diff --git a/confskel/heimdal/kdc.conf b/confskel/heimdal/kdc.conf
index 96f3a8d..d3ba9c8 100644
--- a/confskel/heimdal/kdc.conf
+++ b/confskel/heimdal/kdc.conf
@@ -8,5 +8,6 @@
 database = {
 dbname = ldap:@@@REALM_DCNAME@@@
+ realm = @@@REALM_UCNAME@@@
 acl_file = /etc/heimdal-kdc/kadmind.acl
 }
\ No newline at end of file
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index 3d679a0..67fde9a 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -325,6 +325,14 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
 tqApp->processEvents();
 }
+int LDAPController::controlKAdminDaemon(sc_command command) {
+ if (command == SC_RESTART) {
+ // FIXME
+ // This assumes Debian!
+ return system("/etc/init.d/openbsd-inetd restart");
+ }
+}
+
 int LDAPController::controlSASLServer(sc_command command) {
 if (command == SC_START) {
 // FIXME
@@ -802,10 +810,11 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
 slapd_uid = pwd->pw_uid;
 slapd_gid = pwd->pw_gid;
-// RAJA FIXME
-// SECURITY
-// The ldapi:/// socket in /var/run/ldap is world readable/writable
-// This means anyone with access to the server running LDAP can dump the KRB5 keys!!!!
+ // SECURITY
+ // Make sure that the ldapi:/// socket in /var/run/slapd/ldapi is NOT world readable/writable (technically the permissions are for the directory containing the ldapi socket)
+ // This would mean that anyone with access to the server running LDAP can dump the KRB5 keys!
+ // FIXME
+ // Can we do anything about this now?
 // Base database configuration
 replacePlaceholdersInFile(templateDir + "openldap/ldif/config.ldif", destDir + "ldap/slapd.d/" + TQString("cn=config.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid);
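Review bot: controlKAdminDaemon falls off the end of a non-void function for every command other than SC_RESTART, which is undefined behaviour in C++ and makes a caller's `!= 0` check meaningless for SC_START/SC_STOP; add an explicit result after the if block, `return -1; // only restart is supported (kadmind is run from inetd on Debian)`, or `return 0;` if a no-op is the intent. The `system()` call goes through /bin/sh with the caller's environment; the command string is a constant so there is no injection path, but if this module runs with root privileges (it restarts system services, so presumably it does) the inherited environment is the thing worth documenting, and a `fork()`/`execv()` of the absolute path would avoid the shell entirely. Note also that `system()` returns the raw wait status rather than an exit code, so callers must treat only 0 as success; the visible call site does, but a comment saying so on the function would keep future callers honest.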
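Review bot: The rewritten SECURITY comment still leaves the ldapi socket exposure as an open FIXME with no check, so the setup proceeds even if /var/run/slapd is world-accessible. Socket-directory permissions are also only half of the story: in OpenLDAP, whether a local peer that reaches the socket can read the Kerberos key attributes is decided by slapd's access rules (olcAccess) for those attributes, so the comment should name both controls; suggested wording: `// SECURITY: a local peer that can reach the ldapi socket is limited only by slapd's olcAccess rules for the krb5 key attributes; keep those readable by the KDC identity alone, and keep /var/run/slapd mode 0750 or tighter`. A cheap runtime guard here would be to `stat()` the socket directory and refuse (or at least warn) when `st_mode & S_IRWXO` is nonzero, instead of asking "can we do anything about this now?". The enclosing function starts and ends outside the hunk.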
@@ -966,6 +975,12 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
 pdialog.closeDialog();
 return -1;
 }
+ // Restart kadmind
+ if (controlKAdminDaemon(SC_RESTART) != 0) {
+ if (errstr) *errstr = i18n("Unable to restart Kerberos Administration Service");
+ pdialog.closeDialog();
+ return -1;
+ }
 // Start SASL
 if (controlSASLServer(SC_START) != 0) {
diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h
index 1fad5f8..cdf999f 100644
--- a/src/ldapcontroller.h
+++ b/src/ldapcontroller.h
@@ -69,6 +69,7 @@ class LDAPController: public KCModule
 void processLockouts();
 private:
+ int controlKAdminDaemon(sc_command command);
 int controlSASLServer(sc_command command);
 int controlHeimdalServer(sc_command command, uid_t userid=-1, gid_t groupid=-1);
 int controlLDAPServer(sc_command command, uid_t userid=-1, gid_t groupid=-1);
diff --git a/src/realmintropagedlg.ui b/src/realmintropagedlg.ui
index 402df3e..3b4c649 100644
--- a/src/realmintropagedlg.ui
+++ b/src/realmintropagedlg.ui
@@ -70,7 +70,8 @@
 <p>This Wizard will help you create a new LDAP realm in three quick, easy steps.</p>
 <p>Please note that this Wizard will overwrite any existing LDAP realms and data.</p>
- <p>If you wish to quit the Wizard, click <b>Cancel</b> at any time.</p>
+ <p>If you wish to quit the Wizard, click <b>Cancel</b> at any time.</p>
+ <p><b>NOTE:</b> Kerberos and LDAP rely heavily on proper DNS resolution in order to function correctly. Therefore, you must have functional forward and reverse DNS entries for this system in order to complete this Wizard.</p>
 RichText
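Review bot: The comment `// Restart kadmind` does not match what controlKAdminDaemon actually runs — `/etc/init.d/openbsd-inetd restart` — which bounces every inetd-managed service on the host, not just kadmind, and a future reader of this call site will not know that without opening the helper. Suggest `// Restart kadmind (on Debian it runs from inetd, so this restarts openbsd-inetd and every other inetd service)`, and the i18n error text could likewise mention inetd so the operator knows which service to inspect when this fails. The enclosing function starts and ends outside the hunk.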