Preferentially use TLS when connecting to LDAP server

src/ldaplogindlgbase.ui

@@ -80,6 +80,14 @@
 				<cstring>ldapAdminRealm</cstring>
 			</property>
 		</widget>
+		<widget class="TQCheckBox" row="4" column="0" colspan="3">
+			<property name="name">
+				<cstring>ldapUseTLS</cstring>
+			</property>
+			<property name="text">
+				<string>Use LDAP TLS to encrypt this connection (recommended)</string>
+			</property>
+		</widget>
 	</grid>
 </widget>
 <layoutdefaults spacing="3" margin="6"/>

src/libtdeldap.cpp

@@ -19,10 +19,13 @@
  ***************************************************************************/
 
 #include <sys/types.h>
+#include <sys/stat.h>
 #include <sys/socket.h>
 #include <netdb.h>
+#include <pwd.h>
 
 #include <tqfile.h>
+#include <tqcheckbox.h>
 
 #include <klocale.h>
 #include <kmessagebox.h>
@@ -44,7 +47,7 @@
 // FIXME
 // Connect this to CMake/Automake
 #define KDE_CONFDIR "/etc/trinity"
-#define LDAP_FILE "/etc/ldap.conf"
+#define LDAP_FILE "/etc/ldap/ldap.conf"
 
 int requested_ldap_version = LDAP_VERSION3;
 int requested_ldap_auth_method = LDAP_AUTH_SIMPLE;	// Is this safe and secure over an untrusted connection?
@@ -91,13 +94,21 @@ TQString ldapLikelyErrorCause(int errcode, int location) {
 	TQString ret;
 
 	if (location == ERRORCAUSE_LOCATION_BIND) {
+		if (errcode == LDAP_SERVER_DOWN) {
+			ret = " * LDAP server down<br> * Invalid LDAP Certificate Authority file on client";
+		}
 		if (LDAP_NAME_ERROR(errcode)) {
 			ret = "Unknown user name or incorrect user name format";
 		}
 	}
 
 	if (ret != "") {
-		ret.prepend("<p>" + i18n("Likely cause") + ":<br>");
+		if (ret.contains("<br>")) {
+			ret.prepend("<p>" + i18n("Potential causes") + ":<br>");
+		}
+		else {
+			ret.prepend("<p>" + i18n("Potential cause") + ":<br>");
+		}
 	}
 
 	return ret;
@@ -109,7 +120,31 @@ printf("[RAJA DEBUG 600.0] In LDAPManager::bind(%p)\n\r", errstr); fflush(stdout
 		return 0;
 	}
 
-	int use_secure_connection = 0;
+	bool using_ldapi = false;
+	if (m_host.startsWith("ldapi://")) {
+		using_ldapi = true;
+	}
+	bool havepass = false;
+	if (m_creds || using_ldapi) {
+		havepass = true;
+	}
+	else {
+printf("[RAJA DEBUG 660.1] using_ldapi: %d\n\r", using_ldapi); fflush(stdout);
+		LDAPPasswordDialog passdlg(0);
+		passdlg.m_base->ldapAdminRealm->setEnabled(false);
+		passdlg.m_base->ldapAdminRealm->insertItem(m_realm);
+		passdlg.m_base->ldapUseTLS->setChecked(true);
+		if (passdlg.exec() == TQDialog::Accepted) {
+			havepass = true;
+			if (!m_creds) {
+				m_creds = new LDAPCredentials();
+				m_creds->username = passdlg.m_base->ldapAdminUsername->text();
+				m_creds->password = passdlg.m_base->ldapAdminPassword->password();
+				m_creds->realm = passdlg.m_base->ldapAdminRealm->currentText();
+				m_creds->use_tls = passdlg.m_base->ldapUseTLS->isOn();
+			}
+		}
+	}
 
 	TQString uri;
 	if (m_host.contains("://")) {
@@ -122,7 +157,7 @@ printf("[RAJA DEBUG 600.0] In LDAPManager::bind(%p)\n\r", errstr); fflush(stdout
 		}
 	}
 	else {
-		if (use_secure_connection == 1) {
+		if (m_creds->use_tls) {
 			m_port = LDAP_SECURE_PORT;
 			uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port);
 		}
@@ -148,25 +183,6 @@ printf("[RAJA DEBUG 600.1] URI: %s\n\r", uri.ascii()); fflush(stdout);
 printf("[RAJA DEBUG 660.0]\n\r"); fflush(stdout);
 
 	TQString errorString;
-	bool havepass = false;
-	if (m_creds) {
-		havepass = true;
-	}
-	else {
-printf("[RAJA DEBUG 660.1]\n\r"); fflush(stdout);
-		LDAPPasswordDialog passdlg(0);
-		passdlg.m_base->ldapAdminRealm->setEnabled(false);
-		passdlg.m_base->ldapAdminRealm->insertItem(m_realm);
-		if (passdlg.exec() == TQDialog::Accepted) {
-			havepass = true;
-			if (!m_creds) {
-				m_creds = new LDAPCredentials();
-				m_creds->username = passdlg.m_base->ldapAdminUsername->text();
-				m_creds->password = passdlg.m_base->ldapAdminPassword->password();
-				m_creds->realm = passdlg.m_base->ldapAdminRealm->currentText();
-			}
-		}
-	}
 	if (havepass == true) {
 		char* mechanism = NULL;
 		struct berval cred;
@@ -175,7 +191,7 @@ printf("[RAJA DEBUG 660.1]\n\r"); fflush(stdout);
 		cred.bv_val = pass.data();
 		cred.bv_len = pass.length();
 printf("[RAJA DEBUG 660.2]\n\r"); fflush(stdout);
-		if (!uri.startsWith("ldapi://")) {
+		if (!using_ldapi) {
 			if (!ldap_dn.contains(",")) {
 				// Look for a POSIX account with anonymous bind and the specified account name
 				TQString uri;
@@ -184,7 +200,7 @@ printf("[RAJA DEBUG 660.2]\n\r"); fflush(stdout);
 					uri = m_host;
 				}
 				else {
-					if (use_secure_connection == 1) {
+					if (m_creds->use_tls) {
 						m_port = LDAP_SECURE_PORT;
 						uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port);
 					}
@@ -1398,11 +1414,14 @@ void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) {
 			stream << "bind_policy " << m_bindPolicy.lower() << "\n";
 			stream << "pam_password " << m_passwordHash.lower() << "\n";
 			stream << "nss_initgroups_ignoreusers " << m_ignoredUsers << "\n";
+			stream << "tls_cacert /etc/trinity/ldap/tde-ca/public/argus5.starlink.edu.ldap.crt" << "\n";
 		}
 
 		file.close();
 	}
 
+	chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+
 	delete systemconfig;
 }
 
@@ -1473,6 +1492,15 @@ TQString LDAPManager::getMachineFQDN() {
 //
 // ===============================================================================================================
 
+LDAPCredentials::LDAPCredentials() {
+	// TQStrings are always initialized to TQString::null, so they don't need initialization here...
+	use_tls = true;
+}
+
+LDAPCredentials::~LDAPCredentials() {
+	//
+}
+
 LDAPUserInfo::LDAPUserInfo() {
 	// TQStrings are always initialized to TQString::null, so they don't need initialization here...
 	informationValid = false;

src/libtdeldap.h

@@ -65,10 +65,15 @@ typedef TQValueList<gid_t> GroupList;
 
 class LDAPCredentials
 {
+	public:
+		LDAPCredentials();
+		~LDAPCredentials();
+
 	public:
 		TQString username;
 		TQCString password;
 		TQString realm;
+		bool use_tls;
 };
 
 // PRIVATE