From 023a331a3c85d7fae541cc1c3c721af2cc3415fe Mon Sep 17 00:00:00 2001 From: Timothy Pearson Date: Thu, 7 Jun 2012 02:43:33 -0500 Subject: [PATCH] Add root CA certificate management Allow anonymous writes on ldapi --- confskel/openldap/ldif/config.ldif | 2 + src/certconfigpagedlg.ui | 2 +- src/ldapcontroller.cpp | 117 +++++++++++++++++++---------- src/ldapcontroller.h | 27 ++----- src/ldapcontrollerconfigbase.ui | 68 +++++++++++++++++ 5 files changed, 156 insertions(+), 60 deletions(-) diff --git a/confskel/openldap/ldif/config.ldif b/confskel/openldap/ldif/config.ldif index 8df7bdc..291975a 100644 --- a/confskel/openldap/ldif/config.ldif +++ b/confskel/openldap/ldif/config.ldif @@ -6,6 +6,7 @@ olcConfigDir: /tmp/ldap olcArgsFile: /var/run/slapd/slapd.args olcAttributeOptions: lang- olcAuthzPolicy: none +olcAllows: bind_v2 update_anon olcAuthzRegexp: uid=([^,]+),cn=@@@REALM_LCNAME@@@,cn=gssapi,cn=auth uid=$1,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@ olcConcurrency: 0 olcConnMaxPending: 100 @@ -18,6 +19,7 @@ olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 olcIndexIntLen: 4 olcLocalSSF: 71 +olcSecurity: simple_bind=56 olcLogLevel: Stats olcPidFile: /var/run/slapd/slapd.pid olcReadOnly: FALSE diff --git a/src/certconfigpagedlg.ui b/src/certconfigpagedlg.ui index bd71535..0fad03d 100644 --- a/src/certconfigpagedlg.ui +++ b/src/certconfigpagedlg.ui @@ -184,7 +184,7 @@ 25 - *.pem|PKI Anchor Files (*.pem) + *.pem|PKI Certificate Files (*.pem) diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp index cf85638..3a79467 100644 --- a/src/ldapcontroller.cpp +++ b/src/ldapcontroller.cpp @@ -45,6 +45,7 @@ #include #include #include +#include #include "sha1.h" 
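Review bot: `olcAllows: bind_v2 update_anon` in the config.ldif hunk is a server-wide switch, so anonymous update requests are now processed on every listener, not only on the ldapi socket the new controller code binds to; whether such a request changes anything is then decided solely by the olcAccess rules, which this patch does not touch and which are not visible here. The `olcSecurity: simple_bind=56` added in the second hunk does not narrow this, because it constrains simple binds and an anonymous update performs none. If the goal is passwordless local administration, SASL EXTERNAL over ldapi (the peer's uid/gid become the bind identity under `cn=peercred,cn=external,cn=auth`) gives that without enabling anonymous writes at all; failing that, the invariant should be stated next to the directive, e.g. `# update_anon is only safe while olcAccess limits anonymous writes to the ldapi socket (peername.path); keep the two in sync`. `bind_v2` additionally re-enables the obsolete LDAPv2 bind, which the commit message does not justify; drop it unless a client is known to need it.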
@@ -67,15 +68,6 @@ #define SASL_CONTROL_FILE "/etc/ldap/sasl2/slapd.conf" #define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl" -#define KERBEROS_PKI_PEM_FILE KERBEROS_PKI_ANCHORDIR "tdeca.pem" -#define KERBEROS_PKI_PEMKEY_FILE KERBEROS_PKI_ANCHORDIR "tdeca.key.pem" -#define KERBEROS_PKI_KDC_FILE KERBEROS_PKI_PUBLICDIR "@@@KDCSERVER@@@.pki.crt" -#define KERBEROS_PKI_KDCKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.key" -#define KERBEROS_PKI_KDCREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.req" - -#define LDAP_CERT_FILE KERBEROS_PKI_PUBLICDIR "@@@ADMINSERVER@@@.ldap.crt" -#define LDAP_CERTKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.key" -#define LDAP_CERTREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.req" #define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions" @@ -121,6 +113,9 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin connect(m_base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts())); connect(m_base->systemRole, TQT_SIGNAL(activated(const TQString&)), this, TQT_SLOT(systemRoleChanged())); + connect(m_base->caRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaRegenerate())); + connect(m_base->caExport, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExport())); + m_fqdn = LDAPManager::getMachineFQDN(); // FIXME @@ -170,6 +165,10 @@ void LDAPController::systemRoleChanged() { m_base->systemRole->setCurrentItem(ROLE_WORKSTATION); save(); } + else { + // Wizard completed; commit changes + save(); + } // Something probably changed load(); 
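Review bot: With the new `else` branch in the systemRoleChanged() hunk, both visible arms of the conditional end in `save();`, and the unconditional `load();` under `// Something probably changed` then re-reads settings that `save()` itself appears to reload (the save() hunk later in the patch ends with a `load();`, though the collapsed layout leaves it ambiguous whether that line is kept or removed). The function starts before the hunk, so earlier branches that do not save may exist; if they do not, hoist the single `save();` after the if/else and replace the stale comment with `// Persist the role change, then refresh the widgets from the saved state`. The `// Wizard completed; commit changes` comment should also say what guarantees a wizard ran on this path, since the condition that selects the branch is outside the hunk.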
@@ -221,6 +220,55 @@ void LDAPController::load() {
 m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress");
 m_systemconfig->setGroup(NULL);
+
+ if (m_base->systemRole->currentItem() == ROLE_REALM_CONTROLLER) {
+ m_base->groupRealmController->show();
+ m_base->groupRealmCertificates->show();
+
+ m_base->realmName->setText(m_systemconfig->readEntry("DefaultRealm"));
+ m_base->caExpiryString->setText("Expires " + LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE).toString());
+ // RAJA FIXME
+ }
+ else {
+ m_base->groupRealmController->hide();
+ m_base->groupRealmCertificates->hide();
+ }
+
+ processLockouts();
+}
+
+void LDAPController::btncaRegenerate() {
+ LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+
+ TQString realmname = m_systemconfig->readEntry("DefaultRealm").upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "";
+ credentials->password = "";
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+
+ // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+ TQString errorstring;
+ if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
+ KMessageBox::error(0, i18n("Unable to upload new certificate to LDAP server!

%1").arg(errorstring), i18n("Internal Failure")); + } + + load(); +} + +void LDAPController::btncaExport() { + KURL src = KERBEROS_PKI_PEM_FILE; + KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate...")); + if (!dest.isEmpty()) { + KIO::CopyJob* job = KIO::copy(src, dest, true); + connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*))); + } +} + +void LDAPController::slotCertCopyResult(KIO::Job* job) { + if (job->error()) { + job->showErrorDialog(this); + } } void LDAPController::defaults() { @@ -246,19 +294,6 @@ void LDAPController::save() { m_systemconfig->sync(); - if (m_base->systemEnableSupport->isChecked()) { -// // Write the Kerberos5 configuration file -// writeKrb5ConfFile(); -// // Write the LDAP configuration file -// writeLDAPConfFile(); -// // Write the NSSwitch configuration file -// writeNSSwitchFile(); -// // Write the PAM configuration files -// writePAMFiles(); -// // Write the cron files -// writeCronFiles(); - } - load(); } @@ -747,10 +782,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR); chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0); - command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); - system(command); - chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - chown(KERBEROS_PKI_PEM_FILE, 0, 0); + LDAPManager::generatePublicKerberosCACertificate(certinfo); // KDC certificate TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; 
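Review bot: `btncaRegenerate()` replaces the on-disk root CA via `LDAPManager::generatePublicKerberosCACertificate(m_certconfig)` before it knows whether the directory upload will succeed, so when `uploadKerberosCAFileToLDAP` fails the realm is left with a new certificate in KERBEROS_PKI_PEM_FILE and the old one under `publicRootCertificate` in LDAP, and nothing here restores either side; keeping a copy of the previous PEM and putting it back on upload failure would at least leave the two consistent. Replacing a realm's trust anchor from a bare button press is also easy to do by accident, so a confirmation dialog before the generate call would fit the file's existing KMessageBox usage. Independently, `credentials` and `ldap_mgr` are allocated with `new` and never deleted on any path in this function (the createNewLDAPRealm hunk later in the patch does `delete ldap_mgr; delete credentials;`), and the generate call's result is discarded — if it can report failure (its signature is not in this patch), check it before touching LDAP. Note also that `load()` here builds the `"Expires "` label without `i18n()`, unlike every other user-visible string in the hunk.
```cpp
void LDAPController::btncaRegenerate() {
	if (KMessageBox::warningContinueCancel(this, i18n("This replaces the realm's root CA certificate on disk and in the LDAP directory.  Continue?"), i18n("Regenerate Certificate")) != KMessageBox::Continue) {
		return;
	}
	// … unchanged: generatePublicKerberosCACertificate, LDAPCredentials/LDAPManager setup, upload with its error dialog …
	delete ldap_mgr;
	delete credentials;

	load();
}
```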
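Review bot: In the createRealmCertificates hunk the status of `LDAPManager::generatePublicKerberosCACertificate(certinfo)` is dropped, just as the old `system(command)` result was, so if the helper fails the function carries on to the `// KDC certificate` step and signs against a CA file that may be missing or stale. If the helper returns a status, `if (LDAPManager::generatePublicKerberosCACertificate(certinfo) != 0) return -1;` keeps the function's existing `return -1` convention (its signature and remaining body are outside the hunk, and the helper's return type is not in this patch). The removed lines also show the user-entered certinfo fields being interpolated unescaped into the `-subj` argument of a `system()` call; if the helper keeps that approach it inherits the same exposure to shell metacharacters in those strings, which is worth a look even though the code moved rather than changed.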
@@ -796,6 +828,19 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
 return 0;
 }
+int LDAPController::uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr) {
+ // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+ TQFile cafile(KERBEROS_PKI_PEM_FILE);
+ if (cafile.open(IO_ReadOnly)) {
+ TQByteArray cafiledata = cafile.readAll();
+ if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", errstr) != 0) {
+ return -1;
+ }
+ return 0;
+ }
+ return -1;
+}
+
 int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) {
 int ldifSchemaNumber;
@@ -1078,8 +1123,8 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
 TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower());
 TQString basedcname = "dc=" + domainChunks.join(",dc=");
 LDAPCredentials* credentials = new LDAPCredentials;
- credentials->username = "cn="+rootUserName+","+basedcname;
- credentials->password = rootPassword;
+ credentials->username = "";
+ credentials->password = "";
 credentials->realm = realmconfig.name.upper();
 LDAPManager* ldap_mgr = new LDAPManager(realmconfig.name.upper(), "ldapi://", credentials);
 if (ldap_mgr->moveKerberosEntries("o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm," + basedcname, &errorstring) != 0) {
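Review bot: `uploadKerberosCAFileToLDAP` returns -1 without touching `*errstr` when `cafile.open(IO_ReadOnly)` fails, so the caller in btncaRegenerate shows its "Unable to upload" dialog with an empty reason and createNewLDAPRealm propagates whatever `errorstring` happened to hold before. A zero-length `readAll()` result is also passed straight to `writeCertificateFileIntoDirectory`, which would publish an empty `publicRootCertificate` for the realm; both cases should fail early with a message naming the file. The helper's one-line comment should also state that `errstr` is optional (the header declares it with a default of 0) and is only written on failure.
```cpp
	TQFile cafile(KERBEROS_PKI_PEM_FILE);
	if (!cafile.open(IO_ReadOnly)) {
		if (errstr) *errstr = i18n("Unable to read the root CA certificate %1").arg(KERBEROS_PKI_PEM_FILE);
		return -1;
	}
	TQByteArray cafiledata = cafile.readAll();
	if (cafiledata.isEmpty()) {
		if (errstr) *errstr = i18n("The root CA certificate %1 is empty").arg(KERBEROS_PKI_PEM_FILE);
		return -1;
	}
	// … unchanged: writeCertificateFileIntoDirectory call and return …
```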
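Review bot: In the createNewLDAPRealm hunk the `cn=<rootUserName>,<basedcname>` bind with `rootPassword` is replaced by an empty username and password, so `moveKerberosEntries` and the CA upload that follow now run as an anonymous ldapi client and their authority rests entirely on the socket's permissions plus the server's `update_anon` setting and ACLs, none of which this code checks or records. If `LDAPManager` can bind with SASL EXTERNAL over ldapi, that keeps the passwordless property while still giving the server a real identity to authorize; if it cannot, the assumption deserves a comment at the credentials, e.g. `// Anonymous ldapi bind: relies on olcAllows update_anon and an ACL that grants write only over the local socket`. `rootUserName` and `rootPassword` are still threaded through the signature but are no longer used for this bind; if the rest of the function (outside the hunk) does not need them either, stop passing a root secret around for nothing.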
@@ -1091,16 +1136,12 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
 }
 // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
- TQFile cafile(KERBEROS_PKI_PEM_FILE);
- if (cafile.open(IO_ReadOnly)) {
- TQByteArray cafiledata = cafile.readAll();
- if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", &errorstring) != 0) {
- delete ldap_mgr;
- delete credentials;
- if (errstr) *errstr = errorstring;
- pdialog.closeDialog();
- return -1;
- }
+ if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
+ delete ldap_mgr;
+ delete credentials;
+ if (errstr) *errstr = errorstring;
+ pdialog.closeDialog();
+ return -1;
 }
 // Set @@@ADMINUSER@@@ password in kadmin
diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h
index 4e9e862..d48f00f 100644
--- a/src/ldapcontroller.h
+++ b/src/ldapcontroller.h
@@ -29,6 +29,7 @@
 #include
 #include
 #include
+#include
 #include
@@ -42,27 +43,6 @@ enum sc_command {
 SC_SETDBPERMS
 };
-// PRIVATE
-class LDAPCertConfig
-{
- public:
- bool generate_certs;
- TQString provided_kerberos_pem;
- TQString provided_kerberos_pemkey;
- TQString provided_kerberos_crt;
- TQString provided_kerberos_key;
- TQString provided_ldap_crt;
- TQString provided_ldap_key;
-
- TQString countryName;
- TQString stateOrProvinceName;
- TQString localityName;
- TQString organizationName;
- TQString orgUnitName;
- TQString commonName;
- TQString emailAddress;
-};
-
 class LDAPController: public KCModule
 {
 Q_OBJECT
@@ -85,6 +65,10 @@ class LDAPController: public KCModule
 void systemRoleChanged();
 void processLockouts();
+ void btncaRegenerate();
+ void btncaExport();
+ void slotCertCopyResult(KIO::Job*);
+
 private:
 int controlKAdminDaemon(sc_command command);
 int controlSASLServer(sc_command command);
@@ -95,6 +79,7 @@ class LDAPController: public KCModule int addHostEntryToKerberosRealm(TQString kerberosHost, TQString *errstr); int setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr); int createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmConfig realmconfig, uid_t ldap_uid, gid_t ldap_gid); + int uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr=0); private: KAboutData *myAboutData; diff --git a/src/ldapcontrollerconfigbase.ui b/src/ldapcontrollerconfigbase.ui index 0c373cc..64d4623 100644 --- a/src/ldapcontrollerconfigbase.ui +++ b/src/ldapcontrollerconfigbase.ui @@ -68,6 +68,74 @@ + + + groupRealmController + + + Realm Controller + + + + unnamed + + + + unnamed + + + Realm Name: + + + + + realmName + + + + + + + groupRealmCertificates + + + Realm Certificates + + + + unnamed + + + + unnamed + + + Certificate Authority: + + + + + caExpiryString + + + + + caRegenerate + + + Regenerate Certificate + + + + + caExport + + + Export Certificate + + + + Spacer4