diff --git a/confskel/openldap/ldif/config.ldif b/confskel/openldap/ldif/config.ldif
index 8df7bdc..291975a 100644
--- a/confskel/openldap/ldif/config.ldif
+++ b/confskel/openldap/ldif/config.ldif
@@ -6,6 +6,7 @@ olcConfigDir: /tmp/ldap
olcArgsFile: /var/run/slapd/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
+olcAllows: bind_v2 update_anon
olcAuthzRegexp: uid=([^,]+),cn=@@@REALM_LCNAME@@@,cn=gssapi,cn=auth uid=$1,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@
olcConcurrency: 0
olcConnMaxPending: 100
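Review bot: `update_anon` on the new `olcAllows` line permits unauthenticated clients to attempt modify operations, so the access-control rules become the only barrier to anonymous writes, and with `olcAuthzPolicy: none` just above nothing on this page shows which ACL actually restricts them. If the intent is to let the local setup tool write over ldapi:// without a password (the controller in this commit binds with empty credentials), SASL EXTERNAL with the peer uid/gid mapped through `olcAuthzRegexp` achieves that without opening anonymous updates to every client that can reach the server. `bind_v2` likewise re-enables legacy LDAPv2 binds; keep it only if a known client needs it, and record the reason for each flag in a comment such as `# bind_v2: required by <client>; update_anon: local bootstrap over ldapi only, see ACL`.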
@@ -18,6 +19,7 @@ olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
+olcSecurity: simple_bind=56
olcLogLevel: Stats
olcPidFile: /var/run/slapd/slapd.pid
olcReadOnly: FALSE
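Review bot: `olcSecurity: simple_bind=56` sets a 56-bit security-strength floor for simple binds only, which is single-DES-era protection and places no requirement on anonymous or SASL operations, so the `update_anon` allowance added earlier in this file is unaffected by it. A floor of 128 is the usual minimum today, but note that `olcLocalSSF: 71` currently clears 56 and would not clear 128, so raising the bind floor needs a matching `olcLocalSSF` change for ldapi:// clients to keep working. If updates should also require a protected transport, add `update_ssf=` (or a general `ssf=`) alongside, e.g. `olcSecurity: simple_bind=128 update_ssf=128`.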
diff --git a/src/certconfigpagedlg.ui b/src/certconfigpagedlg.ui
index bd71535..0fad03d 100644
--- a/src/certconfigpagedlg.ui
+++ b/src/certconfigpagedlg.ui
@@ -184,7 +184,7 @@
25
- *.pem|PKI Anchor Files (*.pem)
+ *.pem|PKI Certificate Files (*.pem)
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index cf85638..3a79467 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -45,6 +45,7 @@
#include
#include
#include
+#include
#include "sha1.h"
@@ -67,15 +68,6 @@
#define SASL_CONTROL_FILE "/etc/ldap/sasl2/slapd.conf"
#define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl"
-#define KERBEROS_PKI_PEM_FILE KERBEROS_PKI_ANCHORDIR "tdeca.pem"
-#define KERBEROS_PKI_PEMKEY_FILE KERBEROS_PKI_ANCHORDIR "tdeca.key.pem"
-#define KERBEROS_PKI_KDC_FILE KERBEROS_PKI_PUBLICDIR "@@@KDCSERVER@@@.pki.crt"
-#define KERBEROS_PKI_KDCKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.key"
-#define KERBEROS_PKI_KDCREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.req"
-
-#define LDAP_CERT_FILE KERBEROS_PKI_PUBLICDIR "@@@ADMINSERVER@@@.ldap.crt"
-#define LDAP_CERTKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.key"
-#define LDAP_CERTREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.req"
#define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions"
@@ -121,6 +113,9 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
connect(m_base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
connect(m_base->systemRole, TQT_SIGNAL(activated(const TQString&)), this, TQT_SLOT(systemRoleChanged()));
+ connect(m_base->caRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaRegenerate()));
+ connect(m_base->caExport, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExport()));
+
m_fqdn = LDAPManager::getMachineFQDN();
// FIXME
@@ -170,6 +165,10 @@ void LDAPController::systemRoleChanged() {
m_base->systemRole->setCurrentItem(ROLE_WORKSTATION);
save();
}
+ else {
+ // Wizard completed; commit changes
+ save();
+ }
// Something probably changed
load();
@@ -221,6 +220,55 @@ void LDAPController::load() {
m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress");
m_systemconfig->setGroup(NULL);
+
+ if (m_base->systemRole->currentItem() == ROLE_REALM_CONTROLLER) {
+ m_base->groupRealmController->show();
+ m_base->groupRealmCertificates->show();
+
+ m_base->realmName->setText(m_systemconfig->readEntry("DefaultRealm"));
+ m_base->caExpiryString->setText("Expires " + LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE).toString());
+ // RAJA FIXME
+ }
+ else {
+ m_base->groupRealmController->hide();
+ m_base->groupRealmCertificates->hide();
+ }
+
+ processLockouts();
+}
+
+void LDAPController::btncaRegenerate() {
+ LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+
+ TQString realmname = m_systemconfig->readEntry("DefaultRealm").upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "";
+ credentials->password = "";
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+
+ // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+ TQString errorstring;
+ if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
+ KMessageBox::error(0, i18n("Unable to upload new certificate to LDAP server!%1
").arg(errorstring), i18n("Internal Failure"));
+ }
+
+ load();
+}
+
+void LDAPController::btncaExport() {
+ KURL src = KERBEROS_PKI_PEM_FILE;
+ KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate..."));
+ if (!dest.isEmpty()) {
+ KIO::CopyJob* job = KIO::copy(src, dest, true);
+ connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*)));
+ }
+}
+
+void LDAPController::slotCertCopyResult(KIO::Job* job) {
+ if (job->error()) {
+ job->showErrorDialog(this);
+ }
}
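Review bot: `btncaRegenerate()` ignores the return value of `LDAPManager::generatePublicKerberosCACertificate()` and then uploads whatever is at `KERBEROS_PKI_PEM_FILE`, so a failed regeneration still pushes the old or partial CA into the directory; check the result before calling `uploadKerberosCAFileToLDAP()`. Regenerating the CA also invalidates every KDC and LDAP certificate previously issued under it, yet the slot runs on a single click with no confirmation, so a `KMessageBox::warningContinueCancel` before the call is warranted. The `LDAPCredentials` and `LDAPManager` allocated in the slot are never deleted, unlike the error path in `createNewLDAPRealm()` later in this commit. The `load()` body that opens this hunk begins outside it.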
void LDAPController::defaults() {
@@ -246,19 +294,6 @@ void LDAPController::save() {
m_systemconfig->sync();
- if (m_base->systemEnableSupport->isChecked()) {
-// // Write the Kerberos5 configuration file
-// writeKrb5ConfFile();
-// // Write the LDAP configuration file
-// writeLDAPConfFile();
-// // Write the NSSwitch configuration file
-// writeNSSwitchFile();
-// // Write the PAM configuration files
-// writePAMFiles();
-// // Write the cron files
-// writeCronFiles();
- }
-
load();
}
@@ -747,10 +782,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
- command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
- system(command);
- chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- chown(KERBEROS_PKI_PEM_FILE, 0, 0);
+ LDAPManager::generatePublicKerberosCACertificate(certinfo);
// KDC certificate
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
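Review bot: the replacement call `LDAPManager::generatePublicKerberosCACertificate(certinfo)` discards its return value, so if the helper fails `createRealmCertificates()` continues on to issue the KDC certificate against a missing or stale CA; test it, e.g. `if (LDAPManager::generatePublicKerberosCACertificate(certinfo) != 0) return -1;`. The removed inline code interpolated the user-supplied subject fields directly into a `system()` command line; the helper is not visible here, so confirm it quotes or escapes those fields (or passes them via an OpenSSL config file) rather than inheriting the same shell-injection exposure, and that it still leaves the public PEM at mode 0644 owned by root as the removed `chmod`/`chown` did. The function continues past both ends of this hunk.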
@@ -796,6 +828,19 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
return 0;
}
+int LDAPController::uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr) {
+ // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+ TQFile cafile(KERBEROS_PKI_PEM_FILE);
+ if (cafile.open(IO_ReadOnly)) {
+ TQByteArray cafiledata = cafile.readAll();
+ if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", errstr) != 0) {
+ return -1;
+ }
+ return 0;
+ }
+ return -1;
+}
+
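Review bot: `uploadKerberosCAFileToLDAP()` returns -1 without setting `*errstr` when `cafile.open(IO_ReadOnly)` fails, so the caller's error dialog, which prints `errorstring`, shows no reason; set it before returning, e.g. `if (errstr) *errstr = i18n("Unable to read %1").arg(KERBEROS_PKI_PEM_FILE);`. The header declares `errstr` with a default of 0 and the pointer is handed straight to `writeCertificateFileIntoDirectory()`; unless that method is known to tolerate a null `errstr`, pass a local `TQString` and copy it out under the guard. A short header comment stating that the caller owns `ldap_mgr` and must already hold write access to the certificate entry would also help.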
int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) {
int ldifSchemaNumber;
@@ -1078,8 +1123,8 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower());
TQString basedcname = "dc=" + domainChunks.join(",dc=");
LDAPCredentials* credentials = new LDAPCredentials;
- credentials->username = "cn="+rootUserName+","+basedcname;
- credentials->password = rootPassword;
+ credentials->username = "";
+ credentials->password = "";
credentials->realm = realmconfig.name.upper();
LDAPManager* ldap_mgr = new LDAPManager(realmconfig.name.upper(), "ldapi://", credentials);
if (ldap_mgr->moveKerberosEntries("o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm," + basedcname, &errorstring) != 0) {
@@ -1091,16 +1136,12 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
}
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
- TQFile cafile(KERBEROS_PKI_PEM_FILE);
- if (cafile.open(IO_ReadOnly)) {
- TQByteArray cafiledata = cafile.readAll();
- if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", &errorstring) != 0) {
- delete ldap_mgr;
- delete credentials;
- if (errstr) *errstr = errorstring;
- pdialog.closeDialog();
- return -1;
- }
+ if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
+ delete ldap_mgr;
+ delete credentials;
+ if (errstr) *errstr = errorstring;
+ pdialog.closeDialog();
+ return -1;
}
// Set @@@ADMINUSER@@@ password in kadmin
diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h
index 4e9e862..d48f00f 100644
--- a/src/ldapcontroller.h
+++ b/src/ldapcontroller.h
@@ -29,6 +29,7 @@
#include
#include
#include
+#include
#include
@@ -42,27 +43,6 @@ enum sc_command {
SC_SETDBPERMS
};
-// PRIVATE
-class LDAPCertConfig
-{
- public:
- bool generate_certs;
- TQString provided_kerberos_pem;
- TQString provided_kerberos_pemkey;
- TQString provided_kerberos_crt;
- TQString provided_kerberos_key;
- TQString provided_ldap_crt;
- TQString provided_ldap_key;
-
- TQString countryName;
- TQString stateOrProvinceName;
- TQString localityName;
- TQString organizationName;
- TQString orgUnitName;
- TQString commonName;
- TQString emailAddress;
-};
-
class LDAPController: public KCModule
{
Q_OBJECT
@@ -85,6 +65,10 @@ class LDAPController: public KCModule
void systemRoleChanged();
void processLockouts();
+ void btncaRegenerate();
+ void btncaExport();
+ void slotCertCopyResult(KIO::Job*);
+
private:
int controlKAdminDaemon(sc_command command);
int controlSASLServer(sc_command command);
@@ -95,6 +79,7 @@ class LDAPController: public KCModule
int addHostEntryToKerberosRealm(TQString kerberosHost, TQString *errstr);
int setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr);
int createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmConfig realmconfig, uid_t ldap_uid, gid_t ldap_gid);
+ int uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr=0);
private:
KAboutData *myAboutData;
diff --git a/src/ldapcontrollerconfigbase.ui b/src/ldapcontrollerconfigbase.ui
index 0c373cc..64d4623 100644
--- a/src/ldapcontrollerconfigbase.ui
+++ b/src/ldapcontrollerconfigbase.ui
@@ -68,6 +68,74 @@
+
+
+ groupRealmController
+
+
+ Realm Controller
+
+
+
+ unnamed
+
+
+
+ unnamed
+
+
+ Realm Name:
+
+
+
+
+ realmName
+
+
+
+
+
+
+ groupRealmCertificates
+
+
+ Realm Certificates
+
+
+
+ unnamed
+
+
+
+ unnamed
+
+
+ Certificate Authority:
+
+
+
+
+ caExpiryString
+
+
+
+
+ caRegenerate
+
+
+ Regenerate Certificate
+
+
+
+
+ caExport
+
+
+ Export Certificate
+
+
+
+
Spacer4