Use tdeldap library PKI certificate generation methods

10 years ago · 18c4c37897
parent 4df015f326
commit 18c4c37897
4 changed files with 7 additions and 71 deletions
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@ -1,5 +1,5 @@
 /***************************************************************************
- *   Copyright (C) 2012 by Timothy Pearson                                 *
+ *   Copyright (C) 2012 - 2015 by Timothy Pearson                          *
 *   kb9vqf@pearsoncomputing.net                                           *
 *                                                                         *
 *   This program is free software; you can redistribute it and/or modify  *
@ -73,7 +73,7 @@ int main(int argc, char *argv[])
 {
 	TDEAboutData aboutData( "primaryrccertupdater", I18N_NOOP("Realm Certificate Updater"),
 		version, description, TDEAboutData::License_GPL,
-		"(c) 2012-2013, Timothy Pearson");
+		"(c) 2012-2015, Timothy Pearson");
 		aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
 	TDECmdLineArgs::init( argc, argv, &aboutData );
 	TDECmdLineArgs::addCmdLineOptions(options);
@ -160,7 +160,7 @@ int main(int argc, char *argv[])
 				}
 				if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
 					printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
-					LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+					LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
 					TQString realmname = m_defaultRealm.upper();
 					LDAPCredentials* credentials = new LDAPCredentials;
--- a/confskel/Makefile.am
+++ b/confskel/Makefile.am
@ -14,6 +14,3 @@ ldapldifskel_DATA = openldap/ldif/*
 saslskeldir = $(confskeldir)/sasl
 saslskel_DATA = sasl/*
 sslskeldir = $(confskeldir)/openssl
 sslskel_DATA = openssl/*
--- a/confskel/openssl/pki_extensions
+++ b/confskel/openssl/pki_extensions
@ -1,61 +0,0 @@
 [ kdc_cert ]
 basicConstraints=CA:FALSE
 # Here are some examples of the usage of nsCertType. If it is omitted
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
 #Pkinit EKU
 extendedKeyUsage = 1.3.6.1.5.2.3.5
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
 # Copy subject details
 issuerAltName=issuer:copy
 # Add id-pkinit-san (pkinit subjectAlternativeName)
 subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
 [kdc_princ_name]
 realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
 principal_name = EXP:1, SEQUENCE:kdc_principal_seq
 [kdc_principal_seq]
 name_type = EXP:0, INTEGER:1
 name_string = EXP:1, SEQUENCE:kdc_principals
 [kdc_principals]
 princ1 = GeneralString:krbtgt
 princ2 = GeneralString:@@@REALM_UCNAME@@@
 [ client_cert ]
 # These extensions are added when 'ca' signs a request.
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, keyEncipherment, keyAgreement
 extendedKeyUsage =  1.3.6.1.5.2.3.4
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
 subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
 # Copy subject details
 issuerAltName=issuer:copy
 [princ_name]
 realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
 principal_name = EXP:1, SEQUENCE:principal_seq
 [principal_seq]
 name_type = EXP:0, INTEGER:1
 name_string = EXP:1, SEQUENCE:principals
 [principals]
 princ1 = GeneralString:@@@KDCSERVER@@@
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@ -590,7 +590,7 @@ void LDAPController::btncaSetMaster() {
 			return;
 		}
-		LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+		LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
 		// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
 		if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
@ -604,7 +604,7 @@ void LDAPController::btncaSetMaster() {
 }
 void LDAPController::btncaRegenerate() {
-	LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+	LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
 	TQString realmname = m_defaultRealm.upper();
 	LDAPCredentials* credentials = new LDAPCredentials;
@ -1591,7 +1591,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
 	chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
 	chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
-	LDAPManager::generatePublicKerberosCACertificate(certinfo);
+	LDAPManager::generatePublicKerberosCACertificate(certinfo, m_realmconfig[m_defaultRealm]);
 	// KDC certificate
 	TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
@ -1807,7 +1807,7 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
 	replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);
 	// OpenSSL
-	replacePlaceholdersInFile(templateDir + "openssl/pki_extensions", OPENSSL_EXTENSIONS_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);
+	LDAPManager::writeOpenSSLConfigurationFile(realmconfig);
 	// FIXME
 	// This assumes Debian!