@ -45,6 +45,7 @@
# include <kprocess.h>
# include <kprocess.h>
# include <tdesu/process.h>
# include <tdesu/process.h>
# include <libtdeldap.h>
# include <libtdeldap.h>
# include <kfiledialog.h>
# include "sha1.h"
# include "sha1.h"
@ -67,15 +68,6 @@
# define SASL_CONTROL_FILE " / etc / ldap / sasl2 / slapd.conf"
# define SASL_CONTROL_FILE " / etc / ldap / sasl2 / slapd.conf"
# define HEIMDAL_ACL_FILE " / etc / heimdal-kdc / kadmind.acl"
# define HEIMDAL_ACL_FILE " / etc / heimdal-kdc / kadmind.acl"
# define KERBEROS_PKI_PEM_FILE KERBEROS_PKI_ANCHORDIR "tdeca.pem"
# define KERBEROS_PKI_PEMKEY_FILE KERBEROS_PKI_ANCHORDIR "tdeca.key.pem"
# define KERBEROS_PKI_KDC_FILE KERBEROS_PKI_PUBLICDIR "@@@KDCSERVER@@@.pki.crt"
# define KERBEROS_PKI_KDCKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.key"
# define KERBEROS_PKI_KDCREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.req"
# define LDAP_CERT_FILE KERBEROS_PKI_PUBLICDIR "@@@ADMINSERVER@@@.ldap.crt"
# define LDAP_CERTKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.key"
# define LDAP_CERTREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.req"
# define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions"
# define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions"
@ -121,6 +113,9 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
connect ( m_base - > systemEnableSupport , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( processLockouts ( ) ) ) ;
connect ( m_base - > systemEnableSupport , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( processLockouts ( ) ) ) ;
connect ( m_base - > systemRole , TQT_SIGNAL ( activated ( const TQString & ) ) , this , TQT_SLOT ( systemRoleChanged ( ) ) ) ;
connect ( m_base - > systemRole , TQT_SIGNAL ( activated ( const TQString & ) ) , this , TQT_SLOT ( systemRoleChanged ( ) ) ) ;
connect ( m_base - > caRegenerate , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( btncaRegenerate ( ) ) ) ;
connect ( m_base - > caExport , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( btncaExport ( ) ) ) ;
m_fqdn = LDAPManager : : getMachineFQDN ( ) ;
m_fqdn = LDAPManager : : getMachineFQDN ( ) ;
// FIXME
// FIXME
@ -170,6 +165,10 @@ void LDAPController::systemRoleChanged() {
m_base - > systemRole - > setCurrentItem ( ROLE_WORKSTATION ) ;
m_base - > systemRole - > setCurrentItem ( ROLE_WORKSTATION ) ;
save ( ) ;
save ( ) ;
}
}
else {
// Wizard completed; commit changes
save ( ) ;
}
// Something probably changed
// Something probably changed
load ( ) ;
load ( ) ;
@ -221,6 +220,55 @@ void LDAPController::load() {
m_certconfig . emailAddress = m_systemconfig - > readEntry ( " emailAddress " ) ;
m_certconfig . emailAddress = m_systemconfig - > readEntry ( " emailAddress " ) ;
m_systemconfig - > setGroup ( NULL ) ;
m_systemconfig - > setGroup ( NULL ) ;
if ( m_base - > systemRole - > currentItem ( ) = = ROLE_REALM_CONTROLLER ) {
m_base - > groupRealmController - > show ( ) ;
m_base - > groupRealmCertificates - > show ( ) ;
m_base - > realmName - > setText ( m_systemconfig - > readEntry ( " DefaultRealm " ) ) ;
m_base - > caExpiryString - > setText ( " Expires " + LDAPManager : : getCertificateExpiration ( KERBEROS_PKI_PEM_FILE ) . toString ( ) ) ;
// RAJA FIXME
}
else {
m_base - > groupRealmController - > hide ( ) ;
m_base - > groupRealmCertificates - > hide ( ) ;
}
processLockouts ( ) ;
}
void LDAPController : : btncaRegenerate ( ) {
LDAPManager : : generatePublicKerberosCACertificate ( m_certconfig ) ;
TQString realmname = m_systemconfig - > readEntry ( " DefaultRealm " ) . upper ( ) ;
LDAPCredentials * credentials = new LDAPCredentials ;
credentials - > username = " " ;
credentials - > password = " " ;
credentials - > realm = realmname ;
LDAPManager * ldap_mgr = new LDAPManager ( realmname , " ldapi:// " , credentials ) ;
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
TQString errorstring ;
if ( uploadKerberosCAFileToLDAP ( ldap_mgr , & errorstring ) ! = 0 ) {
KMessageBox : : error ( 0 , i18n ( " <qt>Unable to upload new certificate to LDAP server!<p>%1</qt> " ) . arg ( errorstring ) , i18n ( " Internal Failure " ) ) ;
}
load ( ) ;
}
void LDAPController : : btncaExport ( ) {
KURL src = KERBEROS_PKI_PEM_FILE ;
KURL dest = KFileDialog : : getSaveURL ( TQString : : null , " *.pem|PKI Certificate Files (*.pem) " , this , i18n ( " Select a location to save a copy of the certificate... " ) ) ;
if ( ! dest . isEmpty ( ) ) {
KIO : : CopyJob * job = KIO : : copy ( src , dest , true ) ;
connect ( job , TQT_SIGNAL ( result ( KIO : : Job * ) ) , this , TQT_SLOT ( slotCertCopyResult ( KIO : : Job * ) ) ) ;
}
}
void LDAPController : : slotCertCopyResult ( KIO : : Job * job ) {
if ( job - > error ( ) ) {
job - > showErrorDialog ( this ) ;
}
}
}
void LDAPController : : defaults ( ) {
void LDAPController : : defaults ( ) {
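Review bot: btncaRegenerate discards the result of LDAPManager::generatePublicKerberosCACertificate and then uploads whatever is left in KERBEROS_PKI_PEM_FILE, so a failed regeneration silently pushes a stale or partial CA into the directory, and the LDAPCredentials/LDAPManager it allocates are never deleted, unlike the createNewLDAPRealm path in this same commit which frees both. Regenerating a realm's root CA presumably invalidates the KDC and LDAP server certificates issued under it (they live in the same PKI directories per the removed defines), so a confirmation prompt before the call seems warranted unless the helper re-issues them — worth confirming. The rewrite below assumes the helper returns nonzero on failure like the other LDAPManager calls in this file; if it returns void, a file-existence/expiry check after the call is the fallback.
```cpp
void LDAPController::btncaRegenerate() {
	if (KMessageBox::warningYesNo(this, i18n("<qt>Regenerating the realm CA certificate invalidates every certificate previously issued by it.<p>Continue?</qt>"), i18n("Regenerate CA Certificate")) != KMessageBox::Yes) {
		return;
	}
	if (LDAPManager::generatePublicKerberosCACertificate(m_certconfig) != 0) {
		KMessageBox::error(0, i18n("<qt>Unable to regenerate the realm CA certificate!</qt>"), i18n("Internal Failure"));
		return;
	}
	// … unchanged: realmname / credentials / ldap_mgr setup …
	TQString errorstring;
	if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
		KMessageBox::error(0, i18n("<qt>Unable to upload new certificate to LDAP server!<p>%1</qt>").arg(errorstring), i18n("Internal Failure"));
	}
	delete ldap_mgr;
	delete credentials;
	load();
}
```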
@ -246,19 +294,6 @@ void LDAPController::save() {
m_systemconfig - > sync ( ) ;
m_systemconfig - > sync ( ) ;
if ( m_base - > systemEnableSupport - > isChecked ( ) ) {
// // Write the Kerberos5 configuration file
// writeKrb5ConfFile();
// // Write the LDAP configuration file
// writeLDAPConfFile();
// // Write the NSSwitch configuration file
// writeNSSwitchFile();
// // Write the PAM configuration files
// writePAMFiles();
// // Write the cron files
// writeCronFiles();
}
load ( ) ;
load ( ) ;
}
}
@ -747,10 +782,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
chmod ( KERBEROS_PKI_PEMKEY_FILE , S_IRUSR | S_IWUSR ) ;
chmod ( KERBEROS_PKI_PEMKEY_FILE , S_IRUSR | S_IWUSR ) ;
chown ( KERBEROS_PKI_PEMKEY_FILE , 0 , 0 ) ;
chown ( KERBEROS_PKI_PEMKEY_FILE , 0 , 0 ) ;
command = TQString ( " openssl req -key %1 -new -x509 -out %2 -subj \" /C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9 \" " ) . arg ( KERBEROS_PKI_PEMKEY_FILE ) . arg ( KERBEROS_PKI_PEM_FILE ) . arg ( certinfo . countryName ) . arg ( certinfo . stateOrProvinceName ) . arg ( certinfo . localityName ) . arg ( certinfo . organizationName ) . arg ( certinfo . orgUnitName ) . arg ( certinfo . commonName ) . arg ( certinfo . emailAddress ) ;
LDAPManager : : generatePublicKerberosCACertificate ( certinfo ) ;
system ( command ) ;
chmod ( KERBEROS_PKI_PEM_FILE , S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH ) ;
chown ( KERBEROS_PKI_PEM_FILE , 0 , 0 ) ;
// KDC certificate
// KDC certificate
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE ;
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE ;
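Review bot: The return value of the replacement LDAPManager::generatePublicKerberosCACertificate call is discarded, so createRealmCertificates proceeds to the KDC certificate step even if the CA could not be generated; the removed code at least had a visible openssl invocation followed by explicit chmod/chown of KERBEROS_PKI_PEM_FILE, which the new code no longer performs. If the helper does not itself set the mode and root ownership on the PEM file (not visible here), the file mode now falls to the process umask. Suggest `if (LDAPManager::generatePublicKerberosCACertificate(certinfo) != 0) return -1;` — assuming it reports failure with a nonzero status like the other LDAPManager calls in this file — plus a comment noting that the helper is expected to apply 0644/root:root to the certificate. createRealmCertificates begins and ends outside this hunk.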
@ -796,6 +828,19 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
return 0 ;
return 0 ;
}
}
int LDAPController : : uploadKerberosCAFileToLDAP ( LDAPManager * ldap_mgr , TQString * errstr ) {
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
TQFile cafile ( KERBEROS_PKI_PEM_FILE ) ;
if ( cafile . open ( IO_ReadOnly ) ) {
TQByteArray cafiledata = cafile . readAll ( ) ;
if ( ldap_mgr - > writeCertificateFileIntoDirectory ( cafiledata , " publicRootCertificate " , errstr ) ! = 0 ) {
return - 1 ;
}
return 0 ;
}
return - 1 ;
}
int LDAPController : : createNewLDAPRealm ( TQWidget * dialogparent , LDAPRealmConfig realmconfig , TQString adminUserName , TQString adminGroupName , TQString machineAdminGroupName , TQString standardUserGroupName , const char * adminPassword , TQString rootUserName , const char * rootPassword , TQString adminRealm , LDAPCertConfig certinfo , TQString * errstr ) {
int LDAPController : : createNewLDAPRealm ( TQWidget * dialogparent , LDAPRealmConfig realmconfig , TQString adminUserName , TQString adminGroupName , TQString machineAdminGroupName , TQString standardUserGroupName , const char * adminPassword , TQString rootUserName , const char * rootPassword , TQString adminRealm , LDAPCertConfig certinfo , TQString * errstr ) {
int ldifSchemaNumber ;
int ldifSchemaNumber ;
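Review bot: uploadKerberosCAFileToLDAP returns -1 when KERBEROS_PKI_PEM_FILE cannot be opened without setting *errstr, so the caller's "Unable to upload new certificate to LDAP server! %1" dialog in btncaRegenerate shows an empty reason on that path. Suggest replacing the trailing `return -1;` with `if (errstr) *errstr = i18n("Unable to read %1").arg(KERBEROS_PKI_PEM_FILE); return -1;`. A zero-length readAll (e.g. a truncated CA file) is also handed straight to writeCertificateFileIntoDirectory; treating `cafiledata.isEmpty()` as a failure would avoid publishing an empty publicRootCertificate. A one-line header comment, `// Returns 0 on success, -1 on failure with *errstr (if non-NULL) describing the cause`, would make the contract explicit.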
@ -1078,8 +1123,8 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
TQStringList domainChunks = TQStringList : : split ( " . " , realmconfig . name . lower ( ) ) ;
TQStringList domainChunks = TQStringList : : split ( " . " , realmconfig . name . lower ( ) ) ;
TQString basedcname = " dc= " + domainChunks . join ( " ,dc= " ) ;
TQString basedcname = " dc= " + domainChunks . join ( " ,dc= " ) ;
LDAPCredentials * credentials = new LDAPCredentials ;
LDAPCredentials * credentials = new LDAPCredentials ;
credentials - > username = " cn= "+ rootUserName + " , " + basedcname ;
credentials - > username = " ";
credentials - > password = rootPassword ;
credentials - > password = " " ;
credentials - > realm = realmconfig . name . upper ( ) ;
credentials - > realm = realmconfig . name . upper ( ) ;
LDAPManager * ldap_mgr = new LDAPManager ( realmconfig . name . upper ( ) , " ldapi:// " , credentials ) ;
LDAPManager * ldap_mgr = new LDAPManager ( realmconfig . name . upper ( ) , " ldapi:// " , credentials ) ;
if ( ldap_mgr - > moveKerberosEntries ( " o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm, " + basedcname , & errorstring ) ! = 0 ) {
if ( ldap_mgr - > moveKerberosEntries ( " o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm, " + basedcname , & errorstring ) ! = 0 ) {
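Review bot: The bind now uses an empty username and password over ldapi://, which presumably means authorization rests on slapd mapping this process's peer credentials (root) to a privileged identity rather than on the rootUserName/rootPassword arguments createNewLDAPRealm still accepts; nothing in the hunk documents that assumption. Suggest a comment above the credentials block: `// Unauthenticated bind over ldapi://: slapd is expected to authorize this root-owned process by its peer credentials, so no directory password is used here — TODO confirm the authz mapping in the generated slapd config.` If rootPassword is no longer consumed elsewhere in this function (not visible here), the plaintext secret is being passed around for nothing and its remaining uses should be reviewed. createNewLDAPRealm begins and ends outside this hunk.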
@ -1091,16 +1136,12 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
}
}
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
TQFile cafile ( KERBEROS_PKI_PEM_FILE ) ;
if ( uploadKerberosCAFileToLDAP ( ldap_mgr , & errorstring ) ! = 0 ) {
if ( cafile . open ( IO_ReadOnly ) ) {
delete ldap_mgr ;
TQByteArray cafiledata = cafile . readAll ( ) ;
delete credentials ;
if ( ldap_mgr - > writeCertificateFileIntoDirectory ( cafiledata , " publicRootCertificate " , & errorstring ) ! = 0 ) {
if ( errstr ) * errstr = errorstring ;
delete ldap_mgr ;
pdialog . closeDialog ( ) ;
delete credentials ;
return - 1 ;
if ( errstr ) * errstr = errorstring ;
pdialog . closeDialog ( ) ;
return - 1 ;
}
}
}
// Set @@@ADMINUSER@@@ password in kadmin
// Set @@@ADMINUSER@@@ password in kadmin