Add root CA certificate management

Allow anonymous writes on ldapi
pull/1/head
Timothy Pearson 13 years ago
parent 4f186beefc
commit 023a331a3c

@ -6,6 +6,7 @@ olcConfigDir: /tmp/ldap
olcArgsFile: /var/run/slapd/slapd.args olcArgsFile: /var/run/slapd/slapd.args
olcAttributeOptions: lang- olcAttributeOptions: lang-
olcAuthzPolicy: none olcAuthzPolicy: none
olcAllows: bind_v2 update_anon
olcAuthzRegexp: uid=([^,]+),cn=@@@REALM_LCNAME@@@,cn=gssapi,cn=auth uid=$1,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@ olcAuthzRegexp: uid=([^,]+),cn=@@@REALM_LCNAME@@@,cn=gssapi,cn=auth uid=$1,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@
olcConcurrency: 0 olcConcurrency: 0
olcConnMaxPending: 100 olcConnMaxPending: 100
@ -18,6 +19,7 @@ olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2 olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4 olcIndexIntLen: 4
olcLocalSSF: 71 olcLocalSSF: 71
olcSecurity: simple_bind=56
olcLogLevel: Stats olcLogLevel: Stats
olcPidFile: /var/run/slapd/slapd.pid olcPidFile: /var/run/slapd/slapd.pid
olcReadOnly: FALSE olcReadOnly: FALSE
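Review bot: The new `olcAllows: bind_v2 update_anon` line is a global switch, not an ldapi-only one: it lets unauthenticated clients issue update operations on every listener, so the effective write boundary becomes whatever the (not shown) `olcAccess` rules grant to anonymous, while the commit message promises anonymous writes "on ldapi" only. If the local socket is the only intended path, pair the new `olcSecurity: simple_bind=56` with an update floor that plain `ldap://` cannot meet but ldapi satisfies through `olcLocalSSF: 71`, e.g. `olcSecurity: simple_bind=56 update_ssf=71`, and confirm the ACL for `publicRootCertificate` is the only anonymous write grant. `bind_v2` additionally re-enables LDAPv2 binds, which nothing in this change appears to need; drop it unless a legacy client depends on it. Binding with SASL EXTERNAL over ldapi, which identifies the root peer process, would avoid opening anonymous updates at all.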

@ -184,7 +184,7 @@
<number>25</number> <number>25</number>
</property> </property>
<property name="filter"> <property name="filter">
<cstring>*.pem|PKI Anchor Files (*.pem)</cstring> <cstring>*.pem|PKI Certificate Files (*.pem)</cstring>
</property> </property>
</widget> </widget>
<widget class="TQLabel" row="12" column="0"> <widget class="TQLabel" row="12" column="0">

@ -45,6 +45,7 @@
#include <kprocess.h> #include <kprocess.h>
#include <tdesu/process.h> #include <tdesu/process.h>
#include <libtdeldap.h> #include <libtdeldap.h>
#include <kfiledialog.h>
#include "sha1.h" #include "sha1.h"
@ -67,15 +68,6 @@
#define SASL_CONTROL_FILE "/etc/ldap/sasl2/slapd.conf" #define SASL_CONTROL_FILE "/etc/ldap/sasl2/slapd.conf"
#define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl" #define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl"
#define KERBEROS_PKI_PEM_FILE KERBEROS_PKI_ANCHORDIR "tdeca.pem"
#define KERBEROS_PKI_PEMKEY_FILE KERBEROS_PKI_ANCHORDIR "tdeca.key.pem"
#define KERBEROS_PKI_KDC_FILE KERBEROS_PKI_PUBLICDIR "@@@KDCSERVER@@@.pki.crt"
#define KERBEROS_PKI_KDCKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.key"
#define KERBEROS_PKI_KDCREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.req"
#define LDAP_CERT_FILE KERBEROS_PKI_PUBLICDIR "@@@ADMINSERVER@@@.ldap.crt"
#define LDAP_CERTKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.key"
#define LDAP_CERTREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.req"
#define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions" #define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions"
@ -121,6 +113,9 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
connect(m_base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts())); connect(m_base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
connect(m_base->systemRole, TQT_SIGNAL(activated(const TQString&)), this, TQT_SLOT(systemRoleChanged())); connect(m_base->systemRole, TQT_SIGNAL(activated(const TQString&)), this, TQT_SLOT(systemRoleChanged()));
connect(m_base->caRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaRegenerate()));
connect(m_base->caExport, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExport()));
m_fqdn = LDAPManager::getMachineFQDN(); m_fqdn = LDAPManager::getMachineFQDN();
// FIXME // FIXME
@ -170,6 +165,10 @@ void LDAPController::systemRoleChanged() {
m_base->systemRole->setCurrentItem(ROLE_WORKSTATION); m_base->systemRole->setCurrentItem(ROLE_WORKSTATION);
save(); save();
} }
else {
// Wizard completed; commit changes
save();
}
// Something probably changed // Something probably changed
load(); load();
@ -221,6 +220,55 @@ void LDAPController::load() {
m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress"); m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress");
m_systemconfig->setGroup(NULL); m_systemconfig->setGroup(NULL);
if (m_base->systemRole->currentItem() == ROLE_REALM_CONTROLLER) {
m_base->groupRealmController->show();
m_base->groupRealmCertificates->show();
m_base->realmName->setText(m_systemconfig->readEntry("DefaultRealm"));
m_base->caExpiryString->setText("Expires " + LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE).toString());
// RAJA FIXME
}
else {
m_base->groupRealmController->hide();
m_base->groupRealmCertificates->hide();
}
processLockouts();
}
void LDAPController::btncaRegenerate() {
LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
TQString realmname = m_systemconfig->readEntry("DefaultRealm").upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
credentials->realm = realmname;
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
TQString errorstring;
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
KMessageBox::error(0, i18n("<qt>Unable to upload new certificate to LDAP server!<p>%1</qt>").arg(errorstring), i18n("Internal Failure"));
}
load();
}
void LDAPController::btncaExport() {
KURL src = KERBEROS_PKI_PEM_FILE;
KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate..."));
if (!dest.isEmpty()) {
KIO::CopyJob* job = KIO::copy(src, dest, true);
connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*)));
}
}
void LDAPController::slotCertCopyResult(KIO::Job* job) {
if (job->error()) {
job->showErrorDialog(this);
}
} }
void LDAPController::defaults() { void LDAPController::defaults() {
@ -246,19 +294,6 @@ void LDAPController::save() {
m_systemconfig->sync(); m_systemconfig->sync();
if (m_base->systemEnableSupport->isChecked()) {
// // Write the Kerberos5 configuration file
// writeKrb5ConfFile();
// // Write the LDAP configuration file
// writeLDAPConfFile();
// // Write the NSSwitch configuration file
// writeNSSwitchFile();
// // Write the PAM configuration files
// writePAMFiles();
// // Write the cron files
// writeCronFiles();
}
load(); load();
} }
@ -747,10 +782,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR); chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0); chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); LDAPManager::generatePublicKerberosCACertificate(certinfo);
system(command);
chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
chown(KERBEROS_PKI_PEM_FILE, 0, 0);
// KDC certificate // KDC certificate
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
@ -796,6 +828,19 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
return 0; return 0;
} }
int LDAPController::uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr) {
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
TQFile cafile(KERBEROS_PKI_PEM_FILE);
if (cafile.open(IO_ReadOnly)) {
TQByteArray cafiledata = cafile.readAll();
if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", errstr) != 0) {
return -1;
}
return 0;
}
return -1;
}
int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) { int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) {
int ldifSchemaNumber; int ldifSchemaNumber;
@ -1078,8 +1123,8 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower()); TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower());
TQString basedcname = "dc=" + domainChunks.join(",dc="); TQString basedcname = "dc=" + domainChunks.join(",dc=");
LDAPCredentials* credentials = new LDAPCredentials; LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "cn="+rootUserName+","+basedcname; credentials->username = "";
credentials->password = rootPassword; credentials->password = "";
credentials->realm = realmconfig.name.upper(); credentials->realm = realmconfig.name.upper();
LDAPManager* ldap_mgr = new LDAPManager(realmconfig.name.upper(), "ldapi://", credentials); LDAPManager* ldap_mgr = new LDAPManager(realmconfig.name.upper(), "ldapi://", credentials);
if (ldap_mgr->moveKerberosEntries("o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm," + basedcname, &errorstring) != 0) { if (ldap_mgr->moveKerberosEntries("o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm," + basedcname, &errorstring) != 0) {
@ -1091,16 +1136,12 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
} }
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
TQFile cafile(KERBEROS_PKI_PEM_FILE); if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
if (cafile.open(IO_ReadOnly)) { delete ldap_mgr;
TQByteArray cafiledata = cafile.readAll(); delete credentials;
if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", &errorstring) != 0) { if (errstr) *errstr = errorstring;
delete ldap_mgr; pdialog.closeDialog();
delete credentials; return -1;
if (errstr) *errstr = errorstring;
pdialog.closeDialog();
return -1;
}
} }
// Set @@@ADMINUSER@@@ password in kadmin // Set @@@ADMINUSER@@@ password in kadmin
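Review bot: `btncaRegenerate()` allocates `credentials` and `ldap_mgr` with `new` and never releases them, while `createNewLDAPRealm()` in the same file deletes both on its error path; the regenerate path should free them once the upload has returned. It also ignores whatever `LDAPManager::generatePublicKerberosCACertificate()` reports (its return type is not visible here), so a failed regeneration still uploads the stale `KERBEROS_PKI_PEM_FILE`, and when that file cannot be opened `uploadKerberosCAFileToLDAP()` returns -1 without touching `errstr`, leaving the error dialog blank — set it before the final return, `if (errstr) *errstr = i18n("Unable to read %1").arg(KERBEROS_PKI_PEM_FILE);`. The empty username/password on the new `LDAPCredentials` (here and in the `createNewLDAPRealm()` change) means these writes succeed only if slapd grants anonymous write to `publicRootCertificate`, which widens who on the host can replace the realm's trust anchor; that dependency deserves a comment at the credentials setup and an ACL scoped to that attribute rather than a blanket `update_anon`. Since regenerating the CA presumably orphans the KDC and LDAP certificates issued under it in `createRealmCertificates()`, a confirmation prompt before the one-click regeneration seems warranted.
```cpp
void LDAPController::btncaRegenerate() {
	// Regenerating the CA orphans every certificate signed by the old one; make the user confirm.
	if (KMessageBox::warningContinueCancel(this, i18n("<qt>Regenerating the realm CA certificate will invalidate all certificates issued under the current CA.<p>Continue?</qt>"), i18n("Regenerate CA Certificate")) != KMessageBox::Continue) {
		return;
	}
	LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
	// … unchanged: realmname, LDAPCredentials (anonymous bind over ldapi; relies on server ACL) and LDAPManager setup …
	// … unchanged: uploadKerberosCAFileToLDAP call and error dialog …
	delete ldap_mgr;
	delete credentials;
	load();
}
```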

@ -29,6 +29,7 @@
#include <kglobalsettings.h> #include <kglobalsettings.h>
#include <tqpushbutton.h> #include <tqpushbutton.h>
#include <tqcombobox.h> #include <tqcombobox.h>
#include <kio/jobclasses.h>
#include <libtdeldap.h> #include <libtdeldap.h>
@ -42,27 +43,6 @@ enum sc_command {
SC_SETDBPERMS SC_SETDBPERMS
}; };
// PRIVATE
class LDAPCertConfig
{
public:
bool generate_certs;
TQString provided_kerberos_pem;
TQString provided_kerberos_pemkey;
TQString provided_kerberos_crt;
TQString provided_kerberos_key;
TQString provided_ldap_crt;
TQString provided_ldap_key;
TQString countryName;
TQString stateOrProvinceName;
TQString localityName;
TQString organizationName;
TQString orgUnitName;
TQString commonName;
TQString emailAddress;
};
class LDAPController: public KCModule class LDAPController: public KCModule
{ {
Q_OBJECT Q_OBJECT
@ -85,6 +65,10 @@ class LDAPController: public KCModule
void systemRoleChanged(); void systemRoleChanged();
void processLockouts(); void processLockouts();
void btncaRegenerate();
void btncaExport();
void slotCertCopyResult(KIO::Job*);
private: private:
int controlKAdminDaemon(sc_command command); int controlKAdminDaemon(sc_command command);
int controlSASLServer(sc_command command); int controlSASLServer(sc_command command);
@ -95,6 +79,7 @@ class LDAPController: public KCModule
int addHostEntryToKerberosRealm(TQString kerberosHost, TQString *errstr); int addHostEntryToKerberosRealm(TQString kerberosHost, TQString *errstr);
int setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr); int setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr);
int createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmConfig realmconfig, uid_t ldap_uid, gid_t ldap_gid); int createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmConfig realmconfig, uid_t ldap_uid, gid_t ldap_gid);
int uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr=0);
private: private:
KAboutData *myAboutData; KAboutData *myAboutData;
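Review bot: The new `uploadKerberosCAFileToLDAP(LDAPManager*, TQString* errstr=0)` declaration documents neither its return convention nor that `errstr` is optional and, per the implementation, is populated only when the directory write fails, not when `KERBEROS_PKI_PEM_FILE` cannot be read; callers such as `btncaRegenerate()` display `errorstring` in a dialog and will show an empty message in that case. Add above the declaration: `// Reads KERBEROS_PKI_PEM_FILE and stores it as publicRootCertificate via ldap_mgr; returns 0 on success, -1 on failure. errstr may be null and is set only when the directory write fails.` The three new slots would also benefit from a one-line comment each, e.g. `// Regenerates the realm CA and re-uploads it to the directory` on `btncaRegenerate` and `// Copies the CA certificate to a user-chosen location via KIO` on `btncaExport`.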

@ -68,6 +68,74 @@
</widget> </widget>
</grid> </grid>
</widget> </widget>
<widget class="TQGroupBox" row="1" column="0">
<property name="name">
<cstring>groupRealmController</cstring>
</property>
<property name="title">
<string>Realm Controller</string>
</property>
<grid>
<property name="name">
<cstring>unnamed</cstring>
</property>
<widget class="TQLabel" row="0" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
<property name="text">
<cstring>Realm Name:</cstring>
</property>
</widget>
<widget class="TQLabel" row="0" column="1" colspan="1">
<property name="name">
<cstring>realmName</cstring>
</property>
</widget>
</grid>
</widget>
<widget class="TQGroupBox" row="2" column="0">
<property name="name">
<cstring>groupRealmCertificates</cstring>
</property>
<property name="title">
<string>Realm Certificates</string>
</property>
<grid>
<property name="name">
<cstring>unnamed</cstring>
</property>
<widget class="TQLabel" row="0" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
<property name="text">
<cstring>Certificate Authority:</cstring>
</property>
</widget>
<widget class="TQLabel" row="0" column="1" colspan="1">
<property name="name">
<cstring>caExpiryString</cstring>
</property>
</widget>
<widget class="TQPushButton" row="0" column="2" colspan="1">
<property name="name">
<cstring>caRegenerate</cstring>
</property>
<property name="text">
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
<widget class="TQPushButton" row="0" column="3" colspan="1">
<property name="name">
<cstring>caExport</cstring>
</property>
<property name="text">
<cstring>Export Certificate</cstring>
</property>
</widget>
</grid>
</widget>
<spacer row="4" column="0"> <spacer row="4" column="0">
<property name="name" stdset="0"> <property name="name" stdset="0">
<cstring>Spacer4</cstring> <cstring>Spacer4</cstring>
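Review bot: The new label and button captions (`Realm Name:`, `Certificate Authority:`, `Regenerate Certificate`, `Export Certificate`) are written as `<cstring>` while the group titles in the same hunk use `<string>`; as far as uic is concerned only `<string>` values are routed through the translation call, so these four captions will not be translatable. Change them to `<string>Realm Name:</string>` and so on, matching the `<string>Realm Controller</string>` title. The `caExpiryString` label is filled from code in `load()` and needs no default text, so it is fine as declared.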
