Use tdeldap library PKI certificate generation methods

Timothy Pearson 9 years ago
parent 4df015f326
commit 18c4c37897

@ -1,5 +1,5 @@
/***************************************************************************
* Copyright (C) 2012 by Timothy Pearson *
* Copyright (C) 2012 - 2015 by Timothy Pearson *
* kb9vqf@pearsoncomputing.net *
* *
* This program is free software; you can redistribute it and/or modify *
@ -73,7 +73,7 @@ int main(int argc, char *argv[])
{
TDEAboutData aboutData( "primaryrccertupdater", I18N_NOOP("Realm Certificate Updater"),
version, description, TDEAboutData::License_GPL,
"(c) 2012-2013, Timothy Pearson");
"(c) 2012-2015, Timothy Pearson");
aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
TDECmdLineArgs::init( argc, argv, &aboutData );
TDECmdLineArgs::addCmdLineOptions(options);
@ -160,7 +160,7 @@ int main(int argc, char *argv[])
}
if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
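Review bot: The regeneration path now indexes the realm map with `m_realmconfig[m_defaultRealm]` without checking that the default realm is actually present; if m_realmconfig is a TQMap (its declaration is not in view), operator[] on a missing key inserts and returns a default-constructed LDAPRealmConfig, so the CA certificate would be generated from empty realm data rather than the tool failing. A guarded lookup before the call, `if (!m_realmconfig.contains(m_defaultRealm)) { fprintf(stderr, "Unknown realm %s\n", m_defaultRealm.ascii()); return 1; }`, would make that failure explicit. The result of generatePublicKerberosCACertificate is also never inspected, so if the library method reports failure the code proceeds straight to building LDAP credentials; if it does return a status, checking it here is worthwhile. main continues outside the hunk.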

@ -14,6 +14,3 @@ ldapldifskel_DATA = openldap/ldif/*
saslskeldir = $(confskeldir)/sasl
saslskel_DATA = sasl/*
sslskeldir = $(confskeldir)/openssl
sslskel_DATA = openssl/*

@ -1,61 +0,0 @@
[ kdc_cert ]
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
#Pkinit EKU
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# Copy subject details
issuerAltName=issuer:copy
# Add id-pkinit-san (pkinit subjectAlternativeName)
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
principal_name = EXP:1, SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:@@@REALM_UCNAME@@@
[ client_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
# Copy subject details
issuerAltName=issuer:copy
[princ_name]
realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
principal_name = EXP:1, SEQUENCE:principal_seq
[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals
[principals]
princ1 = GeneralString:@@@KDCSERVER@@@

@ -590,7 +590,7 @@ void LDAPController::btncaSetMaster() {
return;
}
LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
@ -604,7 +604,7 @@ void LDAPController::btncaSetMaster() {
}
void LDAPController::btncaRegenerate() {
LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
@ -1591,7 +1591,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
LDAPManager::generatePublicKerberosCACertificate(certinfo);
LDAPManager::generatePublicKerberosCACertificate(certinfo, m_realmconfig[m_defaultRealm]);
// KDC certificate
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
@ -1807,7 +1807,7 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);
// OpenSSL
replacePlaceholdersInFile(templateDir + "openssl/pki_extensions", OPENSSL_EXTENSIONS_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);
LDAPManager::writeOpenSSLConfigurationFile(realmconfig);
// FIXME
// This assumes Debian!
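Review bot: In createRealmCertificates the new call passes `m_realmconfig[m_defaultRealm]` even though the hunk header shows the function already receives an LDAPRealmConfig argument (its name is cut off in the header); if that argument can describe a realm other than the default, the CA certificate would be generated for the wrong realm while the KDC certificate built just below uses the caller's data, and the map lookup also has no check that m_defaultRealm exists. Passing the function's own realm-config parameter to generatePublicKerberosCACertificate instead of re-deriving it from m_defaultRealm keeps the CA and KDC certificates consistent. In createNewLDAPRealm, `LDAPManager::writeOpenSSLConfigurationFile(realmconfig);` replaces the templated pki_extensions file, which carried the PKINIT extendedKeyUsage values and the krbtgt subjectAltName, and its result is not checked; since the later certificate steps depend on that configuration, a status check — or at least a comment such as `// PKINIT EKU/SAN extensions are now emitted by tdeldap; see LDAPManager::writeOpenSSLConfigurationFile` — would help the next reader confirm nothing was lost in the move. Both functions continue outside the hunks.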
