@ -1140,13 +1140,19 @@ TQString LDAPManager::readFullLineFromPtyProcess(PtyProcess* proc) {
return result ;
return result ;
} }
int LDAPManager : : bindKAdmin ( * errstr ) { int LDAPManager : : bindKAdmin ( LDAPCredentials * administrativeCredentials , TQString * errstr ) {
int retcode = 1 ;
int retcode = 1 ;
kadm5_ret_t krb5adm_ret ;
kadm5_ret_t krb5adm_ret ;
kadm5_config_params params ;
kadm5_config_params params ;
LDAPCredentials admincreds = currentLDAPCredentials ( ) ;
LDAPCredentials admincreds ;
if ( administrativeCredentials ) {
admincreds = * administrativeCredentials ;
}
else {
admincreds = currentLDAPCredentials ( ) ;
}
if ( admincreds . use_gssapi ) {
if ( admincreds . use_gssapi ) {
// FIXME
// FIXME
// Heimdal has issues parsing the keytab file, so for now just prompt for password
// Heimdal has issues parsing the keytab file, so for now just prompt for password
@ -1291,7 +1297,14 @@ int LDAPManager::setPasswordForUser(LDAPUserInfo user, TQString *errstr) {
int retcode ;
int retcode ;
kadm5_ret_t krb5adm_ret ;
kadm5_ret_t krb5adm_ret ;
retcode = bindKAdmin ( errstr ) ;
bool kadmin_unbind_needed = false ;
if ( m_krb5admHandle ) {
retcode = 0 ;
}
else {
retcode = bindKAdmin ( NULL , errstr ) ;
kadmin_unbind_needed = true ;
}
if ( retcode = = 0 ) {
if ( retcode = = 0 ) {
retcode = 1 ;
retcode = 1 ;
krb5_principal user_kadm5_principal ;
krb5_principal user_kadm5_principal ;
@ -1313,8 +1326,10 @@ int LDAPManager::setPasswordForUser(LDAPUserInfo user, TQString *errstr) {
krb5_free_principal ( m_krb5admContext , user_kadm5_principal ) ;
krb5_free_principal ( m_krb5admContext , user_kadm5_principal ) ;
}
}
unbindKAdmin ( ) ;
if ( kadmin_unbind_needed ) {
unbind ( true ) ; // Using kadmin can disrupt our LDAP connection
unbindKAdmin ( ) ;
unbind ( true ) ; // Using kadmin can disrupt our LDAP connection
}
}
}
return retcode ;
return retcode ;
@ -1843,147 +1858,151 @@ int LDAPManager::addGroupInfo(LDAPGroupInfo group, TQString *errstr) {
} }
int LDAPManager : : kAdminAddNewPrincipal ( TQString principalName , TQString newPassword , TQString * errstr ) { int LDAPManager : : kAdminAddNewPrincipal ( TQString principalName , TQString newPassword , TQString * errstr ) {
if ( bind ( ) < 0 ) {
int retcode ;
return - 1 ;
kadm5_ret_t krb5adm_ret ;
int i ;
char * password = NULL ;
bool kadmin_unbind_needed = false ;
if ( m_krb5admHandle ) {
retcode = 0 ;
}
}
else {
else {
int retcode ;
retcode = bindKAdmin ( NULL , errstr ) ;
kadm5_ret_t krb5adm_ret ;
kadmin_unbind_needed = true ;
int i ;
}
char * password = NULL ;
if ( retcode = = 0 ) {
retcode = 1 ;
retcode = bindKAdmin ( errstr ) ;
bool generate_password ;
if ( retcode = = 0 ) {
if ( newPassword = = " " ) {
retcode = 1 ;
generate_password = true ;
bool generate_password ;
}
if ( newPassword = = " " ) {
else {
generate_password = true ;
generate_password = false ;
}
password = strdup ( newPassword . ascii ( ) ) ;
else {
}
generate_password = false ;
password = strdup ( newPassword . ascii ( ) ) ;
}
// Construct and add new principal record
// Construct and add new principal record
kadm5_principal_ent_rec principal_record ;
kadm5_principal_ent_rec principal_record ;
kadm5_principal_ent_rec default_record ;
kadm5_principal_ent_rec default_record ;
kadm5_principal_ent_rec * default_entry = NULL ;
kadm5_principal_ent_rec * default_entry = NULL ;
krb5_principal principal_entry = NULL ;
krb5_principal principal_entry = NULL ;
int mask = 0 ;
int mask = 0 ;
memset ( & principal_record , 0 , sizeof ( principal_record ) ) ;
memset ( & principal_record , 0 , sizeof ( principal_record ) ) ;
krb5adm_ret = krb5_parse_name ( m_krb5admContext , principalName . ascii ( ) , & principal_entry ) ;
krb5adm_ret = krb5_parse_name ( m_krb5admContext , principalName . ascii ( ) , & principal_entry ) ;
if ( krb5adm_ret ) {
if ( krb5adm_ret ) {
if ( errstr ) * errstr = i18n ( " %1<p>Details:<br>Failed to execute krb5_parse_name (code %2) " ) . arg ( krb5_get_error_message ( m_krb5admContext , krb5adm_ret ) ) . arg ( krb5adm_ret ) ;
if ( errstr ) * errstr = i18n ( " %1<p>Details:<br>Failed to execute krb5_parse_name (code %2) " ) . arg ( krb5_get_error_message ( m_krb5admContext , krb5adm_ret ) ) . arg ( krb5adm_ret ) ;
}
}
principal_record . principal = principal_entry ;
principal_record . principal = principal_entry ;
mask | = KADM5_PRINCIPAL ;
mask | = KADM5_PRINCIPAL ;
default_entry = & default_record ;
default_entry = & default_record ;
krb5adm_ret = kadm5_get_default_principal_info ( m_krb5admContext , m_krb5admHandle , principal_entry , default_entry ) ;
krb5adm_ret = kadm5_get_default_principal_info ( m_krb5admContext , m_krb5admHandle , principal_entry , default_entry ) ;
if ( krb5adm_ret ) {
if ( krb5adm_ret ) {
default_entry = NULL ;
default_entry = NULL ;
if ( errstr ) * errstr = i18n ( " %1<p>Details:<br>Failed to execute kadm5_get_default_principal_info (code %2) " ) . arg ( krb5_get_error_message ( m_krb5admContext , krb5adm_ret ) ) . arg ( krb5adm_ret ) ;
if ( errstr ) * errstr = i18n ( " %1<p>Details:<br>Failed to execute kadm5_get_default_principal_info (code %2) " ) . arg ( krb5_get_error_message ( m_krb5admContext , krb5adm_ret ) ) . arg ( krb5adm_ret ) ;
}
}
else {
else {
// Use defaults
// Use defaults
principal_record . max_life = default_entry - > max_life ;
principal_record . max_life = default_entry - > max_life ;
principal_record . max_renewable_life = default_entry - > max_renewable_life ;
principal_record . max_renewable_life = default_entry - > max_renewable_life ;
principal_record . princ_expire_time = default_entry - > princ_expire_time ;
principal_record . princ_expire_time = default_entry - > princ_expire_time ;
principal_record . pw_expiration = default_entry - > pw_expiration ;
principal_record . pw_expiration = default_entry - > pw_expiration ;
principal_record . attributes = default_entry - > attributes & ~ KRB5_KDB_DISALLOW_ALL_TIX ;
principal_record . attributes = default_entry - > attributes & ~ KRB5_KDB_DISALLOW_ALL_TIX ;
principal_record . policy = strdup ( default_entry - > policy ) ;
principal_record . policy = strdup ( default_entry - > policy ) ;
if ( generate_password ) {
if ( generate_password ) {
const char charset [ ] =
const char charset [ ] =
" @$%&*()-+=:,/<>?0123456789 "
" @$%&*()-+=:,/<>?0123456789 "
" ABCDEFGHIJKLMNOPQRSTUVWXYZ "
" ABCDEFGHIJKLMNOPQRSTUVWXYZ "
" abcdefghijklmnopqrstuvwxyz " ;
" abcdefghijklmnopqrstuvwxyz " ;
const size_t max_index = ( sizeof ( charset ) - 2 ) ;
const size_t max_index = ( sizeof ( charset ) - 2 ) ;
TQFile randomNode ( " /dev/urandom " ) ;
TQFile randomNode ( " /dev/urandom " ) ;
if ( randomNode . open ( IO_ReadOnly ) ) {
if ( randomNode . open ( IO_ReadOnly ) ) {
password = ( char * ) malloc ( sizeof ( char ) * KRB5_ANK_RANDOM_PASSWORD_LENGTH ) ;
password = ( char * ) malloc ( sizeof ( char ) * KRB5_ANK_RANDOM_PASSWORD_LENGTH ) ;
if ( password ) {
if ( password ) {
if ( randomNode . readBlock ( password , KRB5_ANK_RANDOM_PASSWORD_LENGTH ) < KRB5_ANK_RANDOM_PASSWORD_LENGTH ) {
if ( randomNode . readBlock ( password , KRB5_ANK_RANDOM_PASSWORD_LENGTH ) < KRB5_ANK_RANDOM_PASSWORD_LENGTH ) {
free ( password ) ;
free ( password ) ;
password = NULL ;
password = NULL ;
}
}
else {
else {
for ( i = 0 ; i < KRB5_ANK_RANDOM_PASSWORD_LENGTH - 1 ; i + + ) {
for ( i = 0 ; i < KRB5_ANK_RANDOM_PASSWORD_LENGTH - 1 ; i + + ) {
while ( ( unsigned char ) password [ i ] > max_index ) {
while ( ( unsigned char ) password [ i ] > max_index ) {
password [ i ] - = max_index ;
password [ i ] - = max_index ;
}
password [ i ] = charset [ ( int ) password [ i ] ] ;
}
}
password [ i ] = 0 ;
password [ i ] = charset [ ( int ) password [ i ] ] ;
}
}
password [ i ] = 0 ;
}
}
randomNode . close ( ) ;
}
if ( password ) {
principal_record . attributes | = KRB5_KDB_DISALLOW_ALL_TIX ;
mask | = KADM5_ATTRIBUTES ;
}
else {
if ( errstr ) * errstr = i18n ( " Unable to generate random password " ) ;
}
}
randomNode . close ( ) ;
}
}
if ( password ) {
if ( password ) {
krb5adm_ret = kadm5_create_principal ( m_krb5admHandle , & principal_record , mask , password ) ;
principal_record . attributes | = KRB5_KDB_DISALLOW_ALL_TIX ;
if ( krb5adm_ret ) {
mask | = KADM5_ATTRIBUTES ;
if ( errstr ) * errstr = i18n ( " %1<p>Details:<br>Failed to execute kadm5_create_principal (code %2) " ) . arg ( krb5_get_error_message ( m_krb5admContext , krb5adm_ret ) ) . arg ( krb5adm_ret ) ;
}
}
else {
else {
if ( errstr ) * errstr = i18n ( " Unable to generate random password " ) ;
if ( generate_password ) {
}
krb5_keyblock * new_keys ;
}
int key_count ;
krb5adm_ret = kadm5_randkey_principal ( m_krb5admHandle , principal_entry , & new_keys , & key_count ) ;
if ( password ) {
if ( krb5adm_ret ) {
krb5adm_ret = kadm5_create_principal ( m_krb5admHandle , & principal_record , mask , password ) ;
key_count = 0 ;
if ( krb5adm_ret ) {
}
if ( errstr ) * errstr = i18n ( " %1<p>Details:<br>Failed to execute kadm5_create_principal (code %2) " ) . arg ( krb5_get_error_message ( m_krb5admContext , krb5adm_ret ) ) . arg ( krb5adm_ret ) ;
for ( i = 0 ; i < key_count ; i + + ) {
}
krb5_free_keyblock_contents ( m_krb5admContext , & new_keys [ i ] ) ;
else {
}
if ( generate_password ) {
if ( key_count > 0 ) {
krb5_keyblock * new_keys ;
free ( new_keys ) ;
int key_count ;
}
krb5adm_ret = kadm5_randkey_principal ( m_krb5admHandle , principal_entry , & new_keys , & key_count ) ;
kadm5_get_principal ( m_krb5admHandle , principal_entry , & principal_record , KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES ) ;
if ( krb5adm_ret ) {
krb5_free_principal ( m_krb5admContext , principal_entry ) ;
key_count = 0 ;
principal_entry = principal_record . principal ;
}
principal_record . attributes & = ( ~ KRB5_KDB_DISALLOW_ALL_TIX ) ;
for ( i = 0 ; i < key_count ; i + + ) {
principal_record . kvno = 1 ;
krb5_free_keyblock_contents ( m_krb5admContext , & new_keys [ i ] ) ;
krb5adm_ret = kadm5_modify_principal ( m_krb5admHandle , & principal_record , KADM5_ATTRIBUTES | KADM5_KVNO ) ;
}
if ( krb5adm_ret ) {
if ( key_count > 0 ) {
if ( errstr ) * errstr = i18n ( " %1<p>Details:<br>Failed to execute kadm5_modify_principal (code %2) " ) . arg ( krb5_get_error_message ( m_krb5admContext , krb5adm_ret ) ) . arg ( krb5adm_ret ) ;
free ( new_keys ) ;
}
}
else {
kadm5_get_principal ( m_krb5admHandle , principal_entry , & principal_record , KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES ) ;
retcode = 0 ;
krb5_free_principal ( m_krb5admContext , principal_entry ) ;
}
principal_entry = principal_record . principal ;
principal_record . attributes & = ( ~ KRB5_KDB_DISALLOW_ALL_TIX ) ;
principal_record . kvno = 1 ;
krb5adm_ret = kadm5_modify_principal ( m_krb5admHandle , & principal_record , KADM5_ATTRIBUTES | KADM5_KVNO ) ;
if ( krb5adm_ret ) {
if ( errstr ) * errstr = i18n ( " %1<p>Details:<br>Failed to execute kadm5_modify_principal (code %2) " ) . arg ( krb5_get_error_message ( m_krb5admContext , krb5adm_ret ) ) . arg ( krb5adm_ret ) ;
}
}
else {
else {
retcode = 0 ;
retcode = 0 ;
}
}
}
}
else {
retcode = 0 ;
}
}
}
}
}
}
kadm5_free_principal_ent ( m_krb5admHandle , & principal_record ) ;
kadm5_free_principal_ent ( m_krb5admHandle , & principal_record ) ;
if ( default_entry ) {
if ( default_entry ) {
kadm5_free_principal_ent ( m_krb5admHandle , default_entry ) ;
kadm5_free_principal_ent ( m_krb5admHandle , default_entry ) ;
}
}
if ( password ) {
if ( password ) {
free ( password ) ;
free ( password ) ;
}
}
if ( kadmin_unbind_needed ) {
unbindKAdmin ( ) ;
unbindKAdmin ( ) ;
unbind ( true ) ; // Using kadmin can disrupt our LDAP connection
unbind ( true ) ; // Using kadmin can disrupt our LDAP connection
}
}
return retcode ;
}
}
return retcode ;
} }
int LDAPManager : : addMachineInfo ( LDAPMachineInfo machine , TQString * errstr ) { int LDAPManager : : addMachineInfo ( LDAPMachineInfo machine , TQString * errstr ) {
@ -2584,127 +2603,105 @@ LDAPServiceInfoList LDAPManager::machineServices(TQString machine_dn, int* mretc
} }
int LDAPManager : : exportKeytabForPrincipal ( TQString principal , TQString fileName , TQString * errstr ) { int LDAPManager : : exportKeytabForPrincipal ( TQString principal , TQString fileName , TQString * errstr ) {
if ( bind ( ) < 0 ) {
int retcode ;
return - 1 ;
kadm5_ret_t krb5adm_ret ;
int i ;
bool kadmin_unbind_needed = false ;
if ( m_krb5admHandle ) {
retcode = 0 ;
}
}
else {
else {
// Use Kerberos kadmin to export the keytab
retcode = bindKAdmin ( NULL , errstr ) ;
LDAPCredentials admincreds = currentLDAPCredentials ( ) ;
kadmin_unbind_needed = true ;
if ( ( admincreds . username = = " " ) & & ( admincreds . password = = " " ) ) {
}
// Probably GSSAPI
if ( retcode = = 0 ) {
// Get active ticket principal...
retcode = 1 ;
KerberosTicketInfoList tickets = LDAPManager : : getKerberosTicketList ( ) ;
TQStringList principalParts = TQStringList : : split ( " @ " , tickets [ 0 ] . cachePrincipal , false ) ;
krb5_keytab keytab ;
admincreds . username = principalParts [ 0 ] ;
if ( fileName = = " " ) {
admincreds . realm = principalParts [ 1 ] ;
krb5adm_ret = krb5_kt_default ( m_krb5admContext , & keytab ) ;
admincreds . use_gssapi = true ;
}
TQCString command = " kadmin " ;
QCStringList args ;
if ( m_host . startsWith ( " ldapi:// " ) ) {
args < < TQCString ( " -l " ) < < TQCString ( " -r " ) < < TQCString ( admincreds . realm . upper ( ) ) ;
}
}
else {
else {
if ( admincreds . username = = " " ) {
krb5adm_ret = krb5_kt_resolve ( m_krb5admContext , fileName . ascii ( ) , & keytab ) ;
args < < TQCString ( " -r " ) < < TQCString ( admincreds . realm . upper ( ) ) ;
}
else {
args < < TQCString ( " -p " ) < < TQCString ( admincreds . username . lower ( ) + " @ " + ( admincreds . realm . upper ( ) ) ) < < TQCString ( " -r " ) < < TQCString ( admincreds . realm . upper ( ) ) ;
}
}
}
if ( krb5adm_ret ) {
if ( errstr ) * errstr = i18n ( " %1<p>Details:<br>Failed to open keytab file '%2' (code %3) " ) . arg ( krb5_get_error_message ( m_krb5admContext , krb5adm_ret ) ) . arg ( fileName ) . arg ( krb5adm_ret ) ;
}
else {
kadm5_principal_ent_rec principal_record ;
krb5_principal principal_entry = NULL ;
TQString prompt ;
memset ( & principal_record , 0 , sizeof ( principal_record ) ) ;
PtyProcess kadminProc ;
krb5adm_ret = krb5_parse_name ( m_krb5admContext , principal . ascii ( ) , & principal_entry ) ;
kadminProc . exec ( command , args ) ;
if ( krb5adm_ret ) {
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
if ( errstr ) * errstr = i18n ( " %1<p>Details:<br>Failed to execute krb5_parse_name (code %2) " ) . arg ( krb5_get_error_message ( m_krb5admContext , krb5adm_ret ) ) . arg ( krb5adm_ret ) ;
prompt = prompt . stripWhiteSpace ( ) ;
if ( prompt = = " kadmin> " ) {
if ( fileName = = " " ) {
command = TQCString ( " ext_keytab " + principal ) ;
}
}
else {
else {
command = TQCString ( " ext_keytab --keytab= \" " + fileName + " \" " + principal ) ;
principal_record . principal = principal_entry ;
}
kadminProc . enableLocalEcho ( false ) ;
krb5adm_ret = kadm5_get_principal ( m_krb5admHandle , principal_entry , & principal_record , KADM5_PRINCIPAL | KADM5_KVNO | KADM5_KEY_DATA ) ;
kadminProc . writeLine ( command , true ) ;
if ( krb5adm_ret ) {
do { // Discard our own input
if ( errstr ) * errstr = i18n ( " %1<p>Details:<br>Failed to execute kadm5_get_principal (code %2) " ) . arg ( krb5_get_error_message ( m_krb5admContext , krb5adm_ret ) ) . arg ( krb5adm_ret ) ;
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
retcode = 2 ;
printf ( " (kadmin) '%s' \n " , prompt . ascii ( ) ) ;
}
} while ( ( prompt = = TQString ( command ) ) | | ( prompt = = " " ) ) ;
else {
prompt = prompt . stripWhiteSpace ( ) ;
if ( principal_record . n_key_data = = 0 ) {
// Use all defaults
if ( errstr ) * errstr = i18n ( " No keys found!<p>If this principal is known to have valid keys, please check your access permissions and try again " ) ;
while ( prompt ! = " kadmin> " ) {
retcode = 2 ;
if ( prompt . endsWith ( " Password: " ) ) {
}
if ( admincreds . password = = " " ) {
else {
if ( tqApp - > type ( ) ! = TQApplication : : Tty ) {
// Extract keys
TQCString password ;
krb5_keytab_entry * keys = NULL ;
int result = KPasswordDialog : : getPassword ( password , prompt ) ;
keys = ( krb5_keytab_entry * ) calloc ( sizeof ( * keys ) , principal_record . n_key_data ) ;
if ( result = = KPasswordDialog : : Accepted ) {
if ( keys = = NULL ) {
admincreds . password = password ;
if ( errstr ) * errstr = i18n ( " Out of memory " ) ;
}
}
}
else {
else {
TQFile file ;
int key_count = 0 ;
file . open ( IO_ReadOnly , stdin ) ;
for ( i = 0 ; i < principal_record . n_key_data ; i + + ) {
TQTextStream qtin ( & file ) ;
krb5_key_data * kd = & principal_record . key_data [ i ] ;
admincreds . password = qtin . readLine ( ) ;
keys [ i ] . principal = principal_record . principal ;
keys [ i ] . vno = kd - > key_data_kvno ;
keys [ i ] . keyblock . keytype = kd - > key_data_type [ 0 ] ;
keys [ i ] . keyblock . keyvalue . length = kd - > key_data_length [ 0 ] ;
keys [ i ] . keyblock . keyvalue . data = kd - > key_data_contents [ 0 ] ;
keys [ i ] . timestamp = time ( NULL ) ;
key_count + + ;
}
if ( key_count < 1 ) {
if ( errstr ) * errstr = i18n ( " No keys found!<p>If this principal is known to have valid keys, please check your access permissions and try again " ) ;
}
else {
for ( i = 0 ; i < key_count ; i + + ) {
krb5adm_ret = krb5_kt_add_entry ( m_krb5admContext , keytab , & keys [ i ] ) ;
if ( krb5adm_ret ) {
if ( errstr ) * errstr = i18n ( " %1<p>Details:<br>Failed to execute krb5_kt_add_entry (code %2) " ) . arg ( krb5_get_error_message ( m_krb5admContext , krb5adm_ret ) ) . arg ( krb5adm_ret ) ;
}
}
if ( ! krb5adm_ret ) {
// Success!
retcode = 0 ;
}
}
}
}
free ( keys ) ;
}
}
if ( admincreds . password ! = " " ) {
kadm5_free_principal_ent ( m_krb5admHandle , & principal_record ) ;
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( admincreds . password , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n " , prompt . ascii ( ) ) ;
} while ( prompt = = " " ) ;
prompt = prompt . stripWhiteSpace ( ) ;
}
}
if ( prompt . contains ( " authentication failed " ) ) {
if ( errstr ) * errstr = detailedKAdminErrorMessage ( prompt ) ;
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( " quit " , true ) ;
return 1 ;
}
else {
// Extract whatever default is in the [brackets] and feed it back to kadmin
TQString defaultParam ;
int leftbracket = prompt . find ( " [ " ) ;
int rightbracket = prompt . find ( " ] " ) ;
if ( ( leftbracket > = 0 ) & & ( rightbracket > = 0 ) ) {
leftbracket + + ;
defaultParam = prompt . mid ( leftbracket , rightbracket - leftbracket ) ;
}
command = TQCString ( defaultParam ) ;
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( command , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n " , prompt . ascii ( ) ) ;
} while ( ( prompt = = TQString ( command ) ) | | ( prompt = = " " ) ) ;
prompt = prompt . stripWhiteSpace ( ) ;
}
}
}
}
if ( prompt ! = " kadmin> " ) {
krb5_kt_close ( m_krb5admContext , keytab ) ;
if ( errstr ) * errstr = detailedKAdminErrorMessage ( prompt ) ;
}
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( " quit " , true ) ;
return 1 ;
}
// Success!
if ( kadmin_unbind_needed ) {
kadminProc . enableLocalEcho ( false ) ;
unbindKAdmin ( ) ;
kadminProc . writeLine ( " quit " , true ) ;
unbind ( true ) ; // Using kadmin can disrupt our LDAP connection
unbind ( true ) ; // Using kadmin can disrupt our LDAP connection
return 0 ;
}
}
if ( errstr ) * errstr = " Internal error. Verify that kadmin exists and can be executed. " ;
return 1 ; // Failure
}
}
return retcode ;
} }
int LDAPManager : : writeCertificateFileIntoDirectory ( TQByteArray cert , TQString attr , TQString * errstr ) { int LDAPManager : : writeCertificateFileIntoDirectory ( TQByteArray cert , TQString attr , TQString * errstr ) {
@ -5170,144 +5167,31 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUse
} }
int LDAPManager : : bondRealm ( TQString adminUserName , const char * adminPassword , TQString adminRealm , TQString * errstr ) { int LDAPManager : : bondRealm ( TQString adminUserName , const char * adminPassword , TQString adminRealm , TQString * errstr ) {
TQCString command = " kadmin " ;
LDAPCredentials admincreds ;
QCStringList args ;
admincreds . username = adminUserName ;
args < < TQCString ( " -p " ) < < TQCString ( adminUserName + " @ " + ( adminRealm . upper ( ) ) ) < < TQCString ( " -r " ) < < TQCString ( adminRealm . upper ( ) ) ;
admincreds . password = adminPassword ;
admincreds . realm = adminRealm ;
admincreds . use_gssapi = false ;
TQString hoststring = " host/ " + getMachineFQDN ( ) ;
TQString hoststring = " host/ " + getMachineFQDN ( ) ;
TQString prompt ;
int retcode ;
PtyProcess kadminProc ;
LDAPManager * ldap_mgr = new LDAPManager ( adminRealm , TQString : : null ) ;
kadminProc . exec ( command , args ) ;
retcode = ldap_mgr - > bindKAdmin ( & admincreds , errstr ) ;
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
if ( ! retcode ) {
prompt = prompt . stripWhiteSpace ( ) ;
retcode = ldap_mgr - > exportKeytabForPrincipal ( hoststring , TQString : : null , errstr ) ;
if ( prompt = = " kadmin> " ) {
if ( retcode = = 2 ) {
command = TQCString ( " ext " + hoststring ) ;
// Principal not found, create it
kadminProc . enableLocalEcho ( false ) ;
retcode = ldap_mgr - > kAdminAddNewPrincipal ( hoststring , TQString : : null , errstr ) ;
kadminProc . writeLine ( command , true ) ;
if ( ! retcode ) {
do { // Discard our own input
retcode = ldap_mgr - > exportKeytabForPrincipal ( hoststring , TQString : : null , errstr ) ;
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n " , prompt . ascii ( ) ) ;
} while ( ( prompt = = TQString ( command ) ) | | ( prompt = = " " ) ) ;
prompt = prompt . stripWhiteSpace ( ) ;
if ( prompt . endsWith ( " Password: " ) ) {
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( adminPassword , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n " , prompt . ascii ( ) ) ;
} while ( prompt = = " " ) ;
prompt = prompt . stripWhiteSpace ( ) ;
}
if ( prompt . contains ( " authentication failed " ) ) {
if ( errstr ) * errstr = prompt ;
do { // Wait for command prompt
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n " , prompt . ascii ( ) ) ;
} while ( prompt = = " " ) ;
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( " quit " , true ) ;
return 1 ;
}
else if ( prompt . endsWith ( " Principal does not exist " ) ) {
do { // Wait for command prompt
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n " , prompt . ascii ( ) ) ;
} while ( prompt = = " " ) ;
command = TQCString ( " ank --random-key " + hoststring ) ;
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( command , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n " , prompt . ascii ( ) ) ;
} while ( ( prompt = = TQString ( command ) ) | | ( prompt = = " " ) ) ;
prompt = prompt . stripWhiteSpace ( ) ;
// Use all defaults
while ( prompt ! = " kadmin> " ) {
if ( prompt . endsWith ( " Password: " ) ) {
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( adminPassword , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n " , prompt . ascii ( ) ) ;
} while ( prompt = = " " ) ;
prompt = prompt . stripWhiteSpace ( ) ;
}
if ( prompt . contains ( " authentication failed " ) ) {
if ( errstr ) * errstr = prompt ;
do { // Wait for command prompt
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n " , prompt . ascii ( ) ) ;
} while ( prompt = = " " ) ;
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( " quit " , true ) ;
return 1 ;
}
else {
// Extract whatever default is in the [brackets] and feed it back to kadmin
TQString defaultParam ;
int leftbracket = prompt . find ( " [ " ) ;
int rightbracket = prompt . find ( " ] " ) ;
if ( ( leftbracket > = 0 ) & & ( rightbracket > = 0 ) ) {
leftbracket + + ;
defaultParam = prompt . mid ( leftbracket , rightbracket - leftbracket ) ;
}
command = TQCString ( defaultParam ) ;
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( command , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n " , prompt . ascii ( ) ) ;
} while ( ( prompt = = TQString ( command ) ) | | ( prompt = = " " ) ) ;
prompt = prompt . stripWhiteSpace ( ) ;
}
}
command = TQCString ( " ext " + hoststring ) ;
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( command , true ) ;
do { // Discard our own input
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n " , prompt . ascii ( ) ) ;
} while ( ( prompt = = TQString ( command ) ) | | ( prompt = = " " ) ) ;
prompt = prompt . stripWhiteSpace ( ) ;
if ( prompt ! = " kadmin> " ) {
if ( errstr ) * errstr = prompt ;
do { // Wait for command prompt
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n " , prompt . ascii ( ) ) ;
} while ( prompt = = " " ) ;
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( " quit " , true ) ;
return 1 ;
}
}
// Success!
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( " quit " , true ) ;
return 0 ;
}
}
else if ( prompt = = " kadmin> " ) {
ldap_mgr - > unbindKAdmin ( ) ;
// Success!
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( " quit " , true ) ;
return 0 ;
}
// Failure
if ( errstr ) * errstr = prompt ;
while ( prompt = = " " ) { // Wait for command prompt
prompt = readFullLineFromPtyProcess ( & kadminProc ) ;
printf ( " (kadmin) '%s' \n " , prompt . ascii ( ) ) ;
}
kadminProc . enableLocalEcho ( false ) ;
kadminProc . writeLine ( " quit " , true ) ;
return 1 ;
}
}
delete ldap_mgr ;
if ( errstr ) * errstr = " Internal error. Verify that kadmin exists and can be executed. " ;
return retcode ;
return 1 ; // Failure
} }
int LDAPManager : : unbondRealm ( LDAPRealmConfig realmcfg , TQString adminUserName , const char * adminPassword , TQString adminRealm , TQString * errstr ) { int LDAPManager : : unbondRealm ( LDAPRealmConfig realmcfg , TQString adminUserName , const char * adminPassword , TQString adminRealm , TQString * errstr ) {
Timothy Pearson
9 years ago