From f101efbd4d4dbe7725bc2a1848ab2aa12d0de1d7 Mon Sep 17 00:00:00 2001
From: Timothy Pearson
Date: Sat, 23 Mar 2013 19:00:15 -0500
Subject: [PATCH] Add exportKeytabForPrincipal method

---
 src/libtdeldap.cpp | 127 +++++++++++++++++++++++++++++++++++++++++++--
 src/libtdeldap.h   |   3 ++
 2 files changed, 126 insertions(+), 4 deletions(-)

diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index e3bb252..8ff91f3 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -1614,8 +1614,6 @@ int LDAPManager::addGroupInfo(LDAPGroupInfo group, TQString *errstr) {
 }
 
 int LDAPManager::addMachineInfo(LDAPMachineInfo machine, TQString *errstr) {
-	LDAPGroupInfo machineinfo;
-
 	if (bind() < 0) {
 		return -1;
 	}
@@ -1741,8 +1739,6 @@ int LDAPManager::addMachineInfo(LDAPMachineInfo machine, TQString *errstr) {
 }
 
 int LDAPManager::addServiceInfo(LDAPServiceInfo service, TQString *errstr) {
-	LDAPGroupInfo serviceinfo;
-
 	if (bind() < 0) {
 		return -1;
 	}
@@ -2277,6 +2273,129 @@ LDAPServiceInfoList LDAPManager::machineServices(TQString machine_dn, int* mretc
 	return LDAPServiceInfoList();
 }
 
+int LDAPManager::exportKeytabForPrincipal(TQString principal, TQString fileName, TQString *errstr) {
+	if (bind() < 0) {
+		return -1;
+	}
+	else {
+		// Use Kerberos kadmin to export the keytab
+		LDAPCredentials admincreds = currentLDAPCredentials();
+		if ((admincreds.username == "") && (admincreds.password == "")) {
+			// Probably GSSAPI
+			// Get active ticket principal...
+			KerberosTicketInfoList tickets = LDAPManager::getKerberosTicketList();
+			TQStringList principalParts = TQStringList::split("@", tickets[0].cachePrincipal, false);
+			admincreds.username = principalParts[0];
+			admincreds.realm = principalParts[1];
+		}
+
+		TQCString command = "kadmin";
+		QCStringList args;
+		if (m_host.startsWith("ldapi://")) {
+			args << TQCString("-l") << TQCString("-r") << TQCString(admincreds.realm.upper());
+		}
+		else {
+			if (admincreds.username == "") {
+				args << TQCString("-r") << TQCString(admincreds.realm.upper());
+			}
+			else {
+				args << TQCString("-p") << TQCString(admincreds.username.lower()+"@"+(admincreds.realm.upper())) << TQCString("-r") << TQCString(admincreds.realm.upper());
+			}
+		}
+
+		TQString prompt;
+		PtyProcess kadminProc;
+		kadminProc.exec(command, args);
+		prompt = readFullLineFromPtyProcess(&kadminProc);
+		prompt = prompt.stripWhiteSpace();
+		if (prompt == "kadmin>") {
+			if (fileName == "") {
+				command = TQCString("ext_keytab "+principal);
+			}
+			else {
+				command = TQCString("ext_keytab --keytab=\""+fileName+"\" "+principal);
+			}
+			kadminProc.enableLocalEcho(false);
+			kadminProc.writeLine(command, true);
+			do {	// Discard our own input
+				prompt = readFullLineFromPtyProcess(&kadminProc);
+				printf("(kadmin) '%s'\n\r", prompt.ascii());
+			} while (prompt == TQString(command));
+			prompt = prompt.stripWhiteSpace();
+			// Use all defaults
+			while (prompt != "kadmin>") {
+				if (prompt.endsWith(" Password:")) {
+					if (admincreds.password == "") {
+						if (tqApp->type() != TQApplication::Tty) {
+							TQCString password;
+							int result = KPasswordDialog::getPassword(password, prompt);
+							if (result == KPasswordDialog::Accepted) {
+								admincreds.password = password;
+							}
+						}
+						else {
+							TQFile file;
+							file.open(IO_ReadOnly, stdin);
+							TQTextStream qtin(&file);
+							admincreds.password = qtin.readLine();
+						}
+					}
+					if (admincreds.password != "") {
+						kadminProc.enableLocalEcho(false);
+						kadminProc.writeLine(admincreds.password, true);
+						do {	// Discard our own input
+							prompt = readFullLineFromPtyProcess(&kadminProc);
+							printf("(kadmin) '%s'\n\r", prompt.ascii());
+						} while (prompt == "");
+						prompt = prompt.stripWhiteSpace();
+					}
+				}
+				if (prompt.contains("authentication failed")) {
+					if (errstr) *errstr = detailedKAdminErrorMessage(prompt);
+					kadminProc.enableLocalEcho(false);
+					kadminProc.writeLine("quit", true);
+					return 1;
+				}
+				else {
+					// Extract whatever default is in the [brackets] and feed it back to kadmin
+					TQString defaultParam;
+					int leftbracket = prompt.find("[");
+					int rightbracket = prompt.find("]");
+					if ((leftbracket >= 0) && (rightbracket >= 0)) {
+						leftbracket++;
+						defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket);
+					}
+					command = TQCString(defaultParam);
+					kadminProc.enableLocalEcho(false);
+					kadminProc.writeLine(command, true);
+					do {	// Discard our own input
+						prompt = readFullLineFromPtyProcess(&kadminProc);
+						printf("(kadmin) '%s'\n\r", prompt.ascii());
+					} while (prompt == TQString(command));
+					prompt = prompt.stripWhiteSpace();
+				}
+			}
+			if (prompt != "kadmin>") {
+				if (errstr) *errstr = detailedKAdminErrorMessage(prompt);
+				kadminProc.enableLocalEcho(false);
+				kadminProc.writeLine("quit", true);
+				return 1;
+			}
+
+			// Success!
+			kadminProc.enableLocalEcho(false);
+			kadminProc.writeLine("quit", true);
+			unbind(true);	// Using kadmin can disrupt our LDAP connection
+
+			return 0;
+		}
+
+		if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
+		return 1;	// Failure
+
+	}
+}
+
 int LDAPManager::writeCertificateFileIntoDirectory(TQByteArray cert, TQString attr, TQString* errstr) {
 	int retcode;
 	int i;
diff --git a/src/libtdeldap.h b/src/libtdeldap.h
index 08dbb65..8bc0355 100644
--- a/src/libtdeldap.h
+++ b/src/libtdeldap.h
@@ -407,6 +407,7 @@ class LDAPManager : public TQObject {
 		LDAPServiceInfoList services(int* retcode=0);
 		LDAPUserInfo getUserByDistinguishedName(TQString dn);
 		LDAPGroupInfo getGroupByDistinguishedName(TQString dn, TQString *errstr=0);
+
 		int updateUserInfo(LDAPUserInfo user, TQString *errstr=0);
 		int updateGroupInfo(LDAPGroupInfo group, TQString *errstr=0);
 		int updateMachineInfo(LDAPMachineInfo group, TQString *errstr=0);
@@ -420,6 +421,8 @@ class LDAPManager : public TQObject {
 		int deleteMachineInfo(LDAPMachineInfo machine, TQString *errstr=0);
 		int deleteServiceInfo(LDAPServiceInfo service, TQString *errstr=0);
 
+		int exportKeytabForPrincipal(TQString principal, TQString fileName, TQString *errstr=0);
+
 		LDAPCredentials currentLDAPCredentials();
 		int moveKerberosEntries(TQString newSuffix, TQString* errstr=0);
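Review bot: `principal` and `fileName` are spliced verbatim into the line written to kadmin's pty (`command = TQCString("ext_keytab --keytab=\""+fileName+"\" "+principal)`), so a value holding whitespace, a double quote or a newline changes what kadmin runs — for instance a second `--keytab=` pointing at a different file, or a further command after the newline; if either argument can come from outside the application, validate both before the command is built, as sketched below. The GSSAPI branch indexes `tickets[0]` and `principalParts[1]` without checking that `getKerberosTicketList()` returned anything or that the cache principal contained an `@`, so an empty credential cache reads past the end of the list; add `if (tickets.isEmpty()) { if (errstr) *errstr = "No Kerberos ticket available"; return 1; }` before the split. The three `printf("(kadmin) '%s'\n\r", prompt.ascii())` calls dump the whole kadmin transcript to stdout and look like leftover debugging; they should be removed or gated behind a debug switch. Only the success path calls `unbind(true)` even though its comment says kadmin can disrupt the LDAP connection; the two `return 1` failure paths after `writeLine("quit", true)` should unbind as well.

```cpp
int LDAPManager::exportKeytabForPrincipal(TQString principal, TQString fileName, TQString *errstr) {
	// kadmin splits the line we write to it into arguments, so reject anything
	// that could become an extra option or a second command.
	if (principal.isEmpty() || principal.startsWith("-")
	    || principal.contains(" ") || principal.contains("\t")
	    || principal.contains("\"") || principal.contains("\n")) {
		if (errstr) *errstr = "Invalid principal name";
		return 1;
	}
	if (fileName.contains("\"") || fileName.contains("\n")) {
		if (errstr) *errstr = "Invalid keytab file name";
		return 1;
	}
	if (bind() < 0) {
		return -1;
	}
	// … unchanged: credential lookup, kadmin argument setup and prompt handling …
```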