ) ; attr ! = NULL ; attr = ldap_next_attribute ( m_ldap , entry , ber ) ) {
if ( ( vals = ldap_get_values_len ( m_ldap , entry , attr ) ) ! = NULL ) {
machineserviceinfo . informationValid = true ;
TQString ldap_field = attr ;
i = 0 ;
if ( ldap_field = = " creatorsName " ) {
machineserviceinfo . creatorsName = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " tdeBuiltinAccount " ) {
machineserviceinfo . tde_builtin_account = ( TQString ( vals [ i ] - > bv_val ) . upper ( ) = = " TRUE " ) ? true : false ;
}
else if ( ldap_field = = " krb5KDCFlags " ) {
machineserviceinfo . status = ( LDAPKRB5Flags ) ( atoi ( vals [ i ] - > bv_val ) ) ;
}
ldap_value_free_len ( vals ) ;
}
ldap_memfree ( attr ) ;
}
if ( ber ! = NULL ) {
ber_free ( ber , 0 ) ;
}
return machineserviceinfo ;
}
LDAPGroupInfoList LDAPManager : : groups ( int * mretcode ) {
int retcode ;
LDAPGroupInfoList groups ;
if ( bind ( ) < 0 ) {
if ( mretcode ) * mretcode = - 1 ;
return LDAPGroupInfoList ( ) ;
}
else {
LDAPMessage * msg ;
TQString ldap_base_dn = m_basedc ;
TQString ldap_filter = " (objectClass=posixGroup) " ;
retcode = ldap_search_ext_s ( m_ldap , ldap_base_dn . ascii ( ) , LDAP_SCOPE_SUBTREE , ldap_filter . ascii ( ) , ldap_user_and_operational_attributes , 0 , NULL , NULL , NULL , 0 , & msg ) ;
if ( retcode ! = LDAP_SUCCESS ) {
KMessageBox : : error ( 0 , i18n ( " <qt>LDAP search failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
if ( mretcode ) * mretcode = - 1 ;
return LDAPGroupInfoList ( ) ;
}
// Iterate through the returned entries
LDAPMessage * entry ;
for ( entry = ldap_first_entry ( m_ldap , msg ) ; entry ! = NULL ; entry = ldap_next_entry ( m_ldap , entry ) ) {
groups . append ( parseLDAPGroupRecord ( entry ) ) ;
}
// clean up
ldap_msgfree ( msg ) ;
if ( mretcode ) * mretcode = 0 ;
return groups ;
}
return LDAPGroupInfoList ( ) ;
}
LDAPMachineInfoList LDAPManager : : machines ( int * mretcode ) {
int retcode ;
LDAPMachineInfoList machines ;
if ( bind ( ) < 0 ) {
if ( mretcode ) * mretcode = - 1 ;
return LDAPMachineInfoList ( ) ;
}
else {
LDAPMessage * msg ;
TQString ldap_base_dn = m_basedc ;
TQString ldap_filter = " (&(objectClass=krb5Principal)(uid=host/*)) " ;
retcode = ldap_search_ext_s ( m_ldap , ldap_base_dn . ascii ( ) , LDAP_SCOPE_SUBTREE , ldap_filter . ascii ( ) , ldap_user_and_operational_attributes , 0 , NULL , NULL , NULL , 0 , & msg ) ;
if ( retcode ! = LDAP_SUCCESS ) {
KMessageBox : : error ( 0 , i18n ( " <qt>LDAP search failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
if ( mretcode ) * mretcode = - 1 ;
return LDAPMachineInfoList ( ) ;
}
// Iterate through the returned entries
LDAPMessage * entry ;
for ( entry = ldap_first_entry ( m_ldap , msg ) ; entry ! = NULL ; entry = ldap_next_entry ( m_ldap , entry ) ) {
machines . append ( parseLDAPMachineRecord ( entry ) ) ;
}
// clean up
ldap_msgfree ( msg ) ;
if ( mretcode ) * mretcode = 0 ;
return machines ;
}
return LDAPMachineInfoList ( ) ;
}
LDAPServiceInfoList LDAPManager : : services ( int * mretcode ) {
int retcode ;
LDAPServiceInfoList services ;
if ( bind ( ) < 0 ) {
if ( mretcode ) * mretcode = - 1 ;
return LDAPServiceInfoList ( ) ;
}
else {
int machineSearchRet ;
LDAPMachineInfoList machineList = machines ( & machineSearchRet ) ;
if ( machineSearchRet ! = 0 ) {
if ( mretcode ) * mretcode = - 1 ;
return LDAPServiceInfoList ( ) ;
}
LDAPMachineInfoList : : Iterator it ;
for ( it = machineList . begin ( ) ; it ! = machineList . end ( ) ; + + it ) {
LDAPMachineInfo machine = * it ;
LDAPServiceInfoList thisMachineServiceList = machineServices ( machine . distinguishedName ) ;
LDAPServiceInfoList : : Iterator it2 ;
for ( it2 = thisMachineServiceList . begin ( ) ; it2 ! = thisMachineServiceList . end ( ) ; + + it2 ) {
services . append ( * it2 ) ;
}
}
if ( mretcode ) * mretcode = 0 ;
return services ;
}
return LDAPServiceInfoList ( ) ;
}
LDAPServiceInfoList LDAPManager : : machineServices ( TQString machine_dn , int * mretcode ) {
int retcode ;
LDAPServiceInfoList services ;
if ( bind ( ) < 0 ) {
if ( mretcode ) * mretcode = - 1 ;
return LDAPServiceInfoList ( ) ;
}
else {
LDAPMessage * msg ;
TQString ldap_base_dn = m_basedc ;
TQStringList machinednParts = TQStringList : : split ( " , " , machine_dn ) ;
TQString machine_name = machinednParts [ 0 ] ;
if ( machine_name . startsWith ( " krb5PrincipalName=host/ " ) ) {
machine_name = machine_name . remove ( 0 , 23 ) ;
machine_name . replace ( " @ " + m_realm , " " ) ;
}
TQString ldap_filter = TQString ( " (&(objectClass=krb5Principal)(uid=*/%1)) " ) . arg ( machine_name ) ;
retcode = ldap_search_ext_s ( m_ldap , ldap_base_dn . ascii ( ) , LDAP_SCOPE_SUBTREE , ldap_filter . ascii ( ) , ldap_user_and_operational_attributes , 0 , NULL , NULL , NULL , 0 , & msg ) ;
if ( retcode ! = LDAP_SUCCESS ) {
KMessageBox : : error ( 0 , i18n ( " <qt>LDAP search failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
if ( mretcode ) * mretcode = - 1 ;
return LDAPServiceInfoList ( ) ;
}
// Iterate through the returned entries
LDAPMessage * entry ;
for ( entry = ldap_first_entry ( m_ldap , msg ) ; entry ! = NULL ; entry = ldap_next_entry ( m_ldap , entry ) ) {
LDAPServiceInfo sinfo = parseLDAPMachineServiceRecord ( entry ) ;
sinfo . machine_dn = machine_dn ;
sinfo . machine = machine_name ;
if ( sinfo . name ! = " host " ) {
services . append ( sinfo ) ;
}
}
// clean up
ldap_msgfree ( msg ) ;
if ( mretcode ) * mretcode = 0 ;
return services ;
}
return LDAPServiceInfoList ( ) ;
}
int LDAPManager : : writeCertificateFileIntoDirectory ( TQByteArray cert , TQString attr , TQString * errstr ) {
int retcode ;
int i ;
if ( bind ( ) < 0 ) {
return - 1 ;
}
else {
// Assemble the LDAPMod structure
// We will replace any existing attributes with the new values
int number_of_parameters = 1 ; // 1 primary attribute
LDAPMod * mods [ number_of_parameters + 1 ] ;
for ( i = 0 ; i < number_of_parameters ; i + + ) {
mods [ i ] = new LDAPMod ;
mods [ i ] - > mod_type = NULL ;
mods [ i ] - > mod_values = NULL ;
}
mods [ number_of_parameters ] = NULL ;
// Load LDAP modification requests from provided data structure
i = 0 ;
add_single_binary_attribute_operation ( mods , & i , attr , cert ) ;
LDAPMod * prevterm = mods [ i ] ;
mods [ i ] = NULL ;
// Perform LDAP update
retcode = ldap_modify_ext_s ( m_ldap , TQString ( " cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1 " ) . arg ( m_basedc ) . ascii ( ) , mods , NULL , NULL ) ;
// Clean up
mods [ i ] = prevterm ;
for ( i = 0 ; i < number_of_parameters ; i + + ) {
if ( mods [ i ] - > mod_type ! = NULL ) {
free ( mods [ i ] - > mod_type ) ;
}
if ( mods [ i ] - > mod_values ! = NULL ) {
int j = 0 ;
while ( mods [ i ] - > mod_values [ j ] ! = NULL ) {
delete mods [ i ] - > mod_values [ j ] ;
j + + ;
}
free ( mods [ i ] - > mod_values ) ;
}
delete mods [ i ] ;
}
if ( retcode ! = LDAP_SUCCESS ) {
if ( errstr ) * errstr = i18n ( " <qt>LDAP certificate upload failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) ;
else KMessageBox : : error ( 0 , i18n ( " <qt>LDAP certificate upload failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
return - 2 ;
}
else {
return 0 ;
}
}
}
// Special method, used when creating a new Kerberos realm
int LDAPManager : : moveKerberosEntries ( TQString newSuffix , TQString * errstr ) {
int retcode ;
if ( bind ( errstr ) < 0 ) {
return - 1 ;
}
else {
LDAPMessage * msg ;
TQString ldap_base_dn = m_basedc ;
TQString ldap_filter = " (&(objectClass=krb5Principal)(!(objectClass=posixAccount))) " ;
retcode = ldap_search_ext_s ( m_ldap , ldap_base_dn . ascii ( ) , LDAP_SCOPE_SUBTREE , ldap_filter . ascii ( ) , ldap_user_and_operational_attributes , 0 , NULL , NULL , NULL , 0 , & msg ) ;
if ( retcode ! = LDAP_SUCCESS ) {
KMessageBox : : error ( 0 , i18n ( " <qt>LDAP search failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
return - 1 ;
}
// Iterate through the returned entries
LDAPMessage * entry ;
for ( entry = ldap_first_entry ( m_ldap , msg ) ; entry ! = NULL ; entry = ldap_next_entry ( m_ldap , entry ) ) {
char * dn = NULL ;
LDAPMachineInfo machineinfo ;
if ( ( dn = ldap_get_dn ( m_ldap , entry ) ) ! = NULL ) {
TQStringList dnParts = TQStringList : : split ( " , " , dn ) ;
TQString id = dnParts [ 0 ] ;
retcode = ldap_rename_s ( m_ldap , dn , id , newSuffix , 0 , NULL , NULL ) ;
if ( retcode ! = LDAP_SUCCESS ) {
if ( errstr ) * errstr = i18n ( " LDAP rename failure<p>Reason: [%3] %4 " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) ;
return - 1 ;
}
}
}
// clean up
ldap_msgfree ( msg ) ;
return 0 ;
}
return - 1 ;
}
void LDAPManager : : writeLDAPConfFile ( LDAPRealmConfig realmcfg ) {
KSimpleConfig * systemconfig ;
TQString m_defaultRealm ;
int m_ticketLifetime ;
int m_ldapVersion ;
int m_ldapTimeout ;
TQString m_bindPolicy ;
int m_ldapBindTimeout ;
TQString m_passwordHash ;
TQString m_ignoredUsers ;
systemconfig = new KSimpleConfig ( TQString : : fromLatin1 ( KDE_CONFDIR " /ldap/ldapconfigrc " ) ) ;
systemconfig - > setGroup ( NULL ) ;
m_defaultRealm = systemconfig - > readEntry ( " DefaultRealm " , TQString : : null ) ;
m_ticketLifetime = systemconfig - > readNumEntry ( " TicketLifetime " , 86400 ) ;
m_ldapVersion = systemconfig - > readNumEntry ( " ConnectionLDAPVersion " , 3 ) ;
m_ldapTimeout = systemconfig - > readNumEntry ( " ConnectionLDAPTimeout " , 2 ) ;
m_bindPolicy = systemconfig - > readEntry ( " ConnectionBindPolicy " , " soft " ) ;
m_ldapBindTimeout = systemconfig - > readNumEntry ( " ConnectionBindTimeout " , 2 ) ;
m_passwordHash = systemconfig - > readEntry ( " ConnectionPasswordHash " , " exop " ) ;
m_ignoredUsers = systemconfig - > readEntry ( " ConnectionIgnoredUsers " , DEFAULT_IGNORED_USERS_LIST ) ;
TQFile file ( LDAP_FILE ) ;
if ( file . open ( IO_WriteOnly ) ) {
TQTextStream stream ( & file ) ;
stream < < " # This file was automatically generated by TDE \n " ;
stream < < " # All changes will be lost! \n " ;
stream < < " \n " ;
if ( realmcfg . bonded ) {
stream < < " host " < < realmcfg . admin_server < < " \n " ;
TQStringList domainChunks = TQStringList : : split ( " . " , realmcfg . name . lower ( ) ) ;
stream < < " base dc= " < < domainChunks . join ( " ,dc= " ) < < " \n " ;
stream < < " ldap_version " < < m_ldapVersion < < " \n " ;
stream < < " timelimit " < < m_ldapTimeout < < " \n " ;
stream < < " bind_timelimit " < < m_ldapBindTimeout < < " \n " ;
stream < < " bind_policy " < < m_bindPolicy . lower ( ) < < " \n " ;
stream < < " pam_password " < < m_passwordHash . lower ( ) < < " \n " ;
stream < < " nss_initgroups_ignoreusers " < < m_ignoredUsers < < " \n " ;
stream < < " tls_cacert " < < KERBEROS_PKI_PUBLICDIR < < realmcfg . admin_server < < " .ldap.crt " < < " \n " ;
}
file . close ( ) ;
}
chmod ( LDAP_FILE , S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH ) ;
system ( TQString ( " ln -s %1 %2 " ) . arg ( LDAP_FILE ) . arg ( LDAP_SECONDARY_FILE ) . ascii ( ) ) ;
delete systemconfig ;
}
LDAPTDEBuiltinsInfo LDAPManager : : parseLDAPTDEBuiltinsRecord ( LDAPMessage * entry ) {
char * dn = NULL ;
char * attr ;
struct berval * * vals ;
BerElement * ber ;
int i ;
LDAPTDEBuiltinsInfo builtininfo ;
if ( ( dn = ldap_get_dn ( m_ldap , entry ) ) ! = NULL ) {
ldap_memfree ( dn ) ;
}
for ( attr = ldap_first_attribute ( m_ldap , entry , & ber ) ; attr ! = NULL ; attr = ldap_next_attribute ( m_ldap , entry , ber ) ) {
if ( ( vals = ldap_get_values_len ( m_ldap , entry , attr ) ) ! = NULL ) {
builtininfo . informationValid = true ;
TQString ldap_field = attr ;
i = 0 ;
if ( ldap_field = = " builtinRealmAdminAccount " ) {
builtininfo . builtinRealmAdminAccount = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " builtinRealmAdminGroup " ) {
builtininfo . builtinRealmAdminGroup = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " builtinMachineAdminGroup " ) {
builtininfo . builtinMachineAdminGroup = vals [ i ] - > bv_val ;
}
else if ( ldap_field = = " builtinStandardUserGroup " ) {
builtininfo . builtinStandardUserGroup = vals [ i ] - > bv_val ;
}
ldap_value_free_len ( vals ) ;
}
ldap_memfree ( attr ) ;
}
if ( ber ! = NULL ) {
ber_free ( ber , 0 ) ;
}
return builtininfo ;
}
LDAPTDEBuiltinsInfo LDAPManager : : getTDEBuiltinMappings ( TQString * errstr ) {
int retcode ;
LDAPTDEBuiltinsInfo builtininfo ;
TQString dn = TQString ( " cn=builtin mappings,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1 " ) . arg ( m_basedc ) ;
if ( bind ( errstr ) < 0 ) {
return LDAPTDEBuiltinsInfo ( ) ;
}
else {
LDAPMessage * msg ;
retcode = ldap_search_ext_s ( m_ldap , dn . ascii ( ) , LDAP_SCOPE_SUBTREE , NULL , ldap_user_and_operational_attributes , 0 , NULL , NULL , NULL , 0 , & msg ) ;
if ( retcode ! = LDAP_SUCCESS ) {
if ( errstr ) * errstr = i18n ( " <qt>LDAP search failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) ;
else KMessageBox : : error ( 0 , i18n ( " <qt>LDAP search failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
return LDAPTDEBuiltinsInfo ( ) ;
}
// Iterate through the returned entries
LDAPMessage * entry ;
for ( entry = ldap_first_entry ( m_ldap , msg ) ; entry ! = NULL ; entry = ldap_next_entry ( m_ldap , entry ) ) {
builtininfo = parseLDAPTDEBuiltinsRecord ( entry ) ;
}
// clean up
ldap_msgfree ( msg ) ;
return builtininfo ;
}
return LDAPTDEBuiltinsInfo ( ) ;
}
int LDAPManager : : getTDECertificate ( TQString certificateName , TQString fileName , TQString * errstr ) {
int retcode ;
int returncode ;
LDAPTDEBuiltinsInfo builtininfo ;
TQString dn = TQString ( " cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1 " ) . arg ( m_basedc ) ;
if ( bind ( errstr ) < 0 ) {
return - 1 ;
}
else {
LDAPMessage * msg ;
retcode = ldap_search_ext_s ( m_ldap , dn . ascii ( ) , LDAP_SCOPE_SUBTREE , NULL , ldap_user_and_operational_attributes , 0 , NULL , NULL , NULL , 0 , & msg ) ;
if ( retcode ! = LDAP_SUCCESS ) {
if ( errstr ) * errstr = i18n ( " <qt>LDAP search failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) ;
else KMessageBox : : error ( 0 , i18n ( " <qt>LDAP search failure<p>Reason: [%3] %4</qt> " ) . arg ( retcode ) . arg ( ldap_err2string ( retcode ) ) , i18n ( " LDAP Error " ) ) ;
return - 1 ;
}
returncode = - 2 ;
// Iterate through the returned entries
LDAPMessage * entry ;
for ( entry = ldap_first_entry ( m_ldap , msg ) ; entry ! = NULL ; entry = ldap_next_entry ( m_ldap , entry ) ) {
char * attr ;
struct berval * * vals ;
BerElement * ber ;
int i ;
LDAPTDEBuiltinsInfo builtininfo ;
for ( attr = ldap_first_attribute ( m_ldap , entry , & ber ) ; attr ! = NULL ; attr = ldap_next_attribute ( m_ldap , entry , ber ) ) {
if ( ( vals = ldap_get_values_len ( m_ldap , entry , attr ) ) ! = NULL ) {
builtininfo . informationValid = true ;
TQString ldap_field = attr ;
i = 0 ;
if ( ldap_field = = certificateName ) {
TQFile file ( fileName ) ;
if ( file . open ( IO_WriteOnly ) ) {
TQByteArray ba ;
ba . duplicate ( vals [ i ] - > bv_val , vals [ i ] - > bv_len ) ;
file . writeBlock ( ba ) ;
returncode = 0 ;
}
}
ldap_value_free_len ( vals ) ;
}
ldap_memfree ( attr ) ;
}
if ( ber ! = NULL ) {
ber_free ( ber , 0 ) ;
}
}
// clean up
ldap_msgfree ( msg ) ;
return returncode ;
}
return - 1 ;
}
int LDAPManager : : writeSudoersConfFile ( TQString * errstr ) {
LDAPTDEBuiltinsInfo tdebuiltins = getTDEBuiltinMappings ( errstr ) ;
if ( ! tdebuiltins . informationValid ) {
if ( errstr ) * errstr = i18n ( " Unable to read builtin TDE user/group mappings " ) ;
return - 1 ;
}
TQString localadmingroup = tdebuiltins . builtinMachineAdminGroup ;
int eqpos = localadmingroup . find ( " = " ) + 1 ;
int cmpos = localadmingroup . find ( " , " , eqpos ) ;
localadmingroup . truncate ( cmpos ) ;
localadmingroup . remove ( 0 , eqpos ) ;
TQFile file ( TDELDAP_SUDO_D_FILE ) ;
if ( file . open ( IO_WriteOnly ) ) {
TQTextStream stream ( & file ) ;
stream < < " # This file was automatically generated by TDE \n " ;
stream < < " # All changes will be lost! \n " ;
stream < < " \n " ;
stream < < " # Realm local machine administrators \n " ;
stream < < " % " < < localadmingroup < < " ALL=NOPASSWD: ALL " < < " \n " ;
file . close ( ) ;
}
chown ( TDELDAP_SUDO_D_FILE , 0 , 0 ) ;
chmod ( TDELDAP_SUDO_D_FILE , S_IRUSR | S_IRGRP ) ;
return 0 ;
}
void LDAPManager : : writeCronFiles ( ) {
TQFile file ( CRON_UPDATE_NSS_FILE ) ;
if ( file . open ( IO_WriteOnly ) ) {
TQTextStream stream ( & file ) ;
stream < < " # This file was automatically generated by TDE \n " ;
stream < < " # All changes will be lost! \n " ;
stream < < " \n " ;
stream < < " #!/bin/sh " < < " \n " ;
stream < < CRON_UPDATE_NSS_COMMAND < < " \n " ;
file . close ( ) ;
}
system ( CRON_UPDATE_NSS_COMMAND ) ;
}
void LDAPManager : : writePrimaryRealmCertificateUpdateCronFile ( ) {
TQFile file ( CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_FILE ) ;
if ( file . open ( IO_WriteOnly ) ) {
TQTextStream stream ( & file ) ;
stream < < " # This file was automatically generated by TDE \n " ;
stream < < " # All changes will be lost! \n " ;
stream < < " \n " ;
stream < < " #!/bin/sh " < < " \n " ;
stream < < CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND < < " \n " ;
file . close ( ) ;
}
system ( CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND ) ;
}
LDAPRealmConfigList LDAPManager : : readTDERealmList ( KSimpleConfig * config , bool disableAllBonds ) {
LDAPRealmConfigList realms ;
TQStringList cfgRealms = config - > groupList ( ) ;
for ( TQStringList : : Iterator it ( cfgRealms . begin ( ) ) ; it ! = cfgRealms . end ( ) ; + + it ) {
if ( ( * it ) . startsWith ( " LDAPRealm- " ) ) {
config - > setGroup ( * it ) ;
TQString realmName = * it ;
realmName . remove ( 0 , strlen ( " LDAPRealm- " ) ) ;
if ( ! realms . contains ( realmName ) ) {
// Read in realm data
LDAPRealmConfig realmcfg ;
realmcfg . name = realmName ;
if ( ! disableAllBonds ) {
realmcfg . bonded = config - > readBoolEntry ( " bonded " ) ;
}
else {
realmcfg . bonded = false ;
}
realmcfg . uid_offset = config - > readNumEntry ( " uid_offset " ) ;
realmcfg . gid_offset = config - > readNumEntry ( " gid_offset " ) ;
realmcfg . domain_mappings = config - > readListEntry ( " domain_mappings " ) ;
realmcfg . kdc = config - > readEntry ( " kdc " ) ;
realmcfg . kdc_port = config - > readNumEntry ( " kdc_port " ) ;
realmcfg . admin_server = config - > readEntry ( " admin_server " ) ;
realmcfg . admin_server_port = config - > readNumEntry ( " admin_server_port " ) ;
realmcfg . pkinit_require_eku = config - > readBoolEntry ( " pkinit_require_eku " ) ;
realmcfg . pkinit_require_krbtgt_otherName = config - > readBoolEntry ( " pkinit_require_krbtgt_otherName " ) ;
realmcfg . win2k_pkinit = config - > readBoolEntry ( " win2k_pkinit " ) ;
realmcfg . win2k_pkinit_require_binding = config - > readBoolEntry ( " win2k_pkinit_require_binding " ) ;
// Add realm to list
realms . insert ( realmName , realmcfg ) ;
}
}
}
return realms ;
}
void LDAPManager : : writeTDERealmList ( LDAPRealmConfigList realms , KSimpleConfig * config ) {
LDAPRealmConfigList : : Iterator it ;
for ( it = realms . begin ( ) ; it ! = realms . end ( ) ; + + it ) {
LDAPRealmConfig realmcfg = it . data ( ) ;
TQString configRealmName = realmcfg . name ;
configRealmName . prepend ( " LDAPRealm- " ) ;
config - > setGroup ( configRealmName ) ;
// Save realm settings
config - > writeEntry ( " bonded " , realmcfg . bonded ) ;
config - > writeEntry ( " uid_offset " , realmcfg . uid_offset ) ;
config - > writeEntry ( " gid_offset " , realmcfg . gid_offset ) ;
config - > writeEntry ( " domain_mappings " , realmcfg . domain_mappings ) ;
config - > writeEntry ( " kdc " , realmcfg . kdc ) ;
config - > writeEntry ( " kdc_port " , realmcfg . kdc_port ) ;
config - > writeEntry ( " admin_server " , realmcfg . admin_server ) ;
config - > writeEntry ( " admin_server_port " , realmcfg . admin_server_port ) ;
config - > writeEntry ( " pkinit_require_eku " , realmcfg . pkinit_require_eku ) ;
config - > writeEntry ( " pkinit_require_krbtgt_otherName " , realmcfg . pkinit_require_krbtgt_otherName ) ;
config - > writeEntry ( " win2k_pkinit " , realmcfg . win2k_pkinit ) ;
config - > writeEntry ( " win2k_pkinit_require_binding " , realmcfg . win2k_pkinit_require_binding ) ;
}
// Delete any realms that do not exist in the realms database
TQStringList cfgRealms = config - > groupList ( ) ;
for ( TQStringList : : Iterator it ( cfgRealms . begin ( ) ) ; it ! = cfgRealms . end ( ) ; + + it ) {
if ( ( * it ) . startsWith ( " LDAPRealm- " ) ) {
config - > setGroup ( * it ) ;
TQString realmName = * it ;
realmName . remove ( 0 , strlen ( " LDAPRealm- " ) ) ;
if ( ! realms . contains ( realmName ) ) {
config - > deleteGroup ( * it ) ;
}
}
}
}
TQDateTime LDAPManager : : getCertificateExpiration ( TQString certfile ) {
TQDateTime ret ;
TQFile file ( certfile ) ;
if ( file . open ( IO_ReadOnly ) ) {
TQByteArray ba = file . readAll ( ) ;
file . close ( ) ;
TQCString ssldata ( ba ) ;
ssldata . replace ( " -----BEGIN CERTIFICATE----- " , " " ) ;
ssldata . replace ( " -----END CERTIFICATE----- " , " " ) ;
ssldata . replace ( " \n " , " " ) ;
KSSLCertificate * cert = KSSLCertificate : : fromString ( ssldata ) ;
if ( cert ) {
ret = cert - > getQDTNotAfter ( ) ;
delete cert ;
}
}
return ret ;
}
int LDAPManager : : generatePublicKerberosCACertificate ( LDAPCertConfig certinfo ) {
TQString command ;
command = TQString ( " openssl req -key %1 -new -x509 -out %2 -subj \" /C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9 \" " ) . arg ( KERBEROS_PKI_PEMKEY_FILE ) . arg ( KERBEROS_PKI_PEM_FILE ) . arg ( certinfo . countryName ) . arg ( certinfo . stateOrProvinceName ) . arg ( certinfo . localityName ) . arg ( certinfo . organizationName ) . arg ( certinfo . orgUnitName ) . arg ( certinfo . commonName ) . arg ( certinfo . emailAddress ) ;
system ( command ) ;
chmod ( KERBEROS_PKI_PEM_FILE , S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH ) ;
chown ( KERBEROS_PKI_PEM_FILE , 0 , 0 ) ;
return 0 ;
}
int LDAPManager : : generatePublicKerberosCertificate ( LDAPCertConfig certinfo , LDAPRealmConfig realmcfg ) {
TQString command ;
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE ;
TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE ;
TQString kdc_reqfile = KERBEROS_PKI_KDCREQ_FILE ;
kdc_certfile . replace ( " @@@KDCSERVER@@@ " , realmcfg . kdc ) ;
kdc_keyfile . replace ( " @@@KDCSERVER@@@ " , realmcfg . kdc ) ;
kdc_reqfile . replace ( " @@@KDCSERVER@@@ " , realmcfg . kdc ) ;
command = TQString ( " openssl req -new -out %1 -key %2 -subj \" /C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9 \" " ) . arg ( kdc_reqfile ) . arg ( kdc_keyfile ) . arg ( certinfo . countryName ) . arg ( certinfo . stateOrProvinceName ) . arg ( certinfo . localityName ) . arg ( certinfo . organizationName ) . arg ( certinfo . orgUnitName ) . arg ( certinfo . commonName ) . arg ( certinfo . emailAddress ) ;
system ( command ) ;
command = TQString ( " openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial " ) . arg ( kdc_reqfile ) . arg ( KERBEROS_PKI_PEMKEY_FILE ) . arg ( KERBEROS_PKI_PEM_FILE ) . arg ( kdc_certfile ) . arg ( OPENSSL_EXTENSIONS_FILE ) ;
system ( command ) ;
chmod ( kdc_certfile . ascii ( ) , S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH ) ;
chown ( kdc_certfile . ascii ( ) , 0 , 0 ) ;
unlink ( kdc_reqfile . ascii ( ) ) ;
return 0 ;
}
int LDAPManager : : generatePublicLDAPCertificate ( LDAPCertConfig certinfo , LDAPRealmConfig realmcfg , uid_t ldap_uid , gid_t ldap_gid ) {
TQString command ;
TQString ldap_certfile = LDAP_CERT_FILE ;
TQString ldap_keyfile = LDAP_CERTKEY_FILE ;
TQString ldap_reqfile = LDAP_CERTREQ_FILE ;
ldap_certfile . replace ( " @@@ADMINSERVER@@@ " , realmcfg . admin_server ) ;
ldap_keyfile . replace ( " @@@ADMINSERVER@@@ " , realmcfg . admin_server ) ;
ldap_reqfile . replace ( " @@@ADMINSERVER@@@ " , realmcfg . admin_server ) ;
command = TQString ( " openssl req -new -out %1 -key %2 -subj \" /C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9 \" " ) . arg ( ldap_reqfile ) . arg ( ldap_keyfile ) . arg ( certinfo . countryName ) . arg ( certinfo . stateOrProvinceName ) . arg ( certinfo . localityName ) . arg ( certinfo . organizationName ) . arg ( certinfo . orgUnitName ) . arg ( realmcfg . admin_server ) . arg ( certinfo . emailAddress ) ;
system ( command ) ;
command = TQString ( " openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial " ) . arg ( ldap_reqfile ) . arg ( KERBEROS_PKI_PEMKEY_FILE ) . arg ( KERBEROS_PKI_PEM_FILE ) . arg ( ldap_certfile ) ;
system ( command ) ;
chmod ( ldap_certfile . ascii ( ) , S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH ) ;
chown ( ldap_certfile . ascii ( ) , ldap_uid , ldap_gid ) ;
unlink ( ldap_reqfile . ascii ( ) ) ;
return 0 ;
}
TQString LDAPManager : : getMachineFQDN ( ) {
struct addrinfo hints , * info , * p ;
int gai_result ;
char hostname [ 1024 ] ;
hostname [ 1023 ] = ' \0 ' ;
gethostname ( hostname , 1023 ) ;
memset ( & hints , 0 , sizeof hints ) ;
hints . ai_family = AF_UNSPEC ; // IPV4 or IPV6
hints . ai_socktype = SOCK_STREAM ;
hints . ai_flags = AI_CANONNAME ;
if ( ( gai_result = getaddrinfo ( hostname , NULL , & hints , & info ) ) ! = 0 ) {
return TQString ( hostname ) ;
}
TQString fqdn = TQString ( hostname ) ;
for ( p = info ; p ! = NULL ; p = p - > ai_next ) {
fqdn = TQString ( p - > ai_canonname ) ;
}
freeaddrinfo ( info ) ;
return fqdn ;
}
// ===============================================================================================================
//
// DATA CLASS CONSTRUCTORS AND DESTRUCTORS
//
// ===============================================================================================================
LDAPCredentials : : LDAPCredentials ( ) {
// TQStrings are always initialized to TQString::null, so they don't need initialization here...
use_tls = true ;
use_gssapi = false ;
}
LDAPCredentials : : ~ LDAPCredentials ( ) {
//
}
LDAPUserInfo : : LDAPUserInfo ( ) {
// TQStrings are always initialized to TQString::null, so they don't need initialization here...
informationValid = false ;
uid = - 1 ;
primary_gid = - 1 ;
tde_builtin_account = false ;
status = ( LDAPKRB5Flags ) 0 ;
account_created = TQDateTime : : fromString ( " 1970-01-01T00:00:00 " , TQt : : ISODate ) ;
account_modified = TQDateTime : : fromString ( " 1970-01-01T00:00:00 " , TQt : : ISODate ) ;
password_last_changed = TQDateTime : : fromString ( " 1970-01-01T00:00:00 " , TQt : : ISODate ) ;
password_expires = false ;
password_expiration = TQDateTime : : fromString ( " 1970-01-01T00:00:00 " , TQt : : ISODate ) ;
password_ages = false ;
new_password_interval = - 1 ;
new_password_warn_interval = - 1 ;
new_password_lockout_delay = - 1 ;
password_has_minimum_age = false ;
password_minimum_age = - 1 ;
maximum_ticket_lifetime = - 1 ;
}
LDAPUserInfo : : ~ LDAPUserInfo ( ) {
//
}
LDAPGroupInfo : : LDAPGroupInfo ( ) {
// TQStrings are always initialized to TQString::null, so they don't need initialization here...
informationValid = false ;
gid = - 1 ;
tde_builtin_account = false ;
}
LDAPGroupInfo : : ~ LDAPGroupInfo ( ) {
//
}
LDAPMachineInfo : : LDAPMachineInfo ( ) {
// TQStrings are always initialized to TQString::null, so they don't need initialization here...
informationValid = false ;
tde_builtin_account = false ;
status = ( LDAPKRB5Flags ) 0 ;
}
LDAPMachineInfo : : ~ LDAPMachineInfo ( ) {
//
}
LDAPServiceInfo : : LDAPServiceInfo ( ) {
// TQStrings are always initialized to TQString::null, so they don't need initialization here...
informationValid = false ;
tde_builtin_account = false ;
status = ( LDAPKRB5Flags ) 0 ;
}
LDAPServiceInfo : : ~ LDAPServiceInfo ( ) {
//
}
LDAPTDEBuiltinsInfo : : LDAPTDEBuiltinsInfo ( ) {
// TQStrings are always initialized to TQString::null, so they don't need initialization here...
informationValid = false ;
}
LDAPTDEBuiltinsInfo : : ~ LDAPTDEBuiltinsInfo ( ) {
//
}
KerberosTicketInfo : : KerberosTicketInfo ( ) {
// TQStrings are always initialized to TQString::null, so they don't need initialization here...
informationValid = false ;
cacheVersion = - 1 ;
keyVersionNumber = - 1 ;
ticketSize = - 1 ;
flags = ( KRB5TicketFlags ) 0 ;
}
KerberosTicketInfo : : ~ KerberosTicketInfo ( ) {
//
}
# include "libtdeldap.moc"
