From 02cfa8d8afb2c84b0683e4071f4482a54d2e459e Mon Sep 17 00:00:00 2001 From: Timothy Pearson Date: Thu, 7 Jun 2012 18:45:11 -0500 Subject: [PATCH] Provide a range of user and certificate management options --- confskel/openldap/skel.ldif | 2 +- src/ldapcontroller.cpp | 422 +++++++++++++++++++++++++++++--- src/ldapcontroller.h | 18 +- src/ldapcontrollerconfigbase.ui | 173 ++++++++++++- src/realmwizard.cpp | 3 +- 5 files changed, 570 insertions(+), 48 deletions(-) diff --git a/confskel/openldap/skel.ldif b/confskel/openldap/skel.ldif index aec1f55..7d3f2fa 100644 --- a/confskel/openldap/skel.ldif +++ b/confskel/openldap/skel.ldif @@ -300,7 +300,7 @@ objectClass: tdeBuiltinStore objectClass: applicationProcess tdeBuiltinAccount: TRUE structuralObjectClass: applicationProcess -builtinRealmAdminAccount: cn=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@ +builtinRealmAdminAccount: uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@ builtinRealmAdminGroup: cn=@@@ADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@ builtinMachineAdminGroup: cn=@@@LOCALADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@ builtinStandardUserGroup: cn=@@@STANDARDUSERGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@ diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp index 3a79467..4f7ff1b 100644 --- a/src/ldapcontroller.cpp +++ b/src/ldapcontroller.cpp @@ -46,6 +46,7 @@ #include #include #include +#include #include "sha1.h" 
@@ -69,17 +70,12 @@ #define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl" -#define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions" - #define ROLE_WORKSTATION 0 -#define ROLE_REALM_CONTROLLER 1 +#define ROLE_SECONDARY_REALM_CONTROLLER 1 +#define ROLE_PRIMARY_REALM_CONTROLLER 2 #define KEY_STRENGTH 2048 -// RAJA FIXME -// Provide a way to change the LDAP root password -// in the olcDatabase (field olcRootPW) after installation! - typedef KGenericFactory ldapFactory; K_EXPORT_COMPONENT_FACTORY( kcm_ldapcontroller, ldapFactory("kcmldapcontroller")) @@ -104,7 +100,8 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin m_base->systemRole->clear(); m_base->systemRole->insertItem("Workstation", ROLE_WORKSTATION); - m_base->systemRole->insertItem("Realm Controller", ROLE_REALM_CONTROLLER); + m_base->systemRole->insertItem("Secondary Realm Controller", ROLE_SECONDARY_REALM_CONTROLLER); + m_base->systemRole->insertItem("Primary Realm Controller", ROLE_PRIMARY_REALM_CONTROLLER); setRootOnlyMsg(i18n("LDAP controller settings take effect system wide, and require administrator access to modify
To alter the system's realm controller settings, click on the \"Administrator Mode\" button below.")); setUseRootOnlyMsg(true); @@ -114,7 +111,21 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin connect(m_base->systemRole, TQT_SIGNAL(activated(const TQString&)), this, TQT_SLOT(systemRoleChanged())); connect(m_base->caRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaRegenerate())); - connect(m_base->caExport, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExport())); + connect(m_base->caExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExportKey())); + connect(m_base->caExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExportCert())); + + connect(m_base->krbRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnkrbRegenerate())); + connect(m_base->krbExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnkrbExportKey())); + connect(m_base->krbExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnkrbExportCert())); + + connect(m_base->ldapRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapRegenerate())); + connect(m_base->ldapExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportKey())); + connect(m_base->ldapExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportCert())); + + connect(m_base->btnChangeLDAPRootPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeLDAPRootPassword())); + connect(m_base->btnChangeRealmAdminPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeRealmAdminPassword())); + + connect(&m_certRefreshTimer, TQT_SIGNAL(timeout()), this, TQT_SLOT(updateCertDisplay())); m_fqdn = LDAPManager::getMachineFQDN(); @@ -125,10 +136,6 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin load(); - if (getuid() != 0 || !m_systemconfig->checkConfigFilesWritable( true )) { - m_base->systemEnableSupport->setEnabled(false); - } - processLockouts(); }; 
@@ -137,7 +144,7 @@ LDAPController::~LDAPController() { void LDAPController::systemRoleChanged() { if (m_base->systemRole->currentItem() != m_prevRole) { - if (m_base->systemRole->currentItem() == ROLE_REALM_CONTROLLER) { + if (m_base->systemRole->currentItem() == ROLE_PRIMARY_REALM_CONTROLLER) { // Verify that this workstation was not already bonded to an LDAP realm! bool bonded = false; TQStringList cfgRealms = m_systemconfig->groupList(); @@ -174,15 +181,77 @@ void LDAPController::systemRoleChanged() { load(); } } - if (m_base->systemRole->currentItem() == ROLE_WORKSTATION) { + else if (m_base->systemRole->currentItem() == ROLE_SECONDARY_REALM_CONTROLLER) { // RAJA FIXME + KMessageBox::error(0, i18n("Secondary realm controller support is not yet available

If you want to see it implemented, contact the Trinity Desktop developers"), i18n("Feature Not Yet Available")); + m_base->systemRole->setCurrentItem(m_prevRole); + } + else if (m_base->systemRole->currentItem() == ROLE_WORKSTATION) { + if (KMessageBox::warningYesNo(this, i18n("WARNING
You are attempting to demote a realm controller

This action will PERMANENTLY DESTROY the realm directory stored on this machine

If you do not want to do this, select Cancel below"), i18n("Are you absolutely sure?"), TQString("Continue"), TQString("Cancel")) == KMessageBox::Yes) { + ProcessingDialog pdialog(this); + pdialog.setStatusMessage(i18n("Preparing to demote primary realm controller...")); + pdialog.raise(); + pdialog.setActiveWindow(); + tqApp->processEvents(); + + save(); + + pdialog.setStatusMessage(i18n("Stopping servers...")); + + // Stop SASL + if (controlSASLServer(SC_STOP) != 0) { + // + } + // Stop Heimdal + if (controlHeimdalServer(SC_STOP) != 0) { + // + } + // Stop slapd + if (controlLDAPServer(SC_STOP) != 0) { + // + } + + pdialog.setStatusMessage(i18n("Purging LDAP database...")); + tqApp->processEvents(); + controlHeimdalServer(SC_PURGE); + controlLDAPServer(SC_PURGE); + + pdialog.setStatusMessage(i18n("Purging local configuration...")); + tqApp->processEvents(); + + system(TQString("rm -rf %1").arg(TDE_CERTIFICATE_DIR)); + + // Write the TDE realm configuration file + LDAPRealmConfigList realms; + LDAPManager::writeTDERealmList(realms, m_systemconfig); + m_systemconfig->deleteEntry("DefaultRealm"); + m_systemconfig->sync(); + + pdialog.closeDialog(); + + load(); + } + else { + m_base->systemRole->setCurrentItem(m_prevRole); + } } } } void LDAPController::processLockouts() { - bool enabled = (m_base->systemEnableSupport->isEnabled() && m_base->systemEnableSupport->isChecked()); + bool enabled = true; + bool canChangeLDAPEnabled = true; + + if (getuid() != 0 || !m_systemconfig->checkConfigFilesWritable( true )) { + canChangeLDAPEnabled = false; + enabled = false; + } + + if (m_base->systemRole->currentItem() != ROLE_WORKSTATION) { + canChangeLDAPEnabled = false; + } + m_base->systemEnableSupport->setEnabled(canChangeLDAPEnabled); m_base->systemRole->setEnabled(enabled); } 
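Review bot: In the new ROLE_WORKSTATION branch of systemRoleChanged(), the three `control*Server(SC_STOP) != 0` checks have empty bodies, so the SC_PURGE calls and `system(TQString("rm -rf %1").arg(TDE_CERTIFICATE_DIR))` run even when a server could not be stopped. A failed stop should abort the demotion before anything is destroyed, e.g. `pdialog.closeDialog(); m_base->systemRole->setCurrentItem(m_prevRole); return;` inside each check. The `rm -rf` goes through the shell with an unquoted macro expansion and its exit status is discarded; removing the directory without a shell, or at least checking the return value and reporting a failure, would keep a half-purged controller from being presented as a clean workstation. systemRoleChanged() starts above this hunk.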
@@ -201,8 +270,8 @@ void LDAPController::load() { if (!thisIsMyMachine) { ldapRole = "Workstation"; } - if (ldapRole == "Realm Controller") { - m_base->systemRole->setCurrentItem(ROLE_REALM_CONTROLLER); + if (ldapRole == "Primary Realm Controller") { + m_base->systemRole->setCurrentItem(ROLE_PRIMARY_REALM_CONTROLLER); } else { m_base->systemRole->setCurrentItem(ROLE_WORKSTATION); 
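Review bot: Existing installations have "Realm Controller" stored in LDAPRole (save() writes `systemRole->currentText()`, and that was the old item text), but load() now matches only "Primary Realm Controller", so an already configured controller would come up as a workstation after this change, with its realm and certificate panels hidden. Accepting the legacy value keeps those systems manageable: `if (ldapRole == "Primary Realm Controller" || ldapRole == "Realm Controller") {`. A short comment there saying the second string is the pre-rename value would help the next reader. load() begins and ends outside this hunk.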
@@ -219,28 +288,141 @@ void LDAPController::load() { m_certconfig.commonName = m_systemconfig->readEntry("commonName"); m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress"); + m_realmconfig = LDAPManager::readTDERealmList(m_systemconfig, !thisIsMyMachine); + if (!thisIsMyMachine) { + LDAPManager::writeTDERealmList(m_realmconfig, m_systemconfig); + } + m_systemconfig->setGroup(NULL); + m_defaultRealm = m_systemconfig->readEntry("DefaultRealm"); - if (m_base->systemRole->currentItem() == ROLE_REALM_CONTROLLER) { + if (m_base->systemRole->currentItem() == ROLE_PRIMARY_REALM_CONTROLLER) { m_base->groupRealmController->show(); m_base->groupRealmCertificates->show(); - m_base->realmName->setText(m_systemconfig->readEntry("DefaultRealm")); - m_base->caExpiryString->setText("Expires " + LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE).toString()); - // RAJA FIXME + m_base->realmName->setText(m_defaultRealm); + + // Display builtin account and group names, and provide a password reset button for each builtin user (yes, this includes the LDAP admin account!) + // FIXME + // root account should not be locked to "admin"! 
+ // when fixing, please fix the other instance of locked "admin" in realmwizard.cpp ::accept() + m_base->ldapRootUser->setText(TQString("cn=%1,").arg("admin") + LDAPManager::ldapdnForRealm(m_defaultRealm)); + + TQString realmname = m_defaultRealm.upper(); + LDAPCredentials* credentials = new LDAPCredentials; + credentials->username = ""; + credentials->password = ""; + credentials->realm = realmname; + LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials); + TQString errorstring; + LDAPTDEBuiltinsInfo builtins = ldap_mgr->getTDEBuiltinMappings(&errorstring); + delete ldap_mgr; + delete credentials; + + m_base->realmAdminUser->setText(LDAPManager::cnFromDn(builtins.builtinRealmAdminAccount)); + m_base->realmAdminGroup->setText(LDAPManager::cnFromDn(builtins.builtinRealmAdminGroup)); + m_base->realmMachineAdminGroup->setText(LDAPManager::cnFromDn(builtins.builtinMachineAdminGroup)); + m_base->realmStandardUserGroup->setText(LDAPManager::cnFromDn(builtins.builtinStandardUserGroup)); + + updateCertDisplay(); + m_certRefreshTimer.start(60*1000); } else { m_base->groupRealmController->hide(); m_base->groupRealmCertificates->hide(); + + m_certRefreshTimer.stop(); } processLockouts(); } +#define CERT_STATUS_COLOR_ACTIVE TQColor(0, 128, 0) +#define CERT_STATUS_COLOR_STALE TQColor(128, 64, 0) +#define CERT_STATUS_COLOR_EXPIRED TQColor(128, 0, 0) +#define CERT_STATUS_COLOR_NOTFOUND CERT_STATUS_COLOR_EXPIRED + +void LDAPController::updateCertDisplay() { + TQDateTime certExpiry; + TQDateTime now = TQDateTime::currentDateTime(); + TQDateTime soon = now.addDays(7); + + TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; + kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc); + TQString ldap_certfile = LDAP_CERT_FILE; + ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server); + + // Certificate Authority + if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) { + certExpiry = 
LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE); + if (certExpiry >= now) { + m_base->caExpiryString->setText("Expires " + certExpiry.toString()); + if (certExpiry >= soon) { + m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE); + } + else { + m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE); + } + } + else { + m_base->caExpiryString->setText("Expired " + certExpiry.toString()); + m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED); + } + } + else { + m_base->caExpiryString->setText("File not found"); + m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND); + } + + // Kerberos + if (TQFile::exists(kdc_certfile)) { + certExpiry = LDAPManager::getCertificateExpiration(kdc_certfile); + if (certExpiry >= now) { + m_base->krbExpiryString->setText("Expires " + certExpiry.toString()); + if (certExpiry >= soon) { + m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE); + } + else { + m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE); + } + } + else { + m_base->krbExpiryString->setText("Expired " + certExpiry.toString()); + m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED); + } + } + else { + m_base->krbExpiryString->setText("File not found"); + m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND); + } + + // LDAP + if (TQFile::exists(kdc_certfile)) { + certExpiry = LDAPManager::getCertificateExpiration(ldap_certfile); + if (certExpiry >= now) { + m_base->ldapExpiryString->setText("Expires " + certExpiry.toString()); + if (certExpiry >= soon) { + m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE); + } + else { + m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE); + } + } + else { + m_base->ldapExpiryString->setText("Expired " + certExpiry.toString()); + 
m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED); + } + } + else { + m_base->ldapExpiryString->setText("File not found"); + m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND); + } +} + void LDAPController::btncaRegenerate() { LDAPManager::generatePublicKerberosCACertificate(m_certconfig); - TQString realmname = m_systemconfig->readEntry("DefaultRealm").upper(); + TQString realmname = m_defaultRealm.upper(); LDAPCredentials* credentials = new LDAPCredentials; credentials->username = ""; credentials->password = ""; @@ -256,7 +438,16 @@ void LDAPController::btncaRegenerate() { load(); } -void LDAPController::btncaExport() { +void LDAPController::btncaExportKey() { + KURL src = KERBEROS_PKI_PEMKEY_FILE; + KURL dest = KFileDialog::getSaveURL(TQString::null, "*.key|Private Key (*.key)", this, i18n("Select a location to save a copy of the private key...")); + if (!dest.isEmpty()) { + KIO::CopyJob* job = KIO::copy(src, dest, true); + connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*))); + } +} + +void LDAPController::btncaExportCert() { KURL src = KERBEROS_PKI_PEM_FILE; KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate...")); if (!dest.isEmpty()) { 
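Review bot: The LDAP block of updateCertDisplay() tests `TQFile::exists(kdc_certfile)` but reads the expiry from `ldap_certfile`, so the LDAP TLS status follows the presence of the KDC certificate rather than its own file; the condition should be `if (TQFile::exists(ldap_certfile)) {`. In load(), the `errorstring` filled by `getTDEBuiltinMappings()` is never inspected, so a failed ldapi:// lookup would silently display empty account and group names. The admin account DN in skel.ldif now starts with `uid=` while the display still passes it through `LDAPManager::cnFromDn()`; that helper is not visible here, so it is worth confirming that it handles a `uid=` RDN. The three near-identical expiry blocks would also read better as one helper taking the file name and the label widget.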
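Review bot: btncaExportKey() passes the CA private key to `KIO::copy()` with whatever destination `KFileDialog::getSaveURL()` returned, without a confirmation step and without any control over where the copy lands or which mode it gets; btnkrbExportKey() and btnldapExportKey() in the next hunk repeat the same pattern. Because the dialog returns a KURL, the target is presumably allowed to be a non-local URL, which would move the key over whatever transport that protocol uses. I would accept only local targets, `if (!dest.isEmpty() && dest.isLocalFile()) {`, ask for explicit confirmation before a key export, and restrict the exported copy to owner read/write once the job finishes. The hunk ends inside btncaExportCert(), whose body continues outside it.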
@@ -265,12 +456,165 @@ void LDAPController::btncaExport() { } } +void LDAPController::btnkrbRegenerate() { + LDAPManager::generatePublicKerberosCertificate(m_certconfig, m_realmconfig[m_defaultRealm]); + + load(); +} + +void LDAPController::btnkrbExportKey() { + TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE; + kdc_keyfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc); + + KURL src = kdc_keyfile; + KURL dest = KFileDialog::getSaveURL(TQString::null, "*.key|Private Key (*.key)", this, i18n("Select a location to save a copy of the private key...")); + if (!dest.isEmpty()) { + KIO::CopyJob* job = KIO::copy(src, dest, true); + connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*))); + } +} + +void LDAPController::btnkrbExportCert() { + TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; + kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc); + + KURL src = kdc_certfile; + KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate...")); + if (!dest.isEmpty()) { + KIO::CopyJob* job = KIO::copy(src, dest, true); + connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*))); + } +} + +void LDAPController::btnldapRegenerate() { + struct stat sb; + uid_t slapd_uid = 0; + gid_t slapd_gid = 0; + + // Get LDAP user uid/gid + struct passwd *pwd; + pwd = getpwnam(m_ldapUserName); + slapd_uid = pwd->pw_uid; + slapd_gid = pwd->pw_gid; + + LDAPManager::generatePublicLDAPCertificate(m_certconfig, m_realmconfig[m_defaultRealm], slapd_uid, slapd_gid); + + load(); +} + +void LDAPController::btnldapExportKey() { + TQString ldap_keyfile = LDAP_CERTKEY_FILE; + ldap_keyfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server); + + KURL src = ldap_keyfile; + KURL dest = KFileDialog::getSaveURL(TQString::null, "*.key|Private Key (*.key)", this, i18n("Select a location to save a 
copy of the private key...")); + if (!dest.isEmpty()) { + KIO::CopyJob* job = KIO::copy(src, dest, true); + connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*))); + } +} + +void LDAPController::btnldapExportCert() { + TQString ldap_certfile = LDAP_CERT_FILE; + ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server); + + KURL src = ldap_certfile; + KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate...")); + if (!dest.isEmpty()) { + KIO::CopyJob* job = KIO::copy(src, dest, true); + connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*))); + } +} + void LDAPController::slotCertCopyResult(KIO::Job* job) { if (job->error()) { job->showErrorDialog(this); } } +void LDAPController::btnChangeLDAPRootPassword() { + // NOTE + // There is (currently) no good way to replace the root password + // This convoluted procedure is (currently) the best I can do... 
+ + bool ret = false; + + TQCString rootPassword; + int result = KPasswordDialog::getNewPassword(rootPassword, i18n("Please enter the new LDAP root password:")); + if (result == KPasswordDialog::Accepted) { + SHA1 sha; + sha.process(rootPassword, strlen(rootPassword)); + TQString rootpw_hash = sha.base64Hash(); + + TQString oldconfigfilename = "/etc/ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif.bkp").arg(1); + TQString newconfigfilename = "/etc/ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(1); + + if (controlLDAPServer(SC_STOP) == 0) { + rename(newconfigfilename.ascii(), oldconfigfilename.ascii()); + TQFile ifile(oldconfigfilename); + TQFile ofile(newconfigfilename); + + if (ifile.open(IO_ReadOnly)) { + if (ofile.open(IO_WriteOnly)) { + TQString line; + TQTextStream istream(&ifile); + TQTextStream ostream(&ofile); + while (!istream.atEnd()) { + line = istream.readLine(); + if (line.startsWith("olcRootPW:")) { + ostream << "olcRootPW: {SHA}" << rootpw_hash << "\n"; + } + else { + ostream << line << "\n"; + } + } + ifile.close(); + unlink(oldconfigfilename); + ofile.close(); + if (controlLDAPServer(SC_START) == 0) { + ret = true; + } + } + else { + ifile.close(); + rename(oldconfigfilename.ascii(), newconfigfilename.ascii()); + } + } + else { + rename(oldconfigfilename.ascii(), newconfigfilename.ascii()); + } + } + + if (!ret) { + KMessageBox::error(0, i18n("Unable to modify LDAP root password

Your LDAP server may now be in an inconsistent or disabled state"), i18n("Internal Failure")); + } + } +} + +void LDAPController::btnChangeRealmAdminPassword() { + TQCString adminPassword; + int result = KPasswordDialog::getNewPassword(adminPassword, i18n("Please enter the new realm administrator password:")); + if (result == KPasswordDialog::Accepted) { + TQString realmname = m_defaultRealm.upper(); + LDAPCredentials* credentials = new LDAPCredentials; + credentials->username = ""; + credentials->password = ""; + credentials->realm = realmname; + LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials); + TQString errorstring; + LDAPTDEBuiltinsInfo builtins = ldap_mgr->getTDEBuiltinMappings(&errorstring); + + LDAPUserInfo adminuserinfo = ldap_mgr->getUserByDistinguishedName(builtins.builtinRealmAdminAccount); + if (adminuserinfo.informationValid) { + adminuserinfo.new_password = adminPassword; + ldap_mgr->setPasswordForUser(adminuserinfo, &errorstring); + } + + delete ldap_mgr; + delete credentials; + } +} + void LDAPController::defaults() { // } @@ -278,6 +622,7 @@ void LDAPController::defaults() { void LDAPController::save() { m_systemconfig->setGroup(NULL); m_systemconfig->writeEntry("EnableLDAP", m_base->systemEnableSupport->isChecked()); + m_systemconfig->writeEntry("HostFQDN", m_fqdn); m_systemconfig->writeEntry("LDAPRole", m_base->systemRole->currentText()); // Write cert config @@ -371,7 +716,6 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi } ostream << line << "\n"; } - ifile.close(); ofile.close(); // Set permissions 
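Review bot: btnChangeLDAPRootPassword() writes olcRootPW as `{SHA}` followed by a single unsalted SHA-1 digest, which offers little protection if the cn=config file is ever read; a salted scheme such as `{SSHA}` with a random per-password salt should be the minimum here. The replacement file is created by `ofile.open(IO_WriteOnly)` with default mode and ownership, the `rename()` results are not checked, and the `.bkp` copy is unlinked before `controlLDAPServer(SC_START)` is known to succeed, so a failed restart leaves nothing to roll back to; carry the original file's mode and owner over to the new file and remove the backup only after a successful start. Separately, btnldapRegenerate() dereferences the result of `getpwnam(m_ldapUserName)` without a null check; add `if (!pwd) { KMessageBox::error(this, i18n("LDAP system user not found")); return; }` before reading `pw_uid`, and drop the unused `struct stat sb`. btnChangeRealmAdminPassword() likewise ignores the outcome of `setPasswordForUser()` and the `errorstring` it fills, so the user gets no indication when the change fails.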
@@ -383,6 +727,7 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi //KMessageBox::error(0, i18n("Unable to open output schema file %1 for writing").arg(outfile), i18n("Internal Failure")); printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n\r", outfile.ascii()); fflush(stdout); } + ifile.close(); } else { //KMessageBox::error(0, i18n("Unable to open template schema file %1").arg(infile), i18n("Internal Failure")); @@ -796,14 +1141,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo chmod(kdc_keyfile.ascii(), S_IRUSR|S_IWUSR); chown(kdc_keyfile.ascii(), 0, 0); - command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); - system(command); - command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE); - system(command); - chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - chown(kdc_certfile.ascii(), 0, 0); - unlink(kdc_reqfile.ascii()); - unlink(OPENSSL_EXTENSIONS_FILE); + LDAPManager::generatePublicKerberosCertificate(certinfo, realmconfig); // LDAP certificate TQString ldap_certfile = LDAP_CERT_FILE; 
@@ -817,13 +1155,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo chmod(ldap_keyfile.ascii(), S_IRUSR|S_IWUSR); chown(ldap_keyfile.ascii(), ldap_uid, ldap_gid); - command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmconfig.admin_server).arg(certinfo.emailAddress); - system(command); - command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile); - system(command); - chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - chown(ldap_certfile.ascii(), ldap_uid, ldap_gid); - unlink(ldap_reqfile.ascii()); + LDAPManager::generatePublicLDAPCertificate(certinfo, realmconfig, ldap_uid, ldap_gid); return 0; } @@ -841,6 +1173,8 @@ int LDAPController::uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* return -1; } +// #define STRICT_SETUP 1 + int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) { int ldifSchemaNumber; 
@@ -874,21 +1208,27 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME // Stop SASL if (controlSASLServer(SC_STOP) != 0) { +#ifdef STRICT_SETUP if (errstr) *errstr = i18n("Unable to stop SASL server"); pdialog.closeDialog(); return -1; +#endif // STRICT_SETUP } // Stop Heimdal if (controlHeimdalServer(SC_STOP) != 0) { +#ifdef STRICT_SETUP if (errstr) *errstr = i18n("Unable to stop Kerberos server"); pdialog.closeDialog(); return -1; +#endif // STRICT_SETUP } // Stop slapd if (controlLDAPServer(SC_STOP) != 0) { +#ifdef STRICT_SETUP if (errstr) *errstr = i18n("Unable to stop LDAP server"); pdialog.closeDialog(); return -1; +#endif // STRICT_SETUP } pdialog.setStatusMessage(i18n("Purging existing LDAP database...")); @@ -1000,6 +1340,8 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME chmod(TQString(SASL_DEFAULT_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP); chmod(TQString(SASL_CONTROL_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chmod(TQString(OPENSSL_EXTENSIONS_FILE).ascii(), S_IRUSR|S_IWUSR); + pdialog.setStatusMessage(i18n("Installing realm certificates...")); tqApp->processEvents(); diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h index d48f00f..da41004 100644 --- a/src/ldapcontroller.h +++ b/src/ldapcontroller.h @@ -29,6 +29,7 @@ #include #include #include +#include #include #include @@ -64,11 +65,22 @@ class LDAPController: public KCModule private slots: void systemRoleChanged(); void processLockouts(); + void updateCertDisplay(); void btncaRegenerate(); - void btncaExport(); + void btncaExportKey(); + void btncaExportCert(); + void btnkrbRegenerate(); + void btnkrbExportKey(); + void btnkrbExportCert(); + void btnldapRegenerate(); + void btnldapExportKey(); + void btnldapExportCert(); void slotCertCopyResult(KIO::Job*); + void btnChangeLDAPRootPassword(); + void btnChangeRealmAdminPassword(); + private: int controlKAdminDaemon(sc_command command); int controlSASLServer(sc_command command); 
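Review bot: With `STRICT_SETUP` left undefined (the only definition added is commented out), a failure to stop SASL, Heimdal or slapd is now silently ignored and createNewLDAPRealm() continues to the "Purging existing LDAP database..." step against a server that may still be running. If the aim is to tolerate services that are not installed or not yet running, that case should be told apart from a genuine stop failure rather than compiling the check out. At the least the non-strict path should record what happened, in the file's existing style: `printf("[WARNING] Unable to stop LDAP server\n\r"); fflush(stdout);`. A comment next to the `// #define STRICT_SETUP 1` line explaining when to enable it is also missing. The function begins and ends outside this hunk.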
@@ -93,6 +105,10 @@ class LDAPController: public KCModule TQString m_ldapGroupName; LDAPCertConfig m_certconfig; + TQString m_defaultRealm; + LDAPRealmConfigList m_realmconfig; + + TQTimer m_certRefreshTimer; }; #endif // _LDAPCONTROLLER_H_ diff --git a/src/ldapcontrollerconfigbase.ui b/src/ldapcontrollerconfigbase.ui index 64d4623..6e3bb47 100644 --- a/src/ldapcontrollerconfigbase.ui +++ b/src/ldapcontrollerconfigbase.ui @@ -92,6 +92,87 @@ realmName + + + unnamed + + + LDAP Root User: + + + + + ldapRootUser + + + + + btnChangeLDAPRootPassword + + + Change Password + + + + + unnamed + + + Realm Administrative User: + + + + + realmAdminUser + + + + + btnChangeRealmAdminPassword + + + Change Password + + + + + unnamed + + + Realm Administrative Group: + + + + + realmAdminGroup + + + + + unnamed + + + Machine Administrative Group: + + + + + realmMachineAdminGroup + + + + + unnamed + + + Standard User Group: + + + + + realmStandardUserGroup + + @@ -113,12 +194,12 @@ Certificate Authority: - + caExpiryString - + caRegenerate @@ -126,12 +207,94 @@ Regenerate Certificate - + + + caExportKey + + + Export Private Key + + + + + caExportCert + + + Export Public Certificate + + + + + unnamed + + + Kerberos: + + + + + krbExpiryString + + + + + krbRegenerate + + + Regenerate Certificate + + + + + krbExportKey + + + Export Private Key + + + + + krbExportCert + + + Export Public Certificate + + + + + unnamed + + + LDAP TLS: + + + + + ldapExpiryString + + + + + ldapRegenerate + + + Regenerate Certificate + + + + + ldapExportKey + + + Export Private Key + + + - caExport + ldapExportCert - Export Certificate + Export Public Certificate diff --git a/src/realmwizard.cpp b/src/realmwizard.cpp index 95bd931..f2a7760 100644 --- a/src/realmwizard.cpp +++ b/src/realmwizard.cpp 
@@ -239,8 +239,9 @@ void RealmWizard::accept() { // Try to create realm TQString errorString; - // RAJA FIXME + // FIXME // root account should not be locked to "admin"! + // when fixing, please fix the other instance of locked "admin" in ldapcontroller.cpp ::load() backButton()->setEnabled(false); nextButton()->setEnabled(false); finishButton()->setEnabled(false);