Move core code from the bonding utility to this library

pull/1/head
Timothy Pearson 12 years ago
parent e0f5e6ac4e
commit fae0948a28

@ -1,5 +1,5 @@
/*************************************************************************** /***************************************************************************
* Copyright (C) 2012 by Timothy Pearson * * Copyright (C) 2012-2013 by Timothy Pearson *
* kb9vqf@pearsoncomputing.net * * kb9vqf@pearsoncomputing.net *
* * * *
* This program is free software; you can redistribute it and/or modify * * This program is free software; you can redistribute it and/or modify *
@ -56,12 +56,21 @@
// FIXME // FIXME
// This assumes Debian! // This assumes Debian!
#define KRB5_FILE "/etc/krb5.conf"
#define NSSWITCH_FILE "/etc/nsswitch.conf"
#define PAMD_DIRECTORY "/etc/pam.d/"
#define PAMD_COMMON_ACCOUNT "common-account"
#define PAMD_COMMON_AUTH "common-auth"
#define LDAP_FILE "/etc/ldap/ldap.conf" #define LDAP_FILE "/etc/ldap/ldap.conf"
#define LDAP_SECONDARY_FILE "/etc/ldap.conf" #define LDAP_SECONDARY_FILE "/etc/ldap.conf"
#define LDAP_TERTIARY_FILE "/etc/libnss-ldap.conf" #define LDAP_TERTIARY_FILE "/etc/libnss-ldap.conf"
#define TDELDAP_SUDO_D_FILE "/etc/sudoers.d/tde-realm-admins" #define TDELDAP_SUDO_D_FILE "/etc/sudoers.d/tde-realm-admins"
#define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db"
#define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db"
#define CRON_UPDATE_NSS_COMMAND "/usr/sbin/nss_updatedb ldap" #define CRON_UPDATE_NSS_COMMAND "/usr/sbin/nss_updatedb ldap"
int requested_ldap_version = LDAP_VERSION3; int requested_ldap_version = LDAP_VERSION3;
@ -2229,7 +2238,7 @@ int LDAPManager::moveKerberosEntries(TQString newSuffix, TQString* errstr) {
return -1; return -1;
} }
void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) { int LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg, TQString *errstr) {
KSimpleConfig* systemconfig; KSimpleConfig* systemconfig;
TQString m_defaultRealm; TQString m_defaultRealm;
int m_ldapVersion; int m_ldapVersion;
@ -2276,37 +2285,39 @@ void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) {
} }
if (chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) { if (chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
printf("ERROR: Unable to change permissions of \"%s\"\n\r", LDAP_FILE); if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(LDAP_FILE);
return; return -1;
} }
// Create symbolic link to secondary LDAP configuration file // Create symbolic link to secondary LDAP configuration file
if (fileExists(LDAP_SECONDARY_FILE)) { if (fileExists(LDAP_SECONDARY_FILE)) {
if (unlink(LDAP_SECONDARY_FILE) < 0) { if (unlink(LDAP_SECONDARY_FILE) < 0) {
printf("ERROR: Unable to unlink \"%s\"\n\r", LDAP_SECONDARY_FILE); if (errstr) *errstr = TQString("Unable to unlink \"%s\"").arg(LDAP_SECONDARY_FILE);
return; return -1;
} }
} }
command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_SECONDARY_FILE); command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_SECONDARY_FILE);
if (system(command) < 0) { if (system(command) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii()); if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command.ascii());
return; return -1;
} }
// Create symbolic link to tertiary LDAP configuration file // Create symbolic link to tertiary LDAP configuration file
if (fileExists(LDAP_TERTIARY_FILE)) { if (fileExists(LDAP_TERTIARY_FILE)) {
if (unlink(LDAP_TERTIARY_FILE) < 0) { if (unlink(LDAP_TERTIARY_FILE) < 0) {
printf("ERROR: Unable to unlink \"%s\"\n\r", LDAP_TERTIARY_FILE); if (errstr) *errstr = TQString("Unable to unlink \"%s\"").arg(LDAP_TERTIARY_FILE);
return; return -1;
} }
} }
command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_TERTIARY_FILE); command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_TERTIARY_FILE);
if (system(command) < 0) { if (system(command) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii()); if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command.ascii());
return; return -1;
} }
delete systemconfig; delete systemconfig;
return 0;
} }
LDAPTDEBuiltinsInfo LDAPManager::parseLDAPTDEBuiltinsRecord(LDAPMessage* entry) { LDAPTDEBuiltinsInfo LDAPManager::parseLDAPTDEBuiltinsRecord(LDAPMessage* entry) {
@ -2486,7 +2497,7 @@ int LDAPManager::writeSudoersConfFile(TQString *errstr) {
return 0; return 0;
} }
void LDAPManager::writeCronFiles() { int LDAPManager::writeClientCronFiles(TQString *errstr) {
TQFile file(CRON_UPDATE_NSS_FILE); TQFile file(CRON_UPDATE_NSS_FILE);
if (file.open(IO_WriteOnly)) { if (file.open(IO_WriteOnly)) {
TQTextStream stream( &file ); TQTextStream stream( &file );
@ -2501,9 +2512,11 @@ void LDAPManager::writeCronFiles() {
} }
if (system(CRON_UPDATE_NSS_COMMAND) < 0) { if (system(CRON_UPDATE_NSS_COMMAND) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n\r", CRON_UPDATE_NSS_COMMAND); if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(CRON_UPDATE_NSS_COMMAND);
return; return -1;
} }
return 0;
} }
void LDAPManager::writePrimaryRealmCertificateUpdateCronFile() { void LDAPManager::writePrimaryRealmCertificateUpdateCronFile() {
@ -2565,7 +2578,7 @@ LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool di
return realms; return realms;
} }
void LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config) { int LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config, TQString *errstr) {
LDAPRealmConfigList::Iterator it; LDAPRealmConfigList::Iterator it;
for (it = realms.begin(); it != realms.end(); ++it) { for (it = realms.begin(); it != realms.end(); ++it) {
LDAPRealmConfig realmcfg = it.data(); LDAPRealmConfig realmcfg = it.data();
@ -2599,6 +2612,8 @@ void LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* c
} }
} }
} }
return 0;
} }
TQDateTime LDAPManager::getCertificateExpiration(TQString certfile) { TQDateTime LDAPManager::getCertificateExpiration(TQString certfile) {
@ -2744,7 +2759,170 @@ TQString LDAPManager::getMachineFQDN() {
return fqdn; return fqdn;
} }
int LDAPManager::bondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) { LDAPClientRealmConfig LDAPManager::loadClientRealmConfig(KSimpleConfig* config, bool useDefaults) {
LDAPClientRealmConfig clientRealmConfig;
config->setReadDefaults(useDefaults);
config->setGroup(NULL);
clientRealmConfig.enable_bonding = config->readBoolEntry("EnableLDAP", false);
clientRealmConfig.defaultRealm = config->readEntry("DefaultRealm", TQString::null);
clientRealmConfig.ticketLifetime = config->readNumEntry("TicketLifetime", 86400);
clientRealmConfig.ldapRole = config->readEntry("LDAPRole", "Workstation");
if (LDAPManager::getMachineFQDN() == config->readEntry("HostFQDN", "")) {
clientRealmConfig.configurationVerifiedForLocalMachine = true;
}
else {
clientRealmConfig.configurationVerifiedForLocalMachine = false;
}
clientRealmConfig.ldapVersion = config->readNumEntry("ConnectionLDAPVersion", 3);
clientRealmConfig.ldapTimeout = config->readNumEntry("ConnectionLDAPTimeout", 2);
clientRealmConfig.bindPolicy = config->readEntry("ConnectionBindPolicy", "soft");
clientRealmConfig.ldapBindTimeout = config->readNumEntry("ConnectionBindTimeout", 2);
clientRealmConfig.passwordHash = config->readEntry("ConnectionPasswordHash", "exop");
clientRealmConfig.ignoredUsers = config->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST);
return clientRealmConfig;
}
int LDAPManager::saveClientRealmConfig(LDAPClientRealmConfig clientRealmConfig, KSimpleConfig* config, TQString *errstr) {
config->setGroup(NULL);
config->writeEntry("EnableLDAP", clientRealmConfig.enable_bonding);
config->writeEntry("HostFQDN", clientRealmConfig.hostFQDN);
if (clientRealmConfig.defaultRealm != "") {
config->writeEntry("DefaultRealm", clientRealmConfig.defaultRealm);
}
else {
config->deleteEntry("DefaultRealm");
}
config->writeEntry("TicketLifetime", clientRealmConfig.ticketLifetime);
config->writeEntry("ConnectionLDAPVersion", clientRealmConfig.ldapVersion);
config->writeEntry("ConnectionLDAPTimeout", clientRealmConfig.ldapTimeout);
config->writeEntry("ConnectionBindPolicy", clientRealmConfig.bindPolicy);
config->writeEntry("ConnectionBindTimeout", clientRealmConfig.ldapBindTimeout);
config->writeEntry("ConnectionPasswordHash", clientRealmConfig.passwordHash);
config->writeEntry("ConnectionIgnoredUsers", clientRealmConfig.ignoredUsers);
return 0;
}
int LDAPManager::writeClientKrb5ConfFile(LDAPClientRealmConfig clientRealmConfig, LDAPRealmConfigList realmList, TQString *errstr) {
TQFile file(KRB5_FILE);
if (file.open(IO_WriteOnly)) {
TQTextStream stream( &file );
stream << "# This file was automatically generated by TDE\n";
stream << "# All changes will be lost!\n";
stream << "\n";
// Defaults
stream << "[libdefaults]\n";
stream << " ticket_lifetime = " << clientRealmConfig.ticketLifetime << "\n";
if (clientRealmConfig.defaultRealm != "") {
stream << " default_realm = " << clientRealmConfig.defaultRealm << "\n";
}
stream << "\n";
// Realms
stream << "[realms]\n";
LDAPRealmConfigList::Iterator it;
for (it = realmList.begin(); it != realmList.end(); ++it) {
LDAPRealmConfig realmcfg = it.data();
stream << " " << realmcfg.name << " = {\n";
stream << " kdc = " << realmcfg.kdc << ":" << realmcfg.kdc_port << "\n";
stream << " admin_server = " << realmcfg.admin_server << ":" << realmcfg.admin_server_port << "\n";
stream << " pkinit_require_eku = " << (realmcfg.pkinit_require_eku?"true":"false") << "\n";
stream << " pkinit_require_krbtgt_otherName = " << (realmcfg.pkinit_require_krbtgt_otherName?"true":"false") << "\n";
stream << " win2k_pkinit = " << (realmcfg.win2k_pkinit?"yes":"no") << "\n";
stream << " win2k_pkinit_require_binding = " << (realmcfg.win2k_pkinit_require_binding?"yes":"no") << "\n";
stream << " }\n";
}
stream << "\n";
// Domain aliases
stream << "[domain_realm]\n";
LDAPRealmConfigList::Iterator it2;
for (it2 = realmList.begin(); it2 != realmList.end(); ++it2) {
LDAPRealmConfig realmcfg = it2.data();
TQStringList domains = realmcfg.domain_mappings;
for (TQStringList::Iterator it3 = domains.begin(); it3 != domains.end(); ++it3 ) {
stream << " " << *it3 << " = " << realmcfg.name << "\n";
}
}
file.close();
}
return 0;
}
int LDAPManager::writeNSSwitchFile(TQString *errstr) {
TQFile file(NSSWITCH_FILE);
if (file.open(IO_WriteOnly)) {
TQTextStream stream( &file );
stream << "# This file was automatically generated by TDE\n";
stream << "# All changes will be lost!\n";
stream << "\n";
stream << "passwd: files ldap [NOTFOUND=return] db" << "\n";
stream << "group: files ldap [NOTFOUND=return] db" << "\n";
stream << "shadow: files ldap [NOTFOUND=return] db" << "\n";
stream << "\n";
stream << "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4" << "\n";
stream << "networks: files" << "\n";
stream << "\n";
stream << "protocols: db files" << "\n";
stream << "services: db files" << "\n";
stream << "ethers: db files" << "\n";
stream << "rpc: db files" << "\n";
stream << "\n";
stream << "netgroup: nis" << "\n";
file.close();
}
return 0;
}
int LDAPManager::writePAMFiles(TQString *errstr) {
TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT);
if (file.open(IO_WriteOnly)) {
TQTextStream stream( &file );
stream << "# This file was automatically generated by TDE\n";
stream << "# All changes will be lost!\n";
stream << "\n";
stream << "account sufficient pam_unix.so nullok_secure" << "\n";
stream << "account sufficient pam_ldap.so" << "\n";
stream << "account required pam_permit.so" << "\n";
file.close();
}
TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH);
if (file2.open(IO_WriteOnly)) {
TQTextStream stream( &file2 );
stream << "# This file was automatically generated by TDE\n";
stream << "# All changes will be lost!\n";
stream << "\n";
stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n";
stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
stream << "auth required pam_deny.so" << "\n";
file2.close();
}
return 0;
}
int LDAPManager::bondRealm(TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) {
TQCString command = "kadmin"; TQCString command = "kadmin";
QCStringList args; QCStringList args;
args << TQCString("-p") << TQCString(adminUserName+"@"+(adminRealm.upper())) << TQCString("-r") << TQCString(adminRealm.upper()); args << TQCString("-p") << TQCString(adminUserName+"@"+(adminRealm.upper())) << TQCString("-r") << TQCString(adminRealm.upper());
@ -2778,6 +2956,10 @@ int LDAPManager::bondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, con
return 1; return 1;
} }
else if (prompt.endsWith("Principal does not exist")) { else if (prompt.endsWith("Principal does not exist")) {
do { // Wait for command prompt
prompt = readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == "");
command = TQCString("ank --random-key "+hoststring); command = TQCString("ank --random-key "+hoststring);
kadminProc.writeLine(command, true); kadminProc.writeLine(command, true);
do { // Discard our own input do { // Discard our own input
@ -2834,14 +3016,12 @@ int LDAPManager::bondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, con
// Success! // Success!
kadminProc.writeLine("quit", true); kadminProc.writeLine("quit", true);
realmcfg.bonded = true;
return 0; return 0;
} }
else if (prompt == "kadmin>") { else if (prompt == "kadmin>") {
// Success! // Success!
kadminProc.writeLine("quit", true); kadminProc.writeLine("quit", true);
realmcfg.bonded = true;
return 0; return 0;
} }
@ -2898,7 +3078,7 @@ int LDAPManager::unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, c
kadminProc.writeLine("quit", true); kadminProc.writeLine("quit", true);
// Delete keys from keytab // Delete keys from keytab
command = TQString("ktutil remove -p %1").arg(hostprinc); command = TQString("ktutil remove -p %1").arg(hoststring+"@"+adminRealm.upper());
if (system(command) < 0) { if (system(command) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n\r", command.data()); printf("ERROR: Execution of \"%s\" failed!\n\r", command.data());
return 1; // Failure return 1; // Failure

@ -1,5 +1,5 @@
/*************************************************************************** /***************************************************************************
* Copyright (C) 2012 by Timothy Pearson * * Copyright (C) 2012-2013 by Timothy Pearson *
* kb9vqf@pearsoncomputing.net * * kb9vqf@pearsoncomputing.net *
* * * *
* This program is free software; you can redistribute it and/or modify * * This program is free software; you can redistribute it and/or modify *
@ -35,7 +35,11 @@
// Connect this to CMake/Automake // Connect this to CMake/Automake
#define TDE_BINDIR "/opt/trinity/bin" #define TDE_BINDIR "/opt/trinity/bin"
#define TDE_LDAP_PID_DIR "/etc/trinity/ldap/pid/"
#define TDE_LDAP_CERT_UPDATER_PID_FILE TDE_LDAP_PID_DIR "/tdeldapcertupdater.pid"
#define TDE_CERTIFICATE_DIR "/etc/trinity/ldap/tde-ca/" #define TDE_CERTIFICATE_DIR "/etc/trinity/ldap/tde-ca/"
#define KERBEROS_PKI_ANCHORDIR "/etc/trinity/ldap/tde-ca/anchors/" #define KERBEROS_PKI_ANCHORDIR "/etc/trinity/ldap/tde-ca/anchors/"
#define KERBEROS_PKI_PRIVATEDIR "/etc/trinity/ldap/tde-ca/private/" #define KERBEROS_PKI_PRIVATEDIR "/etc/trinity/ldap/tde-ca/private/"
#define KERBEROS_PKI_PUBLICDIR "/etc/trinity/ldap/tde-ca/public/" #define KERBEROS_PKI_PUBLICDIR "/etc/trinity/ldap/tde-ca/public/"
@ -185,6 +189,26 @@ class LDAPCertConfig
TQString emailAddress; TQString emailAddress;
}; };
// PRIVATE
class LDAPClientRealmConfig
{
public:
bool enable_bonding;
TQString hostFQDN;
TQString defaultRealm;
int ticketLifetime;
TQString ldapRole;
int ldapVersion;
int ldapTimeout;
TQString bindPolicy;
int ldapBindTimeout;
TQString passwordHash;
TQString ignoredUsers;
bool configurationVerifiedForLocalMachine;
};
typedef TQMap<TQString, LDAPRealmConfig> LDAPRealmConfigList; typedef TQMap<TQString, LDAPRealmConfig> LDAPRealmConfigList;
class LDAPUserInfo class LDAPUserInfo
@ -402,11 +426,9 @@ class LDAPManager : public TQObject {
int getTDECertificate(TQString certificateName, TQString fileName, TQString *errstr=0); int getTDECertificate(TQString certificateName, TQString fileName, TQString *errstr=0);
int setPasswordForUser(LDAPUserInfo user, TQString *errstr); int setPasswordForUser(LDAPUserInfo user, TQString *errstr);
static void writeCronFiles();
static void writePrimaryRealmCertificateUpdateCronFile(); static void writePrimaryRealmCertificateUpdateCronFile();
static TQString getMachineFQDN(); static TQString getMachineFQDN();
static void writeLDAPConfFile(LDAPRealmConfig realmcfg); static int writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config, TQString *errstr=0);
static void writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config);
static LDAPRealmConfigList readTDERealmList(KSimpleConfig* config, bool disableAllBonds=false); static LDAPRealmConfigList readTDERealmList(KSimpleConfig* config, bool disableAllBonds=false);
static TQDateTime getCertificateExpiration(TQString certfile); static TQDateTime getCertificateExpiration(TQString certfile);
@ -426,7 +448,15 @@ class LDAPManager : public TQObject {
static TQString detailedKAdminErrorMessage(TQString initialMessage); static TQString detailedKAdminErrorMessage(TQString initialMessage);
static TQString readFullLineFromPtyProcess(PtyProcess* proc); static TQString readFullLineFromPtyProcess(PtyProcess* proc);
static int bondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0); static LDAPClientRealmConfig loadClientRealmConfig(KSimpleConfig* config, bool useDefaults=false);
static int saveClientRealmConfig(LDAPClientRealmConfig clientRealmConfig, KSimpleConfig* config, TQString *errstr=0);
static int writeClientKrb5ConfFile(LDAPClientRealmConfig clientRealmConfig, LDAPRealmConfigList realmList, TQString *errstr=0);
static int writeLDAPConfFile(LDAPRealmConfig realmcfg, TQString *errstr=0);
static int writeNSSwitchFile(TQString *errstr=0);
static int writeClientCronFiles(TQString *errstr=0);
static int writePAMFiles(TQString *errstr=0);
static int bondRealm(TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0);
static int unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0); static int unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0);
private: private:

Loading…
Cancel
Save