@ -46,6 +46,7 @@
# include <tdesu/process.h>
# include <libtdeldap.h>
# include <kfiledialog.h>
# include <kpassdlg.h>
# include "sha1.h"
@ -69,17 +70,12 @@
# define HEIMDAL_ACL_FILE " / etc / heimdal-kdc / kadmind.acl"
# define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions"
# define ROLE_WORKSTATION 0
# define ROLE_REALM_CONTROLLER 1
# define ROLE_SECONDARY_REALM_CONTROLLER 1
# define ROLE_PRIMARY_REALM_CONTROLLER 2
# define KEY_STRENGTH 2048
// RAJA FIXME
// Provide a way to change the LDAP root password
// in the olcDatabase (field olcRootPW) after installation!
typedef KGenericFactory < LDAPController , TQWidget > ldapFactory ;
K_EXPORT_COMPONENT_FACTORY ( kcm_ldapcontroller , ldapFactory ( " kcmldapcontroller " ) )
@ -104,7 +100,8 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
m_base - > systemRole - > clear ( ) ;
m_base - > systemRole - > insertItem ( " Workstation " , ROLE_WORKSTATION ) ;
m_base - > systemRole - > insertItem ( " Realm Controller " , ROLE_REALM_CONTROLLER ) ;
m_base - > systemRole - > insertItem ( " Secondary Realm Controller " , ROLE_SECONDARY_REALM_CONTROLLER ) ;
m_base - > systemRole - > insertItem ( " Primary Realm Controller " , ROLE_PRIMARY_REALM_CONTROLLER ) ;
setRootOnlyMsg ( i18n ( " <b>LDAP controller settings take effect system wide, and require administrator access to modify</b><br>To alter the system's realm controller settings, click on the \" Administrator Mode \" button below. " ) ) ;
setUseRootOnlyMsg ( true ) ;
@ -114,7 +111,21 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
connect ( m_base - > systemRole , TQT_SIGNAL ( activated ( const TQString & ) ) , this , TQT_SLOT ( systemRoleChanged ( ) ) ) ;
connect ( m_base - > caRegenerate , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( btncaRegenerate ( ) ) ) ;
connect ( m_base - > caExport , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( btncaExport ( ) ) ) ;
connect ( m_base - > caExportKey , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( btncaExportKey ( ) ) ) ;
connect ( m_base - > caExportCert , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( btncaExportCert ( ) ) ) ;
connect ( m_base - > krbRegenerate , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( btnkrbRegenerate ( ) ) ) ;
connect ( m_base - > krbExportKey , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( btnkrbExportKey ( ) ) ) ;
connect ( m_base - > krbExportCert , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( btnkrbExportCert ( ) ) ) ;
connect ( m_base - > ldapRegenerate , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( btnldapRegenerate ( ) ) ) ;
connect ( m_base - > ldapExportKey , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( btnldapExportKey ( ) ) ) ;
connect ( m_base - > ldapExportCert , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( btnldapExportCert ( ) ) ) ;
connect ( m_base - > btnChangeLDAPRootPassword , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( btnChangeLDAPRootPassword ( ) ) ) ;
connect ( m_base - > btnChangeRealmAdminPassword , TQT_SIGNAL ( clicked ( ) ) , this , TQT_SLOT ( btnChangeRealmAdminPassword ( ) ) ) ;
connect ( & m_certRefreshTimer , TQT_SIGNAL ( timeout ( ) ) , this , TQT_SLOT ( updateCertDisplay ( ) ) ) ;
m_fqdn = LDAPManager : : getMachineFQDN ( ) ;
@ -125,10 +136,6 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
load ( ) ;
if ( getuid ( ) ! = 0 | | ! m_systemconfig - > checkConfigFilesWritable ( true ) ) {
m_base - > systemEnableSupport - > setEnabled ( false ) ;
}
processLockouts ( ) ;
} ;
@ -137,7 +144,7 @@ LDAPController::~LDAPController() {
void LDAPController : : systemRoleChanged ( ) {
if ( m_base - > systemRole - > currentItem ( ) ! = m_prevRole ) {
if ( m_base - > systemRole - > currentItem ( ) = = ROLE_ REALM_CONTROLLER) {
if ( m_base - > systemRole - > currentItem ( ) = = ROLE_ PRIMARY_ REALM_CONTROLLER) {
// Verify that this workstation was not already bonded to an LDAP realm!
bool bonded = false ;
TQStringList cfgRealms = m_systemconfig - > groupList ( ) ;
@ -174,15 +181,77 @@ void LDAPController::systemRoleChanged() {
load ( ) ;
}
}
if ( m_base - > systemRole - > currentItem ( ) = = ROLE_ WORKSTATION ) {
else if ( m_base - > systemRole - > currentItem ( ) = = ROLE_ SECONDARY_REALM_CONTROLLER ) {
// RAJA FIXME
KMessageBox : : error ( 0 , i18n ( " <qt>Secondary realm controller support is not yet available<p>If you want to see it implemented, contact the Trinity Desktop developers</qt> " ) , i18n ( " Feature Not Yet Available " ) ) ;
m_base - > systemRole - > setCurrentItem ( m_prevRole ) ;
}
else if ( m_base - > systemRole - > currentItem ( ) = = ROLE_WORKSTATION ) {
if ( KMessageBox : : warningYesNo ( this , i18n ( " <qt><b>WARNING</b><br>You are attempting to demote a realm controller<p>This action will <b>PERMANENTLY DESTROY</b> the realm directory stored on this machine<p>If you do not want to do this, select <b>Cancel</b> below</qt> " ) , i18n ( " Are you absolutely sure? " ) , TQString ( " Continue " ) , TQString ( " Cancel " ) ) = = KMessageBox : : Yes ) {
ProcessingDialog pdialog ( this ) ;
pdialog . setStatusMessage ( i18n ( " Preparing to demote primary realm controller... " ) ) ;
pdialog . raise ( ) ;
pdialog . setActiveWindow ( ) ;
tqApp - > processEvents ( ) ;
save ( ) ;
pdialog . setStatusMessage ( i18n ( " Stopping servers... " ) ) ;
// Stop SASL
if ( controlSASLServer ( SC_STOP ) ! = 0 ) {
//
}
// Stop Heimdal
if ( controlHeimdalServer ( SC_STOP ) ! = 0 ) {
//
}
// Stop slapd
if ( controlLDAPServer ( SC_STOP ) ! = 0 ) {
//
}
pdialog . setStatusMessage ( i18n ( " Purging LDAP database... " ) ) ;
tqApp - > processEvents ( ) ;
controlHeimdalServer ( SC_PURGE ) ;
controlLDAPServer ( SC_PURGE ) ;
pdialog . setStatusMessage ( i18n ( " Purging local configuration... " ) ) ;
tqApp - > processEvents ( ) ;
system ( TQString ( " rm -rf %1 " ) . arg ( TDE_CERTIFICATE_DIR ) ) ;
// Write the TDE realm configuration file
LDAPRealmConfigList realms ;
LDAPManager : : writeTDERealmList ( realms , m_systemconfig ) ;
m_systemconfig - > deleteEntry ( " DefaultRealm " ) ;
m_systemconfig - > sync ( ) ;
pdialog . closeDialog ( ) ;
load ( ) ;
}
else {
m_base - > systemRole - > setCurrentItem ( m_prevRole ) ;
}
}
}
}
void LDAPController : : processLockouts ( ) {
bool enabled = ( m_base - > systemEnableSupport - > isEnabled ( ) & & m_base - > systemEnableSupport - > isChecked ( ) ) ;
bool enabled = true ;
bool canChangeLDAPEnabled = true ;
if ( getuid ( ) ! = 0 | | ! m_systemconfig - > checkConfigFilesWritable ( true ) ) {
canChangeLDAPEnabled = false ;
enabled = false ;
}
if ( m_base - > systemRole - > currentItem ( ) ! = ROLE_WORKSTATION ) {
canChangeLDAPEnabled = false ;
}
m_base - > systemEnableSupport - > setEnabled ( canChangeLDAPEnabled ) ;
m_base - > systemRole - > setEnabled ( enabled ) ;
}
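Review bot: In the demote path of systemRoleChanged the three stop-server checks have empty bodies (`if (controlSASLServer(SC_STOP) != 0) { // }`), so a server that could not be stopped is still followed by SC_PURGE and `rm -rf` of TDE_CERTIFICATE_DIR; the destructive step should not run after a failed stop. Replace each empty body with a bail-out along the lines of `pdialog.closeDialog(); m_base->systemRole->setCurrentItem(m_prevRole); return;` preceded by a KMessageBox::error naming the server that could not be stopped (the control functions are defined outside this hunk; I am reading non-zero as failure, as createNewLDAPRealm does). The `system(TQString("rm -rf %1").arg(TDE_CERTIFICATE_DIR))` call spawns a shell for a compile-time path and its exit status is discarded; a KIO::del or a recursive TQDir removal avoids the shell and gives a result that can be checked before the realm list is cleared.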
@ -201,8 +270,8 @@ void LDAPController::load() {
if ( ! thisIsMyMachine ) {
ldapRole = " Workstation " ;
}
if ( ldapRole = = " Realm Controller" ) {
m_base - > systemRole - > setCurrentItem ( ROLE_ REALM_CONTROLLER) ;
if ( ldapRole = = " Primary Realm Controller" ) {
m_base - > systemRole - > setCurrentItem ( ROLE_ PRIMARY_ REALM_CONTROLLER) ;
}
else {
m_base - > systemRole - > setCurrentItem ( ROLE_WORKSTATION ) ;
@ -219,28 +288,141 @@ void LDAPController::load() {
m_certconfig . commonName = m_systemconfig - > readEntry ( " commonName " ) ;
m_certconfig . emailAddress = m_systemconfig - > readEntry ( " emailAddress " ) ;
m_realmconfig = LDAPManager : : readTDERealmList ( m_systemconfig , ! thisIsMyMachine ) ;
if ( ! thisIsMyMachine ) {
LDAPManager : : writeTDERealmList ( m_realmconfig , m_systemconfig ) ;
}
m_systemconfig - > setGroup ( NULL ) ;
m_defaultRealm = m_systemconfig - > readEntry ( " DefaultRealm " ) ;
if ( m_base - > systemRole - > currentItem ( ) = = ROLE_REALM_CONTROLLER ) {
if ( m_base - > systemRole - > currentItem ( ) = = ROLE_ PRIMARY_ REALM_CONTROLLER) {
m_base - > groupRealmController - > show ( ) ;
m_base - > groupRealmCertificates - > show ( ) ;
m_base - > realmName - > setText ( m_systemconfig - > readEntry ( " DefaultRealm " ) ) ;
m_base - > caExpiryString - > setText ( " Expires " + LDAPManager : : getCertificateExpiration ( KERBEROS_PKI_PEM_FILE ) . toString ( ) ) ;
// RAJA FIXME
m_base - > realmName - > setText ( m_defaultRealm ) ;
// Display builtin account and group names, and provide a password reset button for each builtin user (yes, this includes the LDAP admin account!)
// FIXME
// root account should not be locked to "admin"!
// when fixing, please fix the other instance of locked "admin" in realmwizard.cpp ::accept()
m_base - > ldapRootUser - > setText ( TQString ( " cn=%1, " ) . arg ( " admin " ) + LDAPManager : : ldapdnForRealm ( m_defaultRealm ) ) ;
TQString realmname = m_defaultRealm . upper ( ) ;
LDAPCredentials * credentials = new LDAPCredentials ;
credentials - > username = " " ;
credentials - > password = " " ;
credentials - > realm = realmname ;
LDAPManager * ldap_mgr = new LDAPManager ( realmname , " ldapi:// " , credentials ) ;
TQString errorstring ;
LDAPTDEBuiltinsInfo builtins = ldap_mgr - > getTDEBuiltinMappings ( & errorstring ) ;
delete ldap_mgr ;
delete credentials ;
m_base - > realmAdminUser - > setText ( LDAPManager : : cnFromDn ( builtins . builtinRealmAdminAccount ) ) ;
m_base - > realmAdminGroup - > setText ( LDAPManager : : cnFromDn ( builtins . builtinRealmAdminGroup ) ) ;
m_base - > realmMachineAdminGroup - > setText ( LDAPManager : : cnFromDn ( builtins . builtinMachineAdminGroup ) ) ;
m_base - > realmStandardUserGroup - > setText ( LDAPManager : : cnFromDn ( builtins . builtinStandardUserGroup ) ) ;
updateCertDisplay ( ) ;
m_certRefreshTimer . start ( 60 * 1000 ) ;
}
else {
m_base - > groupRealmController - > hide ( ) ;
m_base - > groupRealmCertificates - > hide ( ) ;
m_certRefreshTimer . stop ( ) ;
}
processLockouts ( ) ;
}
# define CERT_STATUS_COLOR_ACTIVE TQColor(0, 128, 0)
# define CERT_STATUS_COLOR_STALE TQColor(128, 64, 0)
# define CERT_STATUS_COLOR_EXPIRED TQColor(128, 0, 0)
# define CERT_STATUS_COLOR_NOTFOUND CERT_STATUS_COLOR_EXPIRED
void LDAPController : : updateCertDisplay ( ) {
TQDateTime certExpiry ;
TQDateTime now = TQDateTime : : currentDateTime ( ) ;
TQDateTime soon = now . addDays ( 7 ) ;
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE ;
kdc_certfile . replace ( " @@@KDCSERVER@@@ " , m_realmconfig [ m_defaultRealm ] . kdc ) ;
TQString ldap_certfile = LDAP_CERT_FILE ;
ldap_certfile . replace ( " @@@ADMINSERVER@@@ " , m_realmconfig [ m_defaultRealm ] . admin_server ) ;
// Certificate Authority
if ( TQFile : : exists ( KERBEROS_PKI_PEM_FILE ) ) {
certExpiry = LDAPManager : : getCertificateExpiration ( KERBEROS_PKI_PEM_FILE ) ;
if ( certExpiry > = now ) {
m_base - > caExpiryString - > setText ( " Expires " + certExpiry . toString ( ) ) ;
if ( certExpiry > = soon ) {
m_base - > caExpiryString - > setPaletteForegroundColor ( CERT_STATUS_COLOR_ACTIVE ) ;
}
else {
m_base - > caExpiryString - > setPaletteForegroundColor ( CERT_STATUS_COLOR_STALE ) ;
}
}
else {
m_base - > caExpiryString - > setText ( " Expired " + certExpiry . toString ( ) ) ;
m_base - > caExpiryString - > setPaletteForegroundColor ( CERT_STATUS_COLOR_EXPIRED ) ;
}
}
else {
m_base - > caExpiryString - > setText ( " File not found " ) ;
m_base - > caExpiryString - > setPaletteForegroundColor ( CERT_STATUS_COLOR_NOTFOUND ) ;
}
// Kerberos
if ( TQFile : : exists ( kdc_certfile ) ) {
certExpiry = LDAPManager : : getCertificateExpiration ( kdc_certfile ) ;
if ( certExpiry > = now ) {
m_base - > krbExpiryString - > setText ( " Expires " + certExpiry . toString ( ) ) ;
if ( certExpiry > = soon ) {
m_base - > krbExpiryString - > setPaletteForegroundColor ( CERT_STATUS_COLOR_ACTIVE ) ;
}
else {
m_base - > krbExpiryString - > setPaletteForegroundColor ( CERT_STATUS_COLOR_STALE ) ;
}
}
else {
m_base - > krbExpiryString - > setText ( " Expired " + certExpiry . toString ( ) ) ;
m_base - > krbExpiryString - > setPaletteForegroundColor ( CERT_STATUS_COLOR_EXPIRED ) ;
}
}
else {
m_base - > krbExpiryString - > setText ( " File not found " ) ;
m_base - > krbExpiryString - > setPaletteForegroundColor ( CERT_STATUS_COLOR_NOTFOUND ) ;
}
// LDAP
if ( TQFile : : exists ( kdc_certfile ) ) {
certExpiry = LDAPManager : : getCertificateExpiration ( ldap_certfile ) ;
if ( certExpiry > = now ) {
m_base - > ldapExpiryString - > setText ( " Expires " + certExpiry . toString ( ) ) ;
if ( certExpiry > = soon ) {
m_base - > ldapExpiryString - > setPaletteForegroundColor ( CERT_STATUS_COLOR_ACTIVE ) ;
}
else {
m_base - > ldapExpiryString - > setPaletteForegroundColor ( CERT_STATUS_COLOR_STALE ) ;
}
}
else {
m_base - > ldapExpiryString - > setText ( " Expired " + certExpiry . toString ( ) ) ;
m_base - > ldapExpiryString - > setPaletteForegroundColor ( CERT_STATUS_COLOR_EXPIRED ) ;
}
}
else {
m_base - > ldapExpiryString - > setText ( " File not found " ) ;
m_base - > ldapExpiryString - > setPaletteForegroundColor ( CERT_STATUS_COLOR_NOTFOUND ) ;
}
}
void LDAPController : : btncaRegenerate ( ) {
LDAPManager : : generatePublicKerberosCACertificate ( m_certconfig ) ;
TQString realmname = m_systemconfig - > readEntry ( " DefaultRealm " ) . upper ( ) ;
TQString realmname = m_ defaultRealm. upper ( ) ;
LDAPCredentials * credentials = new LDAPCredentials ;
credentials - > username = " " ;
credentials - > password = " " ;
@ -256,7 +438,16 @@ void LDAPController::btncaRegenerate() {
load ( ) ;
}
void LDAPController : : btncaExport ( ) {
void LDAPController : : btncaExportKey ( ) {
KURL src = KERBEROS_PKI_PEMKEY_FILE ;
KURL dest = KFileDialog : : getSaveURL ( TQString : : null , " *.key|Private Key (*.key) " , this , i18n ( " Select a location to save a copy of the private key... " ) ) ;
if ( ! dest . isEmpty ( ) ) {
KIO : : CopyJob * job = KIO : : copy ( src , dest , true ) ;
connect ( job , TQT_SIGNAL ( result ( KIO : : Job * ) ) , this , TQT_SLOT ( slotCertCopyResult ( KIO : : Job * ) ) ) ;
}
}
void LDAPController : : btncaExportCert ( ) {
KURL src = KERBEROS_PKI_PEM_FILE ;
KURL dest = KFileDialog : : getSaveURL ( TQString : : null , " *.pem|PKI Certificate Files (*.pem) " , this , i18n ( " Select a location to save a copy of the certificate... " ) ) ;
if ( ! dest . isEmpty ( ) ) {
@ -265,12 +456,165 @@ void LDAPController::btncaExport() {
}
}
void LDAPController : : btnkrbRegenerate ( ) {
LDAPManager : : generatePublicKerberosCertificate ( m_certconfig , m_realmconfig [ m_defaultRealm ] ) ;
load ( ) ;
}
void LDAPController : : btnkrbExportKey ( ) {
TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE ;
kdc_keyfile . replace ( " @@@KDCSERVER@@@ " , m_realmconfig [ m_defaultRealm ] . kdc ) ;
KURL src = kdc_keyfile ;
KURL dest = KFileDialog : : getSaveURL ( TQString : : null , " *.key|Private Key (*.key) " , this , i18n ( " Select a location to save a copy of the private key... " ) ) ;
if ( ! dest . isEmpty ( ) ) {
KIO : : CopyJob * job = KIO : : copy ( src , dest , true ) ;
connect ( job , TQT_SIGNAL ( result ( KIO : : Job * ) ) , this , TQT_SLOT ( slotCertCopyResult ( KIO : : Job * ) ) ) ;
}
}
void LDAPController : : btnkrbExportCert ( ) {
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE ;
kdc_certfile . replace ( " @@@KDCSERVER@@@ " , m_realmconfig [ m_defaultRealm ] . kdc ) ;
KURL src = kdc_certfile ;
KURL dest = KFileDialog : : getSaveURL ( TQString : : null , " *.pem|PKI Certificate Files (*.pem) " , this , i18n ( " Select a location to save a copy of the certificate... " ) ) ;
if ( ! dest . isEmpty ( ) ) {
KIO : : CopyJob * job = KIO : : copy ( src , dest , true ) ;
connect ( job , TQT_SIGNAL ( result ( KIO : : Job * ) ) , this , TQT_SLOT ( slotCertCopyResult ( KIO : : Job * ) ) ) ;
}
}
void LDAPController : : btnldapRegenerate ( ) {
struct stat sb ;
uid_t slapd_uid = 0 ;
gid_t slapd_gid = 0 ;
// Get LDAP user uid/gid
struct passwd * pwd ;
pwd = getpwnam ( m_ldapUserName ) ;
slapd_uid = pwd - > pw_uid ;
slapd_gid = pwd - > pw_gid ;
LDAPManager : : generatePublicLDAPCertificate ( m_certconfig , m_realmconfig [ m_defaultRealm ] , slapd_uid , slapd_gid ) ;
load ( ) ;
}
void LDAPController : : btnldapExportKey ( ) {
TQString ldap_keyfile = LDAP_CERTKEY_FILE ;
ldap_keyfile . replace ( " @@@ADMINSERVER@@@ " , m_realmconfig [ m_defaultRealm ] . admin_server ) ;
KURL src = ldap_keyfile ;
KURL dest = KFileDialog : : getSaveURL ( TQString : : null , " *.key|Private Key (*.key) " , this , i18n ( " Select a location to save a copy of the private key... " ) ) ;
if ( ! dest . isEmpty ( ) ) {
KIO : : CopyJob * job = KIO : : copy ( src , dest , true ) ;
connect ( job , TQT_SIGNAL ( result ( KIO : : Job * ) ) , this , TQT_SLOT ( slotCertCopyResult ( KIO : : Job * ) ) ) ;
}
}
void LDAPController : : btnldapExportCert ( ) {
TQString ldap_certfile = LDAP_CERT_FILE ;
ldap_certfile . replace ( " @@@ADMINSERVER@@@ " , m_realmconfig [ m_defaultRealm ] . admin_server ) ;
KURL src = ldap_certfile ;
KURL dest = KFileDialog : : getSaveURL ( TQString : : null , " *.pem|PKI Certificate Files (*.pem) " , this , i18n ( " Select a location to save a copy of the certificate... " ) ) ;
if ( ! dest . isEmpty ( ) ) {
KIO : : CopyJob * job = KIO : : copy ( src , dest , true ) ;
connect ( job , TQT_SIGNAL ( result ( KIO : : Job * ) ) , this , TQT_SLOT ( slotCertCopyResult ( KIO : : Job * ) ) ) ;
}
}
void LDAPController : : slotCertCopyResult ( KIO : : Job * job ) {
if ( job - > error ( ) ) {
job - > showErrorDialog ( this ) ;
}
}
void LDAPController : : btnChangeLDAPRootPassword ( ) {
// NOTE
// There is (currently) no good way to replace the root password
// This convoluted procedure is (currently) the best I can do...
bool ret = false ;
TQCString rootPassword ;
int result = KPasswordDialog : : getNewPassword ( rootPassword , i18n ( " Please enter the new LDAP root password: " ) ) ;
if ( result = = KPasswordDialog : : Accepted ) {
SHA1 sha ;
sha . process ( rootPassword , strlen ( rootPassword ) ) ;
TQString rootpw_hash = sha . base64Hash ( ) ;
TQString oldconfigfilename = " /etc/ldap/slapd.d/cn=config/ " + TQString ( " olcDatabase={%1}hdb.ldif.bkp " ) . arg ( 1 ) ;
TQString newconfigfilename = " /etc/ldap/slapd.d/cn=config/ " + TQString ( " olcDatabase={%1}hdb.ldif " ) . arg ( 1 ) ;
if ( controlLDAPServer ( SC_STOP ) = = 0 ) {
rename ( newconfigfilename . ascii ( ) , oldconfigfilename . ascii ( ) ) ;
TQFile ifile ( oldconfigfilename ) ;
TQFile ofile ( newconfigfilename ) ;
if ( ifile . open ( IO_ReadOnly ) ) {
if ( ofile . open ( IO_WriteOnly ) ) {
TQString line ;
TQTextStream istream ( & ifile ) ;
TQTextStream ostream ( & ofile ) ;
while ( ! istream . atEnd ( ) ) {
line = istream . readLine ( ) ;
if ( line . startsWith ( " olcRootPW: " ) ) {
ostream < < " olcRootPW: {SHA} " < < rootpw_hash < < " \n " ;
}
else {
ostream < < line < < " \n " ;
}
}
ifile . close ( ) ;
unlink ( oldconfigfilename ) ;
ofile . close ( ) ;
if ( controlLDAPServer ( SC_START ) = = 0 ) {
ret = true ;
}
}
else {
ifile . close ( ) ;
rename ( oldconfigfilename . ascii ( ) , newconfigfilename . ascii ( ) ) ;
}
}
else {
rename ( oldconfigfilename . ascii ( ) , newconfigfilename . ascii ( ) ) ;
}
}
if ( ! ret ) {
KMessageBox : : error ( 0 , i18n ( " <qt>Unable to modify LDAP root password<p>Your LDAP server may now be in an inconsistent or disabled state</qt> " ) , i18n ( " Internal Failure " ) ) ;
}
}
}
void LDAPController : : btnChangeRealmAdminPassword ( ) {
TQCString adminPassword ;
int result = KPasswordDialog : : getNewPassword ( adminPassword , i18n ( " Please enter the new realm administrator password: " ) ) ;
if ( result = = KPasswordDialog : : Accepted ) {
TQString realmname = m_defaultRealm . upper ( ) ;
LDAPCredentials * credentials = new LDAPCredentials ;
credentials - > username = " " ;
credentials - > password = " " ;
credentials - > realm = realmname ;
LDAPManager * ldap_mgr = new LDAPManager ( realmname , " ldapi:// " , credentials ) ;
TQString errorstring ;
LDAPTDEBuiltinsInfo builtins = ldap_mgr - > getTDEBuiltinMappings ( & errorstring ) ;
LDAPUserInfo adminuserinfo = ldap_mgr - > getUserByDistinguishedName ( builtins . builtinRealmAdminAccount ) ;
if ( adminuserinfo . informationValid ) {
adminuserinfo . new_password = adminPassword ;
ldap_mgr - > setPasswordForUser ( adminuserinfo , & errorstring ) ;
}
delete ldap_mgr ;
delete credentials ;
}
}
void LDAPController : : defaults ( ) {
//
}
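Review bot: The LDAP branch of updateCertDisplay tests the wrong file: `if (TQFile::exists(kdc_certfile))` guards a read of `ldap_certfile`, so a missing LDAP certificate is never reported as "File not found" and the expiry shown is whatever getCertificateExpiration returns for a non-existent path; change it to `if (TQFile::exists(ldap_certfile)) {`. In btnldapRegenerate, `pwd = getpwnam(m_ldapUserName);` is dereferenced without a null check, so an absent LDAP service account crashes the module; guard it with `if (!pwd) { KMessageBox::error(this, i18n("Unable to look up the LDAP service account"), i18n("Internal Failure")); return; }` before reading pw_uid/pw_gid. In btnChangeLDAPRootPassword the rewritten `olcDatabase={1}hdb.ldif` is created by TQFile::open with the process umask rather than the ownership and mode of the original slapd.d file, the return values of rename() and unlink() are ignored, and the new `olcRootPW` value is an unsalted `{SHA}` digest although OpenLDAP also accepts the salted `{SSHA}` form; stat() the original before the rename and apply its mode and owner to the new file before slapd is restarted. In btnChangeRealmAdminPassword the errorstring from getTDEBuiltinMappings and the result of setPasswordForUser are both discarded, so a failed administrator password change is silently reported as success; surface the error to the user as btnChangeLDAPRootPassword does for its own failure path.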
@ -278,6 +622,7 @@ void LDAPController::defaults() {
void LDAPController : : save ( ) {
m_systemconfig - > setGroup ( NULL ) ;
m_systemconfig - > writeEntry ( " EnableLDAP " , m_base - > systemEnableSupport - > isChecked ( ) ) ;
m_systemconfig - > writeEntry ( " HostFQDN " , m_fqdn ) ;
m_systemconfig - > writeEntry ( " LDAPRole " , m_base - > systemRole - > currentText ( ) ) ;
// Write cert config
@ -371,7 +716,6 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
}
ostream < < line < < " \n " ;
}
ifile . close ( ) ;
ofile . close ( ) ;
// Set permissions
@ -383,6 +727,7 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
//KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(outfile), i18n("Internal Failure"));
printf ( " [INTERNAL FAILURE] Unable to open output schema file %s for writing \n \r " , outfile . ascii ( ) ) ; fflush ( stdout ) ;
}
ifile . close ( ) ;
}
else {
//KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
@ -796,14 +1141,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
chmod ( kdc_keyfile . ascii ( ) , S_IRUSR | S_IWUSR ) ;
chown ( kdc_keyfile . ascii ( ) , 0 , 0 ) ;
command = TQString ( " openssl req -new -out %1 -key %2 -subj \" /C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9 \" " ) . arg ( kdc_reqfile ) . arg ( kdc_keyfile ) . arg ( certinfo . countryName ) . arg ( certinfo . stateOrProvinceName ) . arg ( certinfo . localityName ) . arg ( certinfo . organizationName ) . arg ( certinfo . orgUnitName ) . arg ( certinfo . commonName ) . arg ( certinfo . emailAddress ) ;
system ( command ) ;
command = TQString ( " openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial " ) . arg ( kdc_reqfile ) . arg ( KERBEROS_PKI_PEMKEY_FILE ) . arg ( KERBEROS_PKI_PEM_FILE ) . arg ( kdc_certfile ) . arg ( OPENSSL_EXTENSIONS_FILE ) ;
system ( command ) ;
chmod ( kdc_certfile . ascii ( ) , S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH ) ;
chown ( kdc_certfile . ascii ( ) , 0 , 0 ) ;
unlink ( kdc_reqfile . ascii ( ) ) ;
unlink ( OPENSSL_EXTENSIONS_FILE ) ;
LDAPManager : : generatePublicKerberosCertificate ( certinfo , realmconfig ) ;
// LDAP certificate
TQString ldap_certfile = LDAP_CERT_FILE ;
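Review bot: The result of `LDAPManager::generatePublicKerberosCertificate(certinfo, realmconfig);` is not examined, and the same applies to `generatePublicLDAPCertificate` in the next hunk, after which createRealmCertificates unconditionally returns 0; if these helpers can report failure (their return type is not visible here), a realm with missing or unreadable certificates is reported to the caller as successfully set up. If they return a status, propagate it, e.g. `if (LDAPManager::generatePublicKerberosCertificate(certinfo, realmconfig) != 0) return -1;`; otherwise check the expected certificate files with TQFile::exists before the final `return 0;`. createRealmCertificates begins outside this hunk.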
@ -817,13 +1155,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
chmod ( ldap_keyfile . ascii ( ) , S_IRUSR | S_IWUSR ) ;
chown ( ldap_keyfile . ascii ( ) , ldap_uid , ldap_gid ) ;
command = TQString ( " openssl req -new -out %1 -key %2 -subj \" /C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9 \" " ) . arg ( ldap_reqfile ) . arg ( ldap_keyfile ) . arg ( certinfo . countryName ) . arg ( certinfo . stateOrProvinceName ) . arg ( certinfo . localityName ) . arg ( certinfo . organizationName ) . arg ( certinfo . orgUnitName ) . arg ( realmconfig . admin_server ) . arg ( certinfo . emailAddress ) ;
system ( command ) ;
command = TQString ( " openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial " ) . arg ( ldap_reqfile ) . arg ( KERBEROS_PKI_PEMKEY_FILE ) . arg ( KERBEROS_PKI_PEM_FILE ) . arg ( ldap_certfile ) ;
system ( command ) ;
chmod ( ldap_certfile . ascii ( ) , S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH ) ;
chown ( ldap_certfile . ascii ( ) , ldap_uid , ldap_gid ) ;
unlink ( ldap_reqfile . ascii ( ) ) ;
LDAPManager : : generatePublicLDAPCertificate ( certinfo , realmconfig , ldap_uid , ldap_gid ) ;
return 0 ;
}
@ -841,6 +1173,8 @@ int LDAPController::uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString*
return - 1 ;
}
// #define STRICT_SETUP 1
int LDAPController : : createNewLDAPRealm ( TQWidget * dialogparent , LDAPRealmConfig realmconfig , TQString adminUserName , TQString adminGroupName , TQString machineAdminGroupName , TQString standardUserGroupName , const char * adminPassword , TQString rootUserName , const char * rootPassword , TQString adminRealm , LDAPCertConfig certinfo , TQString * errstr ) {
int ldifSchemaNumber ;
@ -874,21 +1208,27 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
// Stop SASL
if ( controlSASLServer ( SC_STOP ) ! = 0 ) {
# ifdef STRICT_SETUP
if ( errstr ) * errstr = i18n ( " Unable to stop SASL server " ) ;
pdialog . closeDialog ( ) ;
return - 1 ;
# endif // STRICT_SETUP
}
// Stop Heimdal
if ( controlHeimdalServer ( SC_STOP ) ! = 0 ) {
# ifdef STRICT_SETUP
if ( errstr ) * errstr = i18n ( " Unable to stop Kerberos server " ) ;
pdialog . closeDialog ( ) ;
return - 1 ;
# endif // STRICT_SETUP
}
// Stop slapd
if ( controlLDAPServer ( SC_STOP ) ! = 0 ) {
# ifdef STRICT_SETUP
if ( errstr ) * errstr = i18n ( " Unable to stop LDAP server " ) ;
pdialog . closeDialog ( ) ;
return - 1 ;
# endif // STRICT_SETUP
}
pdialog . setStatusMessage ( i18n ( " Purging existing LDAP database... " ) ) ;
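Review bot: With `STRICT_SETUP` left commented out in the preceding hunk (`// #define STRICT_SETUP 1`), the three `#ifdef STRICT_SETUP` blocks compile to nothing, so a failed stop of SASL, Heimdal or slapd falls through to "Purging existing LDAP database..." with no message, and a still-running slapd holding the database while it is purged is a worse state than aborting. Either report and abort unconditionally, or at least keep the `if (errstr) *errstr = i18n("Unable to stop LDAP server");` assignment (and its SASL/Kerberos counterparts) outside the `#ifdef` and show it to the user before continuing, so the failure is visible rather than silently skipped. createNewLDAPRealm begins and ends outside this hunk.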
@ -1000,6 +1340,8 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
chmod ( TQString ( SASL_DEFAULT_FILE ) . ascii ( ) , S_IRUSR | S_IWUSR | S_IRGRP ) ;
chmod ( TQString ( SASL_CONTROL_FILE ) . ascii ( ) , S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH ) ;
chmod ( TQString ( OPENSSL_EXTENSIONS_FILE ) . ascii ( ) , S_IRUSR | S_IWUSR ) ;
pdialog . setStatusMessage ( i18n ( " Installing realm certificates... " ) ) ;
tqApp - > processEvents ( ) ;