Add PKCS login setup controls

9 years ago · 5f90079891
parent c14f2f4613
commit 5f90079891
3 changed files with 72 additions and 4 deletions
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@ -155,6 +155,7 @@ int main(int argc, char *argv[])
 	int prevSecondsToExpiry = (7*24*60*60);

 	while (1) {
+		bool newCertDownloaded = false;
 		bool allDownloadsOK = true;
 		TQDateTime now = TQDateTime::currentDateTime();
 		TQDateTime earliestCertExpiry = now.addDays(14);	// Recheck every 7 days regardless of last expiry check results
@ -174,7 +175,10 @@ int main(int argc, char *argv[])
 					printf("[INFO] Certificate %s expires %s\n", certificateFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
 				}
 				if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
-					if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
+					if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) == 0) {
+						newCertDownloaded = true;
+					}
+					else {
 						allDownloadsOK = false;
 					}
 				}
@ -185,7 +189,10 @@ int main(int argc, char *argv[])
 			else {
 				mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
 				mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
-				if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
+				if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) == 0) {
+					newCertDownloaded = true;
+				}
+				else {
 					allDownloadsOK = false;
 				}
 			}
@ -196,7 +203,10 @@ int main(int argc, char *argv[])
 					printf("[INFO] CRL %s expires %s\n", crlFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
 				}
 				if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
-					if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+					if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) == 0) {
+						newCertDownloaded = true;
+					}
+					else {
 						allDownloadsOK = false;
 					}
 				}
@ -207,10 +217,19 @@ int main(int argc, char *argv[])
 			else {
 				mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
 				mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
-				if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+				if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) == 0) {
+					newCertDownloaded = true;
+				}
+				else {
 					allDownloadsOK = false;
 				}
 			}
+
+			if (newCertDownloaded) {
+				if (LDAPManager::rehashClientPKCSCertificates() != 0) {
+					printf("[WARNING] Unable to rehash client PKCS certificates\n"); fflush(stdout);
+				}
+			}
 		}
 		immediate = false;

--- a/src/ldapbonding.cpp
+++ b/src/ldapbonding.cpp
@ -102,6 +102,9 @@ LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&)
 	connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
 	connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed()));

+	connect(base->pamEnablePKCS11Logons, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
+	connect(base->pamEnablePKCS11Logons, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
+	connect(base->pamPKCS11LoginCardSlot, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
 	connect(base->pamEnableCachedLogons, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
 	connect(base->pamCreateHomeDirectory, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
 	connect(base->pamCreateHomeDirectory, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
@ -165,6 +168,8 @@ void LDAPConfig::load(bool useDefaults )
 	}
 	base->ignoredUsers->setText(m_clientRealmConfig.ignoredUsers);

+	base->pamEnablePKCS11Logons->setChecked(m_clientRealmConfig.pamConfig.enable_pkcs11_login);
+	base->pamPKCS11LoginCardSlot->setValue(m_clientRealmConfig.pamConfig.pkcs11_login_card_slot);
 	base->pamEnableCachedLogons->setChecked(m_clientRealmConfig.pamConfig.enable_cached_credentials);
 	base->pamCreateHomeDirectory->setChecked(m_clientRealmConfig.pamConfig.autocreate_user_directories_enable);
 	base->pamCreateHomeDirectoryUmask->setValue(m_clientRealmConfig.pamConfig.autocreate_user_directories_umask);
@ -217,6 +222,8 @@ void LDAPConfig::save() {
 	m_clientRealmConfig.passwordHash = base->passwordHash->currentText();
 	m_clientRealmConfig.ignoredUsers = base->ignoredUsers->text();

+	m_clientRealmConfig.pamConfig.enable_pkcs11_login = base->pamEnablePKCS11Logons->isChecked();
+	m_clientRealmConfig.pamConfig.pkcs11_login_card_slot = base->pamPKCS11LoginCardSlot->value();
 	m_clientRealmConfig.pamConfig.enable_cached_credentials = base->pamEnableCachedLogons->isChecked();
 	m_clientRealmConfig.pamConfig.autocreate_user_directories_enable = base->pamCreateHomeDirectory->isChecked();
 	m_clientRealmConfig.pamConfig.autocreate_user_directories_umask = base->pamCreateHomeDirectoryUmask->value();
@ -343,6 +350,13 @@ void LDAPConfig::processLockouts() {
 		base->pamCreateHomeDirectoryUmask->setEnabled(false);
 		base->pamCreateHomeDirectorySkelDir->setEnabled(false);
 	}
+
+	if (base->pamEnablePKCS11Logons->isChecked()) {
+		base->pamPKCS11LoginCardSlot->setEnabled(true);
+	}
+	else {
+		base->pamPKCS11LoginCardSlot->setEnabled(false);
+	}
 }

 void LDAPConfig::bondToNewRealm() {
--- a/src/ldapconfigbase.ui
+++ b/src/ldapconfigbase.ui
@ -454,6 +454,14 @@
 									<string>&amp;Enable logon credentials cache</string>
 								</property>
 							</widget>
+							<widget class="TQCheckBox" row="2" column="0" colspan="2">
+								<property name="name">
+									<cstring>pamEnablePKCS11Logons</cstring>
+								</property>
+								<property name="text">
+									<string>&amp;Enable PKCS#11 card login</string>
+								</property>
+							</widget>
 							<widget class="TQLabel" row="0" column="2">
 								<property name="name">
 									<cstring>unnamed</cstring>
@ -500,6 +508,33 @@
 									</sizepolicy>
 								</property>
 							</widget>
+							<widget class="TQLabel" row="2" column="2">
+								<property name="name">
+									<cstring>unnamed</cstring>
+								</property>
+								<property name="text">
+									<string>PKCS#11 certificate slot</string>
+								</property>
+								<property name="sizePolicy">
+									<sizepolicy>
+										<hsizetype>0</hsizetype>
+										<vsizetype>0</vsizetype>
+										<horstretch>0</horstretch>
+										<verstretch>0</verstretch>
+									</sizepolicy>
+								</property>
+							</widget>
+							<widget class="KIntNumInput" row="2" column="3" >
+								<property name="name">
+									<cstring>pamPKCS11LoginCardSlot</cstring>
+								</property>
+								<property name="minValue">
+									<number>0</number>
+								</property>
+								<property name="maxValue">
+									<number>999</number>
+								</property>
+							</widget>
 							<widget class="KURLRequester" row="1" column="3" >
 								<property name="name">
 									<cstring>pamCreateHomeDirectorySkelDir</cstring>