TDE
/
kcmldapcontroller
mirror of https://mirror.git.trinitydesktop.org/gitea/TDE/kcmldapcontroller
0
0
Fork 0
Code Issues Releases Wiki Activity

Add initial support for realm-wide certificate authority certificates

Browse Source
pull/1/head
Timothy Pearson 11 years ago
parent f5f1d1557d
commit 2a0b3a4f1d
6 changed files with 324 additions and 82 deletions
Show Stats Download Patch File Download Diff File

170
cert-updater/main.cpp
Unescape View File

@ -44,6 +44,18 @@ static const char description[] =
static const char version[] = "v0.0.1";
static const TDECmdLineOptions options[] =
{
{ "force", I18N_NOOP("Force certificate update"), 0 },
TDECmdLineLastOption // End of options.
};
void chown_safe(const char * file, uid_t user, gid_t group) {
if (chown(file, user, group) < 0) {
printf("[ERROR] Chown call to '%s' for %d:%d failed!\n\r", file, user, group);
}
}
int uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr) {
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
TQFile cafile(KERBEROS_PKI_PEM_FILE);
@ -61,15 +73,23 @@ int main(int argc, char *argv[])
{
TDEAboutData aboutData( "primaryrccertupdater", I18N_NOOP("Realm Certificate Updater"),
version, description, TDEAboutData::License_GPL,
"(c) 2012, Timothy Pearson");
"(c) 2012-2013, Timothy Pearson");
aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
TDECmdLineArgs::init( argc, argv, &aboutData );
TDECmdLineArgs::addCmdLineOptions(options);
TDEApplication::disableAutoDcopRegistration();
TDEApplication app(false, false);
TDEStartupInfo::appStarted();
TDECmdLineArgs *args = TDECmdLineArgs::parsedArgs();
bool force_update = false;
if (args->isSet("force")) {
force_update = true;
}
//======================================================================================================================================================
//
// Updater code follows
@ -107,33 +127,133 @@ int main(int argc, char *argv[])
ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server);
// Certificate Authority
if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
if (certExpiry >= now) {
printf("Certificate %s expires %s\n", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
credentials->realm = realmname;
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
TQString errorstring;
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
TQString fqdn = LDAPManager::getMachineFQDN();
TQString defaultRealm = m_systemconfig->readEntry("DefaultRealm");
// Connect to LDAP
TQString realmname = defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
credentials->realm = realmname;
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
TQString errorstring;
TQString basedn = ldap_mgr->basedn();
// Get certificate settings from LDAP
TQString realmCAMaster = ldap_mgr->getRealmCAMaster(&errorstring);
delete ldap_mgr;
delete credentials;
if (realmCAMaster == fqdn) {
printf("This server is the realm CA master\n"); fflush(stdout);
if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
if (certExpiry >= now) {
printf("Certificate %s expires %s\n", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
credentials->realm = realmname;
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
TQString errorstring;
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
}
delete ldap_mgr;
}
delete ldap_mgr;
// Set permissions
chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
}
else {
printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
}
}
else {
printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
printf("This server is a realm CA slave\n"); fflush(stdout);
// Connect to LDAP
TQString realmname = defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "cn=admin," + basedn;
m_systemconfig->setGroup("Replication");
credentials->password = m_systemconfig->readEntry("Password");
m_systemconfig->setGroup(NULL);
credentials->realm = realmname;
LDAPManager* ldap_mgr = new LDAPManager(realmname, TQString("ldaps://%1/").arg(realmCAMaster), credentials);
TQString errorstring;
if (ldap_mgr->getTDECertificate("privateRootCertificateKey", KERBEROS_PKI_PEMKEY_FILE ".tmp", &errorstring) != 0) {
printf("[ERROR] Unable to get private CA certificate key from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
}
if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PEM_FILE ".tmp", &errorstring) != 0) {
printf("[ERROR] Unable to get public CA certificate from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
}
delete ldap_mgr;
delete credentials;
TQByteArray originalPemKeyFile;
TQByteArray originalPemFile;
TQByteArray newPemKeyFile;
TQByteArray newPemFile;
TQFile* cafile;
cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE);
if (cafile->open(IO_ReadOnly)) {
originalPemKeyFile = cafile->readAll();
}
delete cafile;
cafile = new TQFile(KERBEROS_PKI_PEM_FILE);
if (cafile->open(IO_ReadOnly)) {
originalPemFile = cafile->readAll();
}
delete cafile;
cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE ".tmp");
if (cafile->open(IO_ReadOnly)) {
newPemKeyFile = cafile->readAll();
}
delete cafile;
cafile = new TQFile(KERBEROS_PKI_PEM_FILE ".tmp");
if (cafile->open(IO_ReadOnly)) {
newPemFile = cafile->readAll();
}
delete cafile;
if ((originalPemKeyFile == newPemKeyFile) && (originalPemFile == newPemFile)) {
unlink(KERBEROS_PKI_PEMKEY_FILE ".tmp");
unlink(KERBEROS_PKI_PEM_FILE ".tmp");
printf("Certificates have not changed since last update\n");
}
else {
unlink(KERBEROS_PKI_PEMKEY_FILE);
unlink(KERBEROS_PKI_PEM_FILE);
rename(KERBEROS_PKI_PEMKEY_FILE ".tmp", KERBEROS_PKI_PEMKEY_FILE);
rename(KERBEROS_PKI_PEM_FILE ".tmp", KERBEROS_PKI_PEM_FILE);
force_update = true;
printf("Certificates have changed, forcing certificate regeneration\n");
}
// Set permissions
chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
}
// Kerberos
@ -142,7 +262,7 @@ int main(int argc, char *argv[])
if (certExpiry >= now) {
printf("Certificate %s expires %s\n", kdc_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
printf("Regenerating certificate %s...\n", kdc_certfile.ascii()); fflush(stdout);
LDAPManager::generatePublicKerberosCertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
}
@ -157,7 +277,7 @@ int main(int argc, char *argv[])
if (certExpiry >= now) {
printf("Certificate %s expires %s\n", ldap_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
printf("Regenerating certificate %s...\n", ldap_certfile.ascii()); fflush(stdout);
uid_t slapd_uid = 0;
gid_t slapd_gid = 0;

4
confskel/openldap/ldif/tde-core.ldif
Unescape View File

@ -24,8 +24,10 @@ olcAttributeTypes: {15} ( 1.3.6.1.4.1.40364.1.1.16 NAME 'builtinRealmAdminAccoun
olcAttributeTypes: {16} ( 1.3.6.1.4.1.40364.1.1.17 NAME 'builtinRealmAdminGroup' DESC 'Built-in realm administrative group distinguished name' SUP name )
olcAttributeTypes: {17} ( 1.3.6.1.4.1.40364.1.1.18 NAME 'builtinMachineAdminGroup' DESC 'Built-in local machine administrative group distinguished name' SUP name )
olcAttributeTypes: {18} ( 1.3.6.1.4.1.40364.1.1.19 NAME 'builtinStandardUserGroup' DESC 'Built-in standard user group distinguished name' SUP name )
# Used for storing certificate management settings
olcAttributeTypes: {19} ( 1.3.6.1.4.1.40364.1.1.20 NAME 'publicRootCertificateOriginServer' DESC 'Certificate authority root certificate origin server' SUP name )
olcObjectClasses: {0} ( 1.3.6.1.4.1.40364.1.2.1 NAME 'tdeExtendedUserData' SUP top AUXILIARY MAY ( website
URL $ managerName $ secretaryName $ teletexId $ preferredDelivery $ locallyUniqueID $ notes $ pwdLastSet $ badPwdCount $ badPasswordTime $ lastLogon $ lastLogoff ) )
olcObjectClasses: {1} ( 1.3.6.1.4.1.40364.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY tdeBuiltinAccount )
olcObjectClasses: {2} ( 1.3.6.1.4.1.40364.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey ) )
olcObjectClasses: {2} ( 1.3.6.1.4.1.40364.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey $ publicRootCertificateOriginServer ) )
olcObjectClasses: {3} ( 1.3.6.1.4.1.40364.1.2.4 NAME 'tdeBuiltinStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ builtinRealmAdminAccount $ builtinRealmAdminGroup $ builtinMachineAdminGroup $ builtinStandardUserGroup ) )

154
src/ldapcontroller.cpp
Unescape View File

@ -118,6 +118,8 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
connect(m_base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
connect(m_base->systemRole, TQT_SIGNAL(activated(const TQString&)), this, TQT_SLOT(systemRoleChanged()));
connect(m_base->caSetMaster, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaSetMaster()));
connect(m_base->caRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaRegenerate()));
connect(m_base->caExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExportKey()));
connect(m_base->caExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExportCert()));
@ -161,13 +163,13 @@ LDAPController::~LDAPController() {
void system_safe(const char * cmdstr) {
if (system(cmdstr) < 0) {
printf("[ERROR] System call to '%s' failed!\n", cmdstr);
printf("[ERROR] System call to '%s' failed!\n\r", cmdstr);
}
}
void chown_safe(const char * file, uid_t user, gid_t group) {
if (chown(file, user, group) < 0) {
printf("[ERROR] Chown call to '%s' for %d:%d failed!\n", file, user, group);
printf("[ERROR] Chown call to '%s' for %d:%d failed!\n\r", file, user, group);
}
}
@ -298,6 +300,7 @@ void LDAPController::systemRoleChanged() {
LDAPManager::writeTDERealmList(realms, m_systemconfig);
m_systemconfig->setGroup(NULL);
m_systemconfig->deleteEntry("DefaultRealm");
m_systemconfig->deleteGroup("Replication", true, false);
m_systemconfig->sync();
pdialog.closeDialog();
@ -357,33 +360,16 @@ void LDAPController::load() {
}
if (ldapRole == "Primary Realm Controller") {
m_base->systemRole->setCurrentItem(ROLE_PRIMARY_REALM_CONTROLLER);
// Connect to LDAP
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
credentials->realm = realmname;
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
TQString errorstring;
// Get replication mappings from LDAP
LDAPMasterReplicationInfo replicationsettings = ldap_mgr->getLDAPMasterReplicationSettings(&errorstring);
m_base->advancedEnableMultiMasterReplication->setChecked(replicationsettings.enabled);
m_base->multiMasterReplicationMappings->clear();
LDAPMasterReplicationMap::iterator it;
for (it = replicationsettings.serverIDs.begin(); it != replicationsettings.serverIDs.end(); ++it) {
new TQListViewItem(m_base->multiMasterReplicationMappings, TQString("%1").arg((*it).id), (*it).fqdn);
}
delete ldap_mgr;
delete credentials;
}
else {
m_base->systemRole->setCurrentItem(ROLE_WORKSTATION);
}
m_prevRole = m_base->systemRole->currentItem();
// Load server-specific replication settings
m_systemconfig->setGroup("Replication");
m_base->ignoreReplicationSSLFailures->setChecked(m_systemconfig->readBoolEntry("IgnoreSSLFailures", false));
// Load cert config
m_systemconfig->setGroup("Certificates");
m_certconfig.countryName = m_systemconfig->readEntry("countryName");
@ -415,9 +401,12 @@ void LDAPController::load() {
// Display builtin account and group names, and provide a password reset button for each builtin user (yes, this includes the LDAP admin account!)
// FIXME
// root account should not be locked to "admin"!
// when fixing, please fix the other instance of locked "admin" in realmwizard.cpp ::accept()
// when fixing, please fix the two instances of locked "admin":
// 1.) in realmwizard.cpp ::accept()
// 2.) in LDAPManager::setLDAPMasterReplicationSettings()
m_base->ldapRootUser->setText(TQString("cn=%1,").arg("admin") + LDAPManager::ldapdnForRealm(m_defaultRealm));
// Connect to LDAP
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
@ -425,7 +414,22 @@ void LDAPController::load() {
credentials->realm = realmname;
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
TQString errorstring;
// Get builtin TDE account mappings from LDAP
LDAPTDEBuiltinsInfo builtins = ldap_mgr->getTDEBuiltinMappings(&errorstring);
// Get replication mappings from LDAP
LDAPMasterReplicationInfo replicationsettings = ldap_mgr->getLDAPMasterReplicationSettings(&errorstring);
m_base->advancedEnableMultiMasterReplication->setChecked(replicationsettings.enabled);
m_base->multiMasterReplicationMappings->clear();
LDAPMasterReplicationMap::iterator it;
for (it = replicationsettings.serverIDs.begin(); it != replicationsettings.serverIDs.end(); ++it) {
new TQListViewItem(m_base->multiMasterReplicationMappings, TQString("%1").arg((*it).id), (*it).fqdn);
}
// Get certificate settings from LDAP
TQString realmCAMaster = ldap_mgr->getRealmCAMaster(&errorstring);
delete ldap_mgr;
delete credentials;
@ -434,6 +438,14 @@ void LDAPController::load() {
m_base->realmMachineAdminGroup->setText(LDAPManager::cnFromDn(builtins.builtinMachineAdminGroup));
m_base->realmStandardUserGroup->setText(LDAPManager::cnFromDn(builtins.builtinStandardUserGroup));
m_base->caCurrentMaster->setText(realmCAMaster);
if (m_fqdn == realmCAMaster) {
m_base->caSetMaster->setEnabled(false);
}
else {
m_base->caSetMaster->setEnabled(true);
}
updateCertDisplay();
m_certRefreshTimer.start(60*1000);
}
@ -533,6 +545,37 @@ void LDAPController::updateCertDisplay() {
}
}
void LDAPController::btncaSetMaster() {
if (KMessageBox::warningYesNo(this, i18n("<qt><b>You are about to promote the server '%1' to the role of Certificate Authority Master</b><p>Are you sure you want to proceed?</qt>").arg(m_fqdn), i18n("Confirmation Required")) == KMessageBox::Yes) {
TQString errorstring;
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
credentials->realm = realmname;
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
if (ldap_mgr->setRealmCAMaster(m_fqdn, &errorstring) != 0) {
KMessageBox::error(0, i18n("<qt>Unable to change certificate authority master server!<p>%1</qt>").arg(errorstring), i18n("Internal Failure"));
delete ldap_mgr;
load();
return;
}
LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
KMessageBox::error(0, i18n("<qt>Unable to upload new certificate to LDAP server!<p>%1</qt>").arg(errorstring), i18n("Internal Failure"));
}
delete ldap_mgr;
load();
}
}
void LDAPController::btncaRegenerate() {
LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
@ -723,6 +766,11 @@ void LDAPController::btnChangeRealmAdminPassword() {
if (adminuserinfo.informationValid) {
adminuserinfo.new_password = adminPassword;
ldap_mgr->setPasswordForUser(adminuserinfo, &errorstring);
m_systemconfig->setGroup("Replication");
m_systemconfig->writeEntry("Password", adminPassword.data());
m_systemconfig->setGroup(NULL);
m_systemconfig->sync();
}
delete ldap_mgr;
@ -853,6 +901,10 @@ void LDAPController::save() {
m_systemconfig->writeEntry("HostFQDN", m_fqdn);
m_systemconfig->writeEntry("LDAPRole", m_base->systemRole->currentText());
// Write server-specific replication settings
m_systemconfig->setGroup("Replication");
m_systemconfig->writeEntry("IgnoreSSLFailures", m_base->ignoreReplicationSSLFailures->isChecked());
// Write cert config
m_systemconfig->setGroup("Certificates");
m_systemconfig->writeEntry("countryName", m_certconfig.countryName);
@ -891,6 +943,14 @@ void LDAPController::save() {
replicationSettings.serverIDs.append(mapping);
++it;
}
// Use the local password for inter-master authentication
// All realm controllers in a realm must (obviously) use the same admin/config password!
m_systemconfig->setGroup("Replication");
replicationSettings.syncPassword = m_systemconfig->readEntry("Password");
m_systemconfig->setGroup(NULL);
replicationSettings.ignore_ssl_failure = m_base->ignoreReplicationSSLFailures->isChecked();
if (ldap_mgr->setLDAPMasterReplicationSettings(replicationSettings, NULL) != 0) {
// ERROR
}
@ -983,13 +1043,13 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
}
else {
//KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(outfile), i18n("Internal Failure"));
printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n", outfile.ascii()); fflush(stdout);
printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n\r", outfile.ascii()); fflush(stdout);
}
ifile.close();
}
else {
//KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
printf("[INTERNAL FAILURE] Unable to open template schema file %s\n", infile.ascii()); fflush(stdout);
printf("[INTERNAL FAILURE] Unable to open template schema file %s\n\r", infile.ascii()); fflush(stdout);
}
// Keep UI responsive
@ -1117,7 +1177,7 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n", prompt.ascii());
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt.contains("authentication failed")) {
@ -1132,7 +1192,7 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n", prompt.ascii());
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt.startsWith("Realm max")) {
@ -1141,7 +1201,7 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n", prompt.ascii());
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
}
@ -1187,7 +1247,7 @@ int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n", prompt.ascii());
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt.contains("authentication failed")) {
@ -1210,7 +1270,7 @@ int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n", prompt.ascii());
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
// Use all defaults
@ -1235,7 +1295,7 @@ int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n", prompt.ascii());
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
}
@ -1245,7 +1305,7 @@ int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n", prompt.ascii());
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt != "kadmin>") {
@ -1296,7 +1356,7 @@ int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, T
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n", prompt.ascii());
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt.startsWith("ext --keytab="));
prompt = prompt.stripWhiteSpace();
if (prompt.contains("authentication failed")) {
@ -1319,7 +1379,7 @@ int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, T
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n", prompt.ascii());
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
// Use all defaults
@ -1344,7 +1404,7 @@ int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, T
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n", prompt.ascii());
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
}
@ -1354,7 +1414,7 @@ int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, T
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n", prompt.ascii());
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt.startsWith("ext --keytab="));
prompt = prompt.stripWhiteSpace();
if (prompt != "kadmin>") {
@ -1407,7 +1467,7 @@ int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *e
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n", prompt.ascii());
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt.contains("authentication failed")) {
@ -1421,7 +1481,7 @@ int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *e
kadminProc.writeLine(user.password, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n", prompt.ascii());
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == "");
prompt = prompt.stripWhiteSpace();
if ((prompt.endsWith(" Password:")) && (prompt.startsWith("Verify"))) {
@ -1429,7 +1489,7 @@ int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *e
kadminProc.writeLine(user.password, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
printf("(kadmin) '%s'\n", prompt.ascii());
printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == "");
prompt = prompt.stripWhiteSpace();
}
@ -1897,6 +1957,15 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
return -1;
}
// Set CA master
if (ldap_mgr->setRealmCAMaster(m_fqdn, &errorstring) != 0) {
delete ldap_mgr;
delete credentials;
if (errstr) *errstr = errorstring;
pdialog.closeDialog();
return -1;
}
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
delete ldap_mgr;
@ -1937,6 +2006,11 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
LDAPManager::writeTDERealmList(realms, m_systemconfig);
m_systemconfig->setGroup(NULL);
m_systemconfig->writeEntry("DefaultRealm", realmconfig.name);
m_systemconfig->setGroup("Replication");
m_systemconfig->writeEntry("Password", adminPassword);
m_systemconfig->setGroup(NULL);
m_systemconfig->sync();
LDAPManager::writeLDAPConfFile(realmconfig);

1
src/ldapcontroller.h
Unescape View File

@ -68,6 +68,7 @@ class LDAPController: public TDECModule
void processLockouts();
void updateCertDisplay();
void btncaSetMaster();
void btncaRegenerate();
void btncaExportKey();
void btncaExportCert();

75
src/ldapcontrollerconfigbase.ui
Unescape View File

@ -186,7 +186,31 @@
<property name="name">
<cstring>unnamed</cstring>
</property>
<widget class="TQLabel" row="0" column="0" colspan="1">
<widget class="TQLabel" row="0" column="0" colspan="1" rowspan="1">
<property name="name">
<cstring>unnamed10</cstring>
</property>
<property name="text">
<cstring>Certificate Authority Master:</cstring>
</property>
</widget>
<widget class="TQLabel" row="0" column="2" colspan="1" rowspan="1">
<property name="name">
<cstring>caCurrentMaster</cstring>
</property>
<property name="text">
<cstring></cstring>
</property>
</widget>
<widget class="TQPushButton" row="0" column="3" colspan="2" rowspan="1">
<property name="name">
<cstring>caSetMaster</cstring>
</property>
<property name="text">
<cstring>Promote This Server To CA Master</cstring>
</property>
</widget>
<widget class="TQLabel" row="1" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
@ -194,12 +218,12 @@
<cstring>Certificate Authority:</cstring>
</property>
</widget>
<widget class="TQLabel" row="1" column="0" colspan="1">
<widget class="TQLabel" row="2" column="0" colspan="1">
<property name="name">
<cstring>caExpiryString</cstring>
</property>
</widget>
<widget class="TQPushButton" row="0" column="2" colspan="1" rowspan="2">
<widget class="TQPushButton" row="1" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>caRegenerate</cstring>
</property>
@ -207,7 +231,7 @@
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
<widget class="TQPushButton" row="0" column="3" colspan="1" rowspan="2">
<widget class="TQPushButton" row="1" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>caExportKey</cstring>
</property>
@ -215,7 +239,7 @@
<cstring>Export Private Key</cstring>
</property>
</widget>
<widget class="TQPushButton" row="0" column="4" colspan="1" rowspan="2">
<widget class="TQPushButton" row="1" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>caExportCert</cstring>
</property>
@ -223,7 +247,7 @@
<cstring>Export Public Certificate</cstring>
</property>
</widget>
<widget class="TQLabel" row="2" column="0" colspan="1">
<widget class="TQLabel" row="3" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
@ -231,12 +255,12 @@
<cstring>Kerberos:</cstring>
</property>
</widget>
<widget class="TQLabel" row="3" column="0" colspan="1">
<widget class="TQLabel" row="4" column="0" colspan="1">
<property name="name">
<cstring>krbExpiryString</cstring>
</property>
</widget>
<widget class="TQPushButton" row="2" column="2" colspan="1" rowspan="2">
<widget class="TQPushButton" row="3" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>krbRegenerate</cstring>
</property>
@ -244,7 +268,7 @@
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
<widget class="TQPushButton" row="2" column="3" colspan="1" rowspan="2">
<widget class="TQPushButton" row="3" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>krbExportKey</cstring>
</property>
@ -252,7 +276,7 @@
<cstring>Export Private Key</cstring>
</property>
</widget>
<widget class="TQPushButton" row="2" column="4" colspan="1" rowspan="2">
<widget class="TQPushButton" row="3" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>krbExportCert</cstring>
</property>
@ -260,7 +284,7 @@
<cstring>Export Public Certificate</cstring>
</property>
</widget>
<widget class="TQLabel" row="4" column="0" colspan="1">
<widget class="TQLabel" row="5" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
@ -268,12 +292,12 @@
<cstring>LDAP TLS:</cstring>
</property>
</widget>
<widget class="TQLabel" row="5" column="0" colspan="1">
<widget class="TQLabel" row="6" column="0" colspan="1">
<property name="name">
<cstring>ldapExpiryString</cstring>
</property>
</widget>
<widget class="TQPushButton" row="4" column="2" colspan="1" rowspan="2">
<widget class="TQPushButton" row="5" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>ldapRegenerate</cstring>
</property>
@ -281,7 +305,7 @@
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
<widget class="TQPushButton" row="4" column="3" colspan="1" rowspan="2">
<widget class="TQPushButton" row="5" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>ldapExportKey</cstring>
</property>
@ -289,7 +313,7 @@
<cstring>Export Private Key</cstring>
</property>
</widget>
<widget class="TQPushButton" row="4" column="4" colspan="1" rowspan="2">
<widget class="TQPushButton" row="5" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>ldapExportCert</cstring>
</property>
@ -404,6 +428,27 @@
</widget>
</grid>
</widget>
<widget class="TQGroupBox" row="1" column="0">
<property name="name">
<cstring>groupMultiMasterReplication</cstring>
</property>
<property name="title">
<string>Advanced Replication Settings</string>
</property>
<grid>
<property name="name">
<cstring>unnamed</cstring>
</property>
<widget class="TQCheckBox" row="0" column="0" colspan="1">
<property name="name">
<cstring>ignoreReplicationSSLFailures</cstring>
</property>
<property name="text">
<string>&amp;Ignore SSL Failures</string>
</property>
</widget>
</grid>
</widget>
</grid>
</widget>
</widget>

2
src/primaryrealmwizard/certconfigpagedlg.ui
Unescape View File

@ -203,7 +203,7 @@
<number>25</number>
</property>
<property name="filter">
<cstring>*.key|Private Key (*.key)</cstring>
<cstring>*.key.pem|PKI Private Key (*.key.pem)</cstring>
</property>
</widget>
<widget class="TQLabel" row="13" column="0">

Write Preview
Loading…
Cancel
Save