Add new certificate updater daemon

Move core code to libtdeldap

cert-updater/Makefile.am

@@ -0,0 +1,10 @@
+INCLUDES= $(all_includes) $(KDE_INCLUDES)/tde
+
+bin_PROGRAMS = tdeldapcertupdater
+
+tdeldapcertupdater_SOURCES = main.cpp
+
+tdeldapcertupdater_METASOURCES = AUTO
+tdeldapcertupdater_LDFLAGS = $(all_libraries) $(KDE_RPATH) $(LIB_QT) -lDCOP $(LIB_TDECORE) $(LIB_TDEUI) -ltdefx $(LIB_KIO) -ltdetexteditor -ltdeldap
+
+KDE_OPTIONS = nofinal

cert-updater/main.cpp

@@ -0,0 +1,211 @@
+/***************************************************************************
+ *   Copyright (C) 2013 by Timothy Pearson                                 *
+ *   kb9vqf@pearsoncomputing.net                                           *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                                   *
+ *                                                                         *
+ *   This program is distributed in the hope that it will be useful,       *
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
+ *   GNU General Public License for more details.                          *
+ *                                                                         *
+ *   You should have received a copy of the GNU General Public License     *
+ *   along with this program; if not, write to the                         *
+ *   Free Software Foundation, Inc.,                                       *
+ *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
+ ***************************************************************************/
+
+#include <stdlib.h>
+#include <csignal>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <netdb.h>
+#include <pwd.h>
+
+#include <tdeapplication.h>
+#include <tdestartupinfo.h>
+#include <tdecmdlineargs.h>
+#include <tdeaboutdata.h>
+
+#include <ksimpleconfig.h>
+
+#include <tqdatetime.h>
+#include <tqfile.h>
+#include <tqdir.h>
+
+#include <libtdeldap.h>
+
+// FIXME
+// Connect this to CMake/Automake
+#define KDE_CONFDIR "/etc/trinity"
+
+static const char description[] =
+	I18N_NOOP("TDE utility for updating realm certificates");
+
+static const char version[] = "v0.0.1";
+
+bool received_sighup = false;
+
+void signalHandler(int signum)
+{
+	printf("[INFO] Got signal %d\n\r", signum);
+	if (signum == SIGHUP) {
+		received_sighup = true;
+	}
+	else if (signum == SIGTERM) {
+		unlink(TDE_LDAP_CERT_UPDATER_PID_FILE);
+		exit(0);
+	}
+	else if (signum == SIGINT) {
+		unlink(TDE_LDAP_CERT_UPDATER_PID_FILE);
+		exit(0);
+	}
+}
+
+int get_certificate_from_server(TQString certificateName, LDAPRealmConfig realmcfg)
+{
+	int retcode = 0;
+	TQString errorstring;
+
+	// Bind anonymously to LDAP
+	LDAPCredentials* credentials = new LDAPCredentials;
+	credentials->username = "";
+	credentials->password = "";
+	credentials->realm = realmcfg.name.upper();
+	credentials->use_tls = false;
+	LDAPManager* ldap_mgr = new LDAPManager(realmcfg.name.upper(), TQString("ldap://%1").arg(realmcfg.admin_server).ascii(), credentials);
+
+	// Add the domain-wide computer local admin group to local sudoers
+	ldap_mgr->writeSudoersConfFile(&errorstring);
+
+	// Get and install the CA root certificate from LDAP
+	printf("[INFO] Updating certificate %s from LDAP\n\r", certificateName.ascii());
+	if (ldap_mgr->getTDECertificate("publicRootCertificate", certificateName, &errorstring) != 0) {
+		printf("[ERROR] Unable to obtain root certificate for realm %s: %s", realmcfg.name.upper().ascii(), errorstring.ascii());
+		retcode = 1;
+	}
+
+	delete ldap_mgr;
+	delete credentials;
+
+	return retcode;
+}
+
+int main(int argc, char *argv[])
+{
+	// Register signal handler for SIGHUP
+	signal(SIGHUP, signalHandler);
+	// Register signal handler for SIGINT
+	signal(SIGINT, signalHandler);
+	// Register signal handler for SIGTERM
+	signal(SIGTERM, signalHandler);
+
+	TQDir pidDir(TDE_LDAP_PID_DIR);
+	if (!pidDir.exists()) {
+		mkdir(TDE_LDAP_PID_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+	}
+	TQFile pidFile(TDE_LDAP_CERT_UPDATER_PID_FILE);
+	if (pidFile.open(IO_WriteOnly)) {
+		TQTextStream stream(&pidFile);
+		stream << getpid();
+		pidFile.close();
+	}
+
+	// Seed random number generator
+	struct timeval time;
+	gettimeofday(&time,NULL);
+	srand((time.tv_sec * 1000) + (time.tv_usec / 1000));
+
+	// Initialize TDE application libraries
+	TDEAboutData aboutData( "tdeldapcertupdater", I18N_NOOP("Realm Certificate Updater"),
+		version, description, TDEAboutData::License_GPL,
+		"(c) 2013, Timothy Pearson");
+		aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
+	TDECmdLineArgs::init( argc, argv, &aboutData );
+	TDEApplication::disableAutoDcopRegistration();
+
+	TDEApplication app(false, false);
+
+	TDEStartupInfo::appStarted();
+
+	//======================================================================================================================================================
+	//
+	// Updater code follows
+	//
+	//======================================================================================================================================================
+
+	KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
+	LDAPRealmConfigList realms = LDAPManager::readTDERealmList(systemconfig, false);
+	TQString m_defaultRealm = systemconfig->readEntry("DefaultRealm");
+
+	int prevSecondsToExpiry = (7*24*60*60);
+
+	while (1) {
+		bool allDownloadsOK = true;
+		TQDateTime now = TQDateTime::currentDateTime();
+		TQDateTime earliestCertExpiry = now.addDays(14);	// Recheck every 7 days regardless of last expiry check results
+
+		LDAPRealmConfigList::Iterator it;
+		for (it = realms.begin(); it != realms.end(); ++it) {
+			LDAPRealmConfig realmcfg = it.data();
+			TQString certificateName = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crt";
+
+			TQDateTime certExpiry;
+			TQDateTime soon = now.addDays(7);		// Keep in sync with src/ldapcontroller.cpp
+
+			if (TQFile::exists(certificateName)) {
+				certExpiry = LDAPManager::getCertificateExpiration(certificateName);
+				if (certExpiry >= now) {
+					printf("[INFO] Certificate %s expires %s\n\r", certificateName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
+				}
+				if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+					if (get_certificate_from_server(certificateName, realmcfg) != 0) {
+						allDownloadsOK = false;
+					}
+				}
+				if (certExpiry < earliestCertExpiry) {
+					earliestCertExpiry = certExpiry;
+				}
+			}
+			else {
+				mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+				mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+				if (get_certificate_from_server(certificateName, realmcfg) != 0) {
+					allDownloadsOK = false;
+				}
+			}
+		}
+
+		earliestCertExpiry = earliestCertExpiry.addDays(-7);	// Keep in sync with now.addDays above (use negative of value given above)
+		int secondsToExpiry = now.secsTo(earliestCertExpiry);
+		secondsToExpiry = secondsToExpiry + (rand()%(5*60));	// Nothing worse than thousands of clients hammering the LDAP server all at once...
+		if (secondsToExpiry < 1) {
+			secondsToExpiry = 1;
+		}
+		if ((prevSecondsToExpiry == 1) && (allDownloadsOK)) {
+			// The server has not yet updated its certificate, even though our copy is close to expiration
+			// Therefore, do not hammer the server with useless requests!
+			prevSecondsToExpiry = (15*60) + (rand()%(5*60));
+		}
+		prevSecondsToExpiry = secondsToExpiry;
+		printf("[INFO] Will recheck certificates in %d seconds (%d days)\n\r", secondsToExpiry, secondsToExpiry/60/60/24); fflush(stdout);
+		if (sleep(secondsToExpiry) != 0) {
+			// Signal caught
+			if (!received_sighup) {
+				break;
+			}
+		}
+	}
+
+	unlink(TDE_LDAP_CERT_UPDATER_PID_FILE);
+
+	//======================================================================================================================================================
+
+	return 0;
+}

src/ldapbonding.cpp

@@ -1,5 +1,5 @@
 /***************************************************************************
- *   Copyright (C) 2012 by Timothy Pearson                                 *
+ *   Copyright (C) 2012-2013 by Timothy Pearson                            *
  *   kb9vqf@pearsoncomputing.net                                           *
  *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
@@ -18,6 +18,9 @@
  *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
  ***************************************************************************/
 
+#include <sys/types.h>
+#include <signal.h>
+
 #include <tqlayout.h>
 
 #include <tdelocale.h>
@@ -49,11 +52,6 @@
 // FIXME
 // Connect this to CMake/Automake
 #define KDE_CONFDIR "/etc/trinity"
-#define KRB5_FILE "/etc/krb5.conf"
-#define NSSWITCH_FILE "/etc/nsswitch.conf"
-#define PAMD_DIRECTORY "/etc/pam.d/"
-#define PAMD_COMMON_ACCOUNT "common-account"
-#define PAMD_COMMON_AUTH "common-auth"
 
 typedef KGenericFactory<LDAPConfig, TQWidget> ldapFactory;
 
@@ -71,7 +69,7 @@ LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&)
 	TDEAboutData* about = new TDEAboutData("ldap", I18N_NOOP("TDE LDAP Manager"), "0.1",
 		I18N_NOOP("TDE LDAP Manager Control Panel Module"),
 		TDEAboutData::License_GPL,
-		I18N_NOOP("(c) 2012 Timothy Pearson"), 0, 0);
+		I18N_NOOP("(c) 2012-2013 Timothy Pearson"), 0, 0);
 	
 	about->addAuthor("Timothy Pearson", 0, "kb9vqf@pearsoncomputing.net");
 	setAboutData( about );
@@ -103,17 +101,16 @@ LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&)
 	connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
 	connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed()));
 
-	m_fqdn = LDAPManager::getMachineFQDN();
+	hostFQDN = LDAPManager::getMachineFQDN();
 	base->hostFQDN->setEnabled(false);
 	base->hostFQDN->clear();
-	base->hostFQDN->insertItem(m_fqdn);
+	base->hostFQDN->insertItem(hostFQDN);
 
 	load();
 
 	systemconfig->setGroup(NULL);
-	TQString ldapRole = systemconfig->readEntry("LDAPRole", "Workstation");
 
-	if ((getuid() != 0) || (!systemconfig->checkConfigFilesWritable( true )) || (ldapRole != "Workstation")) {
+	if ((getuid() != 0) || (!systemconfig->checkConfigFilesWritable( true )) || (m_clientRealmConfig.ldapRole != "Workstation")) {
 		base->systemEnableSupport->setEnabled(false);
 	}
 
@@ -133,51 +130,33 @@ void LDAPConfig::load() {
 void LDAPConfig::load(bool useDefaults )
 {
 	int i;
-	bool thisIsMyMachine;
 
-	//Update the toggle buttons with the current configuration
-	systemconfig->setReadDefaults( useDefaults );
-	
-	systemconfig->setGroup(NULL);
-	base->systemEnableSupport->setChecked(systemconfig->readBoolEntry("EnableLDAP", false));
-	m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null);
-	m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400);
-	if (m_fqdn == systemconfig->readEntry("HostFQDN", "")) {
-		thisIsMyMachine = true;
-	}
-	else {
-		thisIsMyMachine = false;
-	}
+	m_clientRealmConfig = LDAPManager::loadClientRealmConfig(systemconfig, useDefaults);
 
-	m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3);
-	m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2);
-	m_bindPolicy = systemconfig->readEntry("ConnectionBindPolicy", "soft");
-	m_ldapBindTimeout = systemconfig->readNumEntry("ConnectionBindTimeout", 2);
-	m_passwordHash = systemconfig->readEntry("ConnectionPasswordHash", "exop");
-	m_ignoredUsers = systemconfig->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST);
+	base->systemEnableSupport->setChecked(m_clientRealmConfig.enable_bonding);
 	
 	// Load realms
 	m_realms.clear();
-	m_realms = LDAPManager::readTDERealmList(systemconfig, !thisIsMyMachine);
+	m_realms = LDAPManager::readTDERealmList(systemconfig, !m_clientRealmConfig.configurationVerifiedForLocalMachine);
 
-	base->ticketLifetime->setValue(m_ticketLifetime);
+	base->ticketLifetime->setValue(m_clientRealmConfig.ticketLifetime);
 
-	base->ldapVersion->setValue(m_ldapVersion);
-	base->ldapTimeout->setValue(m_ldapTimeout);
+	base->ldapVersion->setValue(m_clientRealmConfig.ldapVersion);
+	base->ldapTimeout->setValue(m_clientRealmConfig.ldapTimeout);
 	for (i=0; i<base->bindPolicy->count(); i++) {
-		if (base->bindPolicy->text(i).lower() == m_defaultRealm.lower()) {
+		if (base->bindPolicy->text(i).lower() == m_clientRealmConfig.defaultRealm.lower()) {
 			base->bindPolicy->setCurrentItem(i);
 			break;
 		}
 	}
-	base->ldapBindTimeout->setValue(m_ldapBindTimeout);
+	base->ldapBindTimeout->setValue(m_clientRealmConfig.ldapBindTimeout);
 	for (i=0; i<base->passwordHash->count(); i++) {
-		if (base->passwordHash->text(i).lower() == m_passwordHash.lower()) {
+		if (base->passwordHash->text(i).lower() == m_clientRealmConfig.passwordHash.lower()) {
 			base->passwordHash->setCurrentItem(i);
 			break;
 		}
 	}
-	base->ignoredUsers->setText(m_ignoredUsers);
+	base->ignoredUsers->setText(m_clientRealmConfig.ignoredUsers);
 
 	updateRealmList();
 
@@ -195,9 +174,9 @@ void LDAPConfig::updateRealmList() {
 		(void)new TQListViewItem(base->ldapRealmList, ((realmcfg.bonded)?i18n("Bonded"):i18n("Deactivated")), realmcfg.name);
 		base->defaultRealm->insertItem(realmcfg.name);
 	}
-	if (m_defaultRealm != "") {
+	if (m_clientRealmConfig.defaultRealm != "") {
 		for (int i=0; i<base->defaultRealm->count(); i++) {
-			if (base->defaultRealm->text(i) == m_defaultRealm) {
+			if (base->defaultRealm->text(i) == m_clientRealmConfig.defaultRealm) {
 				base->defaultRealm->setCurrentItem(i);
 				break;
 			}
@@ -213,71 +192,87 @@ void LDAPConfig::defaults() {
 void LDAPConfig::save() {
 	TQString errorstring;
 
+	m_clientRealmConfig.hostFQDN = hostFQDN;
+
+	m_clientRealmConfig.enable_bonding = base->systemEnableSupport->isChecked();
+	m_clientRealmConfig.defaultRealm = base->defaultRealm->currentText();
+	m_clientRealmConfig.ticketLifetime = base->ticketLifetime->value();
+
+	m_clientRealmConfig.ldapVersion = base->ldapVersion->value();
+	m_clientRealmConfig.ldapTimeout = base->ldapTimeout->value();
+	m_clientRealmConfig.bindPolicy = base->bindPolicy->currentText();
+	m_clientRealmConfig.ldapBindTimeout = base->ldapBindTimeout->value();
+	m_clientRealmConfig.passwordHash = base->passwordHash->currentText();
+	m_clientRealmConfig.ignoredUsers = base->ignoredUsers->text();
+
 	// Write system configuration
-	systemconfig->setGroup(NULL);
-	systemconfig->writeEntry("EnableLDAP", base->systemEnableSupport->isChecked());
-	systemconfig->writeEntry("HostFQDN", m_fqdn);
-	m_defaultRealm = base->defaultRealm->currentText();
-	m_ticketLifetime = base->ticketLifetime->value();
-
-	m_ldapVersion = base->ldapVersion->value();
-	m_ldapTimeout = base->ldapTimeout->value();
-	m_bindPolicy = base->bindPolicy->currentText();
-	m_ldapBindTimeout = base->ldapBindTimeout->value();
-	m_passwordHash = base->passwordHash->currentText();
-	m_ignoredUsers = base->ignoredUsers->text();
-
-	if (m_defaultRealm != "") {
-		systemconfig->writeEntry("DefaultRealm", m_defaultRealm);
-	}
-	else {
-		systemconfig->deleteEntry("DefaultRealm");
+	if (LDAPManager::saveClientRealmConfig(m_clientRealmConfig, systemconfig, &errorstring) != 0) {
+		KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
+		return;
 	}
-	systemconfig->writeEntry("TicketLifetime", m_ticketLifetime);
-
-	systemconfig->writeEntry("ConnectionLDAPVersion", m_ldapVersion);
-	systemconfig->writeEntry("ConnectionLDAPTimeout", m_ldapTimeout);
-	systemconfig->writeEntry("ConnectionBindPolicy", m_bindPolicy);
-	systemconfig->writeEntry("ConnectionBindTimeout", m_ldapBindTimeout);
-	systemconfig->writeEntry("ConnectionPasswordHash", m_passwordHash);
-	systemconfig->writeEntry("ConnectionIgnoredUsers", m_ignoredUsers);
 
 	LDAPManager::writeTDERealmList(m_realms, systemconfig);
 	systemconfig->sync();
 
-	if (base->systemEnableSupport->isChecked()) {
+	if (m_clientRealmConfig.enable_bonding) {
 		// Write the Kerberos5 configuration file
-		writeKrb5ConfFile();
+		if (LDAPManager::writeClientKrb5ConfFile(m_clientRealmConfig, m_realms, &errorstring) != 0) {
+			KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
+			return;
+		}
 		// Write the LDAP configuration file
-		writeLDAPConfFile();
+		if (LDAPManager::writeLDAPConfFile(m_realms[m_clientRealmConfig.defaultRealm], &errorstring) != 0) {
+			KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
+			return;
+		}
 		// Write the NSSwitch configuration file
-		writeNSSwitchFile();
+		if (LDAPManager::writeNSSwitchFile(&errorstring) != 0) {
+			KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
+			return;
+		}
 		// Write the PAM configuration files
-		writePAMFiles();
+		if (LDAPManager::writePAMFiles(&errorstring) != 0) {
+			KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
+			return;
+		}
 		// Write the cron files
-		LDAPManager::writeCronFiles();
+		if (LDAPManager::writeClientCronFiles() != 0) {
+			KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
+			return;
+		}
 
-		if (m_defaultRealm != "") {
+		if (m_clientRealmConfig.defaultRealm != "") {
 			// Bind anonymously to LDAP
 			LDAPCredentials* credentials = new LDAPCredentials;
 			credentials->username = "";
 			credentials->password = "";
-			credentials->realm = m_defaultRealm.upper();
+			credentials->realm = m_clientRealmConfig.defaultRealm.upper();
 			credentials->use_tls = false;
-			LDAPManager* ldap_mgr = new LDAPManager(m_defaultRealm.upper(), TQString("ldap://%1").arg(m_realms[m_defaultRealm].admin_server).ascii(), credentials);
+			LDAPManager* ldap_mgr = new LDAPManager(m_clientRealmConfig.defaultRealm.upper(), TQString("ldap://%1").arg(m_realms[m_clientRealmConfig.defaultRealm].admin_server).ascii(), credentials);
 	
 			// Add the domain-wide computer local admin group to local sudoers
 			ldap_mgr->writeSudoersConfFile(&errorstring);
+
 			// Get and install the CA root certificate from LDAP
 			mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
 			mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
-			if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PUBLICDIR + m_realms[m_defaultRealm].admin_server + ".ldap.crt", &errorstring) != 0) {
-				KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root certificate for realm %1!</b><p>Details: %2</qt>").arg(m_defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain Certificate"));
+			if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PUBLICDIR + m_realms[m_clientRealmConfig.defaultRealm].admin_server + ".ldap.crt", &errorstring) != 0) {
+				KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root certificate for realm %1!</b><p>Details: %2</qt>").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain Certificate"));
 			}
 	
 			delete ldap_mgr;
 			delete credentials;
 		}
+
+		// Certificates may have changed; force the certificate update daemon to reload its configuration
+		pid_t certUpdaterPID;
+		TQFile pidFile(TDE_LDAP_CERT_UPDATER_PID_FILE);
+		if (pidFile.open(IO_ReadOnly)) {
+			TQTextStream stream(&pidFile);
+			stream >> certUpdaterPID;
+			pidFile.close();
+			kill(certUpdaterPID, SIGHUP);
+		}
 	}
 
 	load();
@@ -339,7 +334,7 @@ void LDAPConfig::reBondToRealm() {
 		passdlg.m_base->ldapAdminRealm->setText(realmName);
 		if (passdlg.exec() == TQDialog::Accepted) {
 			setEnabled(false);
-			if (LDAPManager::bondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) {
+			if (LDAPManager::bondRealm(passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) {
 				// Success!
 				realmcfg.bonded = true;
 				m_realms.remove(realmName);
@@ -406,117 +401,6 @@ void LDAPConfig::realmProperties() {
 	}
 }
 
-void LDAPConfig::writeKrb5ConfFile() {
-	TQFile file(KRB5_FILE);
-	if (file.open(IO_WriteOnly)) {
-		TQTextStream stream( &file );
-
-		stream << "# This file was automatically generated by TDE\n";
-		stream << "# All changes will be lost!\n";
-		stream << "\n";
-
-		// Defaults
-		stream << "[libdefaults]\n";
-		stream << "    ticket_lifetime = " << m_ticketLifetime << "\n";
-		if (m_defaultRealm != "") {
-			stream << "    default_realm = " << m_defaultRealm << "\n";
-		}
-		stream << "\n";
-
-		// Realms
-		stream << "[realms]\n";
-		LDAPRealmConfigList::Iterator it;
-		for (it = m_realms.begin(); it != m_realms.end(); ++it) {
-			LDAPRealmConfig realmcfg = it.data();
-			stream << "   " << realmcfg.name << " = {\n";
-			stream << "        kdc = " << realmcfg.kdc << ":" << realmcfg.kdc_port << "\n";
-			stream << "        admin_server = " << realmcfg.admin_server << ":" << realmcfg.admin_server_port << "\n";
-			stream << "        pkinit_require_eku = " << (realmcfg.pkinit_require_eku?"true":"false") << "\n";
-			stream << "        pkinit_require_krbtgt_otherName = " << (realmcfg.pkinit_require_krbtgt_otherName?"true":"false") << "\n";
-			stream << "        win2k_pkinit = " << (realmcfg.win2k_pkinit?"yes":"no") << "\n";
-			stream << "        win2k_pkinit_require_binding = " << (realmcfg.win2k_pkinit_require_binding?"yes":"no") << "\n";
-			stream << "   }\n";
-		}
-		stream << "\n";
-
-		// Domain aliases
-		stream << "[domain_realm]\n";
-		LDAPRealmConfigList::Iterator it2;
-		for (it2 = m_realms.begin(); it2 != m_realms.end(); ++it2) {
-			LDAPRealmConfig realmcfg = it2.data();
-			TQStringList domains = realmcfg.domain_mappings;
-			for (TQStringList::Iterator it3 = domains.begin(); it3 != domains.end(); ++it3 ) {
-				stream << "    " << *it3 << " = " << realmcfg.name << "\n";
-			}
-		}
-
-		file.close();
-	}
-}
-
-void LDAPConfig::writeLDAPConfFile() {
-	LDAPManager::writeLDAPConfFile(m_realms[m_defaultRealm]);
-}
-
-void LDAPConfig::writeNSSwitchFile() {
-	TQFile file(NSSWITCH_FILE);
-	if (file.open(IO_WriteOnly)) {
-		TQTextStream stream( &file );
-
-		stream << "# This file was automatically generated by TDE\n";
-		stream << "# All changes will be lost!\n";
-		stream << "\n";
-		stream << "passwd:         files ldap [NOTFOUND=return] db" << "\n";
-		stream << "group:          files ldap [NOTFOUND=return] db" << "\n";
-		stream << "shadow:         files ldap [NOTFOUND=return] db" << "\n";
-		stream << "\n";
-		stream << "hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4" << "\n";
-		stream << "networks:       files" << "\n";
-		stream << "\n";
-		stream << "protocols:      db files" << "\n";
-		stream << "services:       db files" << "\n";
-		stream << "ethers:         db files" << "\n";
-		stream << "rpc:            db files" << "\n";
-		stream << "\n";
-		stream << "netgroup:       nis" << "\n";
-
-		file.close();
-	}
-}
-
-void LDAPConfig::writePAMFiles() {
-	TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT);
-	if (file.open(IO_WriteOnly)) {
-		TQTextStream stream( &file );
-
-		stream << "# This file was automatically generated by TDE\n";
-		stream << "# All changes will be lost!\n";
-		stream << "\n";
-		stream << "account sufficient pam_unix.so nullok_secure" << "\n";
-		stream << "account sufficient pam_ldap.so" << "\n";
-		stream << "account required pam_permit.so" << "\n";
-
-		file.close();
-	}
-
-	TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH);
-	if (file2.open(IO_WriteOnly)) {
-		TQTextStream stream( &file2 );
-
-		stream << "# This file was automatically generated by TDE\n";
-		stream << "# All changes will be lost!\n";
-		stream << "\n";
-		stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n";
-		stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
-		stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
-		stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
-		stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
-		stream << "auth required pam_deny.so" << "\n";
-
-		file2.close();
-	}
-}
-
 int LDAPConfig::buttons() {
 	return TDECModule::Apply|TDECModule::Help;
 }

src/ldapbonding.h

@@ -1,5 +1,5 @@
 /***************************************************************************
- *   Copyright (C) 2012 by Timothy Pearson                                 *
+ *   Copyright (C) 2012-2013 by Timothy Pearson                            *
  *   kb9vqf@pearsoncomputing.net                                           *
  *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
@@ -65,26 +65,15 @@ class LDAPConfig: public TDECModule
 
 	private:
 		void updateRealmList();
-		void writeKrb5ConfFile();
-		void writeLDAPConfFile();
-		void writeNSSwitchFile();
-		void writePAMFiles();
 
 	private:
 		TDEAboutData *myAboutData;
 		TDEGlobalSettings *kgs;
 		LDAPConfigBase *base;
 		LDAPRealmConfigList m_realms;
-		TQString m_fqdn;
-		TQString m_defaultRealm;
-		int m_ticketLifetime;
+		LDAPClientRealmConfig m_clientRealmConfig;
 
-		int m_ldapVersion;
-		int m_ldapTimeout;
-		TQString m_bindPolicy;
-		int m_ldapBindTimeout;
-		TQString m_passwordHash;
-		TQString m_ignoredUsers;
+		TQString hostFQDN;
 };
 
 #endif // _KCMLDAP_H_

subdirs

@@ -1,3 +1,4 @@
+cert-updater
 cmdline
 doc
 pics