|
|
|
|
@ -147,113 +147,118 @@ int main(int argc, char *argv[])
|
|
|
|
|
delete ldap_mgr;
|
|
|
|
|
delete credentials;
|
|
|
|
|
|
|
|
|
|
if (realmCAMaster == fqdn) {
|
|
|
|
|
printf("This server is the realm CA master\n"); fflush(stdout);
|
|
|
|
|
if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
|
|
|
|
|
certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
if (certExpiry >= now) {
|
|
|
|
|
printf("Certificate %s expires %s\n", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
|
|
|
|
|
printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
|
|
|
|
|
LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
|
|
|
|
|
|
|
|
|
|
TQString realmname = m_defaultRealm.upper();
|
|
|
|
|
LDAPCredentials* credentials = new LDAPCredentials;
|
|
|
|
|
credentials->username = "";
|
|
|
|
|
credentials->password = "";
|
|
|
|
|
credentials->realm = realmname;
|
|
|
|
|
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
|
|
|
|
|
|
|
|
|
|
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
|
|
|
|
|
TQString errorstring;
|
|
|
|
|
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
|
|
|
|
|
printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
|
|
|
|
|
if (realmCAMaster == "") {
|
|
|
|
|
printf("[WARNING] Unable to determine the realm CA master! CA will not be updated\n"); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
if (realmCAMaster == fqdn) {
|
|
|
|
|
printf("This server is the realm CA master\n"); fflush(stdout);
|
|
|
|
|
if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
|
|
|
|
|
certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
if (certExpiry >= now) {
|
|
|
|
|
printf("Certificate %s expires %s\n", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
|
|
|
|
|
printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
|
|
|
|
|
LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
|
|
|
|
|
|
|
|
|
|
TQString realmname = m_defaultRealm.upper();
|
|
|
|
|
LDAPCredentials* credentials = new LDAPCredentials;
|
|
|
|
|
credentials->username = "";
|
|
|
|
|
credentials->password = "";
|
|
|
|
|
credentials->realm = realmname;
|
|
|
|
|
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
|
|
|
|
|
|
|
|
|
|
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
|
|
|
|
|
TQString errorstring;
|
|
|
|
|
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
|
|
|
|
|
printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
delete ldap_mgr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
delete ldap_mgr;
|
|
|
|
|
// Set permissions
|
|
|
|
|
chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
|
|
|
|
|
chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
|
|
|
|
|
chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
|
|
|
|
|
chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
else {
|
|
|
|
|
printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
printf("This server is a realm CA slave\n"); fflush(stdout);
|
|
|
|
|
|
|
|
|
|
// Connect to LDAP
|
|
|
|
|
TQString realmname = defaultRealm.upper();
|
|
|
|
|
LDAPCredentials* credentials = new LDAPCredentials;
|
|
|
|
|
credentials->username = "cn=admin," + basedn;
|
|
|
|
|
m_systemconfig->setGroup("Replication");
|
|
|
|
|
credentials->password = m_systemconfig->readEntry("Password");
|
|
|
|
|
m_systemconfig->setGroup(NULL);
|
|
|
|
|
credentials->realm = realmname;
|
|
|
|
|
LDAPManager* ldap_mgr = new LDAPManager(realmname, TQString("ldaps://%1/").arg(realmCAMaster), credentials);
|
|
|
|
|
TQString errorstring;
|
|
|
|
|
|
|
|
|
|
if (ldap_mgr->getTDECertificate("privateRootCertificateKey", KERBEROS_PKI_PEMKEY_FILE ".tmp", &errorstring) != 0) {
|
|
|
|
|
printf("[ERROR] Unable to get private CA certificate key from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PEM_FILE ".tmp", &errorstring) != 0) {
|
|
|
|
|
printf("[ERROR] Unable to get public CA certificate from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
delete ldap_mgr;
|
|
|
|
|
delete credentials;
|
|
|
|
|
|
|
|
|
|
TQByteArray originalPemKeyFile;
|
|
|
|
|
TQByteArray originalPemFile;
|
|
|
|
|
TQByteArray newPemKeyFile;
|
|
|
|
|
TQByteArray newPemFile;
|
|
|
|
|
|
|
|
|
|
TQFile* cafile;
|
|
|
|
|
cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE);
|
|
|
|
|
if (cafile->open(IO_ReadOnly)) {
|
|
|
|
|
originalPemKeyFile = cafile->readAll();
|
|
|
|
|
}
|
|
|
|
|
delete cafile;
|
|
|
|
|
cafile = new TQFile(KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
if (cafile->open(IO_ReadOnly)) {
|
|
|
|
|
originalPemFile = cafile->readAll();
|
|
|
|
|
}
|
|
|
|
|
delete cafile;
|
|
|
|
|
cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE ".tmp");
|
|
|
|
|
if (cafile->open(IO_ReadOnly)) {
|
|
|
|
|
newPemKeyFile = cafile->readAll();
|
|
|
|
|
}
|
|
|
|
|
delete cafile;
|
|
|
|
|
cafile = new TQFile(KERBEROS_PKI_PEM_FILE ".tmp");
|
|
|
|
|
if (cafile->open(IO_ReadOnly)) {
|
|
|
|
|
newPemFile = cafile->readAll();
|
|
|
|
|
}
|
|
|
|
|
delete cafile;
|
|
|
|
|
|
|
|
|
|
if ((originalPemKeyFile == newPemKeyFile) && (originalPemFile == newPemFile)) {
|
|
|
|
|
unlink(KERBEROS_PKI_PEMKEY_FILE ".tmp");
|
|
|
|
|
unlink(KERBEROS_PKI_PEM_FILE ".tmp");
|
|
|
|
|
printf("Certificates have not changed since last update\n");
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
unlink(KERBEROS_PKI_PEMKEY_FILE);
|
|
|
|
|
unlink(KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
rename(KERBEROS_PKI_PEMKEY_FILE ".tmp", KERBEROS_PKI_PEMKEY_FILE);
|
|
|
|
|
rename(KERBEROS_PKI_PEM_FILE ".tmp", KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
force_update = true;
|
|
|
|
|
printf("Certificates have changed, forcing certificate regeneration\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set permissions
|
|
|
|
|
chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
|
|
|
|
|
chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
|
|
|
|
|
chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
|
|
|
|
|
chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
printf("This server is a realm CA slave\n"); fflush(stdout);
|
|
|
|
|
|
|
|
|
|
// Connect to LDAP
|
|
|
|
|
TQString realmname = defaultRealm.upper();
|
|
|
|
|
LDAPCredentials* credentials = new LDAPCredentials;
|
|
|
|
|
credentials->username = "cn=admin," + basedn;
|
|
|
|
|
m_systemconfig->setGroup("Replication");
|
|
|
|
|
credentials->password = m_systemconfig->readEntry("Password");
|
|
|
|
|
m_systemconfig->setGroup(NULL);
|
|
|
|
|
credentials->realm = realmname;
|
|
|
|
|
LDAPManager* ldap_mgr = new LDAPManager(realmname, TQString("ldaps://%1/").arg(realmCAMaster), credentials);
|
|
|
|
|
TQString errorstring;
|
|
|
|
|
|
|
|
|
|
if (ldap_mgr->getTDECertificate("privateRootCertificateKey", KERBEROS_PKI_PEMKEY_FILE ".tmp", &errorstring) != 0) {
|
|
|
|
|
printf("[ERROR] Unable to get private CA certificate key from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PEM_FILE ".tmp", &errorstring) != 0) {
|
|
|
|
|
printf("[ERROR] Unable to get public CA certificate from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
delete ldap_mgr;
|
|
|
|
|
delete credentials;
|
|
|
|
|
|
|
|
|
|
TQByteArray originalPemKeyFile;
|
|
|
|
|
TQByteArray originalPemFile;
|
|
|
|
|
TQByteArray newPemKeyFile;
|
|
|
|
|
TQByteArray newPemFile;
|
|
|
|
|
|
|
|
|
|
TQFile* cafile;
|
|
|
|
|
cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE);
|
|
|
|
|
if (cafile->open(IO_ReadOnly)) {
|
|
|
|
|
originalPemKeyFile = cafile->readAll();
|
|
|
|
|
}
|
|
|
|
|
delete cafile;
|
|
|
|
|
cafile = new TQFile(KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
if (cafile->open(IO_ReadOnly)) {
|
|
|
|
|
originalPemFile = cafile->readAll();
|
|
|
|
|
}
|
|
|
|
|
delete cafile;
|
|
|
|
|
cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE ".tmp");
|
|
|
|
|
if (cafile->open(IO_ReadOnly)) {
|
|
|
|
|
newPemKeyFile = cafile->readAll();
|
|
|
|
|
}
|
|
|
|
|
delete cafile;
|
|
|
|
|
cafile = new TQFile(KERBEROS_PKI_PEM_FILE ".tmp");
|
|
|
|
|
if (cafile->open(IO_ReadOnly)) {
|
|
|
|
|
newPemFile = cafile->readAll();
|
|
|
|
|
}
|
|
|
|
|
delete cafile;
|
|
|
|
|
|
|
|
|
|
if ((originalPemKeyFile == newPemKeyFile) && (originalPemFile == newPemFile)) {
|
|
|
|
|
unlink(KERBEROS_PKI_PEMKEY_FILE ".tmp");
|
|
|
|
|
unlink(KERBEROS_PKI_PEM_FILE ".tmp");
|
|
|
|
|
printf("Certificates have not changed since last update\n");
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
unlink(KERBEROS_PKI_PEMKEY_FILE);
|
|
|
|
|
unlink(KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
rename(KERBEROS_PKI_PEMKEY_FILE ".tmp", KERBEROS_PKI_PEMKEY_FILE);
|
|
|
|
|
rename(KERBEROS_PKI_PEM_FILE ".tmp", KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
force_update = true;
|
|
|
|
|
printf("Certificates have changed, forcing certificate regeneration\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set permissions
|
|
|
|
|
chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
|
|
|
|
|
chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
|
|
|
|
|
chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
|
|
|
|
|
chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Kerberos
|
|
|
|
|
|
Timothy Pearson
12 years ago