diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index 78ad0dc..354d9de 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -155,6 +155,7 @@ int main(int argc, char *argv[])
int prevSecondsToExpiry = (7*24*60*60);
while (1) {
+ bool newCertDownloaded = false;
bool allDownloadsOK = true;
TQDateTime now = TQDateTime::currentDateTime();
TQDateTime earliestCertExpiry = now.addDays(14); // Recheck every 7 days regardless of last expiry check results
@@ -174,7 +175,10 @@ int main(int argc, char *argv[])
printf("[INFO] Certificate %s expires %s\n", certificateFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
- if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
+ if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) == 0) {
+ newCertDownloaded = true;
+ }
+ else {
allDownloadsOK = false;
}
}
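Review bot: The fetch-and-flag block added at this `if`/`else` is repeated verbatim in the next three hunks (the `else` branch for the missing certificate file, and both CRL hunks), differing only in the type string and file name, so the `!= 0` to `== 0` inversion and the two flag updates had to be applied in four places and must be kept in step by hand. A small static helper taking the type string, the file name and `realmcfg`, returning whether the download succeeded, would let each call site become one line that updates `newCertDownloaded` and `allDownloadsOK` in a single place. On the failure path nothing here names the file that could not be refreshed; unless `get_certificate_from_server` logs that itself (not visible in the hunk), a line such as `printf("[WARNING] Unable to refresh %s\n", certificateFileName.ascii()); fflush(stdout);` in the `else` branch would give operators the same visibility the `[INFO]` lines above already provide. main() continues outside this hunk.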
@@ -185,7 +189,10 @@ int main(int argc, char *argv[])
else {
mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
- if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
+ if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) == 0) {
+ newCertDownloaded = true;
+ }
+ else {
allDownloadsOK = false;
}
}
@@ -196,7 +203,10 @@ int main(int argc, char *argv[])
printf("[INFO] CRL %s expires %s\n", crlFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
- if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+ if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) == 0) {
+ newCertDownloaded = true;
+ }
+ else {
allDownloadsOK = false;
}
}
@@ -207,10 +217,19 @@ int main(int argc, char *argv[])
else {
mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
- if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+ if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) == 0) {
+ newCertDownloaded = true;
+ }
+ else {
allDownloadsOK = false;
}
}
+
+ if (newCertDownloaded) {
+ if (LDAPManager::rehashClientPKCSCertificates() != 0) {
+ printf("[WARNING] Unable to rehash client PKCS certificates\n"); fflush(stdout);
+ }
+ }
}
immediate = false;
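Review bot: A failure of the new `LDAPManager::rehashClientPKCSCertificates()` call only prints a warning while `allDownloadsOK` stays true, so — assuming, as the flag's name suggests but this hunk does not show, that `allDownloadsOK` drives whether the loop retries soon — a freshly written certificate or CRL can remain unhashed until the next expiry-driven check, and any consumer that finds trust material through the rehashed names would not see it in the meantime. Adding `allDownloadsOK = false;` next to the warning, or a dedicated `rehashFailed` flag folded into the same retry decision, would make the cycle retry instead of treating the run as clean. `newCertDownloaded` is also set when only the CRL was fetched, so a name such as `newFileDownloaded` would describe the flag more accurately. main() continues past the end of this hunk.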
diff --git a/src/ldapbonding.cpp b/src/ldapbonding.cpp
index bf20050..abe4e95 100644
--- a/src/ldapbonding.cpp
+++ b/src/ldapbonding.cpp
@@ -102,6 +102,9 @@ LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&)
connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed()));
+ connect(base->pamEnablePKCS11Logons, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
+ connect(base->pamEnablePKCS11Logons, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
+ connect(base->pamPKCS11LoginCardSlot, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
connect(base->pamEnableCachedLogons, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
connect(base->pamCreateHomeDirectory, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
connect(base->pamCreateHomeDirectory, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
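Review bot: `processLockouts()` is wired to `clicked()` on the new pamEnablePKCS11Logons checkbox, but `clicked()` is emitted only for user interaction, not for the `setChecked()` that `load()` performs in the next hunk; unless `load()` already ends by calling `processLockouts()` (not visible here), the card-slot spinbox keeps a stale enabled state right after a load. Either connect the lockout logic to the programmatic-safe signal, `connect(base->pamEnablePKCS11Logons, TQT_SIGNAL(toggled(bool)), this, TQT_SLOT(processLockouts()));`, or confirm that `load()` invokes `processLockouts()` after populating the widgets. The existing pamCreateHomeDirectory connection just below has the same shape, so whichever approach is chosen should be applied consistently. The constructor body continues outside this hunk.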
@@ -165,6 +168,8 @@ void LDAPConfig::load(bool useDefaults )
}
base->ignoredUsers->setText(m_clientRealmConfig.ignoredUsers);
+ base->pamEnablePKCS11Logons->setChecked(m_clientRealmConfig.pamConfig.enable_pkcs11_login);
+ base->pamPKCS11LoginCardSlot->setValue(m_clientRealmConfig.pamConfig.pkcs11_login_card_slot);
base->pamEnableCachedLogons->setChecked(m_clientRealmConfig.pamConfig.enable_cached_credentials);
base->pamCreateHomeDirectory->setChecked(m_clientRealmConfig.pamConfig.autocreate_user_directories_enable);
base->pamCreateHomeDirectoryUmask->setValue(m_clientRealmConfig.pamConfig.autocreate_user_directories_umask);
@@ -217,6 +222,8 @@ void LDAPConfig::save() {
m_clientRealmConfig.passwordHash = base->passwordHash->currentText();
m_clientRealmConfig.ignoredUsers = base->ignoredUsers->text();
+ m_clientRealmConfig.pamConfig.enable_pkcs11_login = base->pamEnablePKCS11Logons->isChecked();
+ m_clientRealmConfig.pamConfig.pkcs11_login_card_slot = base->pamPKCS11LoginCardSlot->value();
m_clientRealmConfig.pamConfig.enable_cached_credentials = base->pamEnableCachedLogons->isChecked();
m_clientRealmConfig.pamConfig.autocreate_user_directories_enable = base->pamCreateHomeDirectory->isChecked();
m_clientRealmConfig.pamConfig.autocreate_user_directories_umask = base->pamCreateHomeDirectoryUmask->value();
@@ -343,6 +350,13 @@ void LDAPConfig::processLockouts() {
base->pamCreateHomeDirectoryUmask->setEnabled(false);
base->pamCreateHomeDirectorySkelDir->setEnabled(false);
}
+
+ if (base->pamEnablePKCS11Logons->isChecked()) {
+ base->pamPKCS11LoginCardSlot->setEnabled(true);
+ }
+ else {
+ base->pamPKCS11LoginCardSlot->setEnabled(false);
+ }
}
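Review bot: The new `if`/`else` at the end of processLockouts() can be one statement, `base->pamPKCS11LoginCardSlot->setEnabled(base->pamEnablePKCS11Logons->isChecked());`, which states the intent directly and cannot drift between the two branches when the widget set grows. A short comment above it, such as `// The PKCS#11 slot index is only meaningful while card login is enabled`, would tell the next reader why the spinbox is gated rather than simply hidden. processLockouts() begins before this hunk.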
void LDAPConfig::bondToNewRealm() {
diff --git a/src/ldapconfigbase.ui b/src/ldapconfigbase.ui
index a889ac9..8c9b2db 100644
--- a/src/ldapconfigbase.ui
+++ b/src/ldapconfigbase.ui
@@ -454,6 +454,14 @@
&Enable logon credentials cache
+
+
+ pamEnablePKCS11Logons
+
+
+ &Enable PKCS#11 card login
+
+
unnamed
@@ -500,6 +508,33 @@
+
+
+ unnamed
+
+
+ PKCS#11 certificate slot
+
+
+
+ 0
+ 0
+ 0
+ 0
+
+
+
+
+
+ pamPKCS11LoginCardSlot
+
+
+ 0
+
+
+ 999
+
+
pamCreateHomeDirectorySkelDir