@ -145,6 +145,18 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
LDAPController : : ~ LDAPController ( ) {
}
void system_safe ( const char * cmdstr ) {
if ( system ( cmdstr ) < 0 ) {
printf ( " [ERROR] System call to '%s' failed! \n \r " , cmdstr ) ;
}
}
void chown_safe ( const char * file , uid_t user , gid_t group ) {
if ( chown ( file , user , group ) < 0 ) {
printf ( " [ERROR] Chown call to '%s' for %d:%d failed! \n \r " , file , user , group ) ;
}
}
void LDAPController : : systemRoleChanged ( ) {
int previousRole = m_prevRole ;
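Review bot: `system_safe` on L4–L8 only reports a negative return from `system()`, which signals that the shell could not be started; a command that runs and exits non-zero (an `rm`, `cp` or `openssl genrsa` that fails) comes back as a positive wait status and is silently treated as success, and because the helper returns void, callers such as L112 and L177 carry on with `chmod`/`chown` on a file the command never produced. Decode the status with `WIFEXITED`/`WEXITSTATUS`, add `strerror(errno)` to both messages, write them to stderr instead of stdout, and return the status so callers can stop on failure; this needs `<sys/wait.h>`, `<cerrno>` and `<cstring>`. In `chown_safe` the `%d` conversions on L11 do not match `uid_t`/`gid_t`, which are unsigned on glibc, so cast to `unsigned long` and print with `%lu`. The `\n \r` tail in both messages looks inverted (`\r\n`, or just `\n`), and both helpers are used only in this file and could be `static`.
```cpp
// Returns the raw wait status from system(), or -1 when the shell could not
// be started, so callers can abort instead of continuing on a missing file.
static int system_safe(const char* cmdstr) {
	int status = system(cmdstr);
	if (status < 0) {
		fprintf(stderr, "[ERROR] System call to '%s' failed: %s\n", cmdstr, strerror(errno));
	}
	else if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
		fprintf(stderr, "[ERROR] System call to '%s' returned status 0x%x\n", cmdstr, status);
	}
	return status;
}

// Returns chown()'s result; the message carries errno so a permission or
// ENOENT failure on a key file is visible in the log.
static int chown_safe(const char* file, uid_t user, gid_t group) {
	int rv = chown(file, user, group);
	if (rv < 0) {
		fprintf(stderr, "[ERROR] Chown call to '%s' for %lu:%lu failed: %s\n",
			file, (unsigned long)user, (unsigned long)group, strerror(errno));
	}
	return rv;
}
```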
@ -264,8 +276,8 @@ void LDAPController::systemRoleChanged() {
pdialog . setStatusMessage ( i18n ( " Purging local configuration... " ) ) ;
tqApp - > processEvents ( ) ;
system ( TQString ( " rm -f %1 " ) . arg ( CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_FILE ) ) ;
system ( TQString ( " rm -rf %1 " ) . arg ( TDE_CERTIFICATE_DIR ) ) ;
system _safe ( TQString ( " rm -f %1 " ) . arg ( CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_FILE ) ) ;
system _safe ( TQString ( " rm -rf %1 " ) . arg ( TDE_CERTIFICATE_DIR ) ) ;
// Write the TDE realm configuration file
LDAPRealmConfigList realms ;
@ -536,7 +548,6 @@ void LDAPController::btnkrbExportCert() {
}
void LDAPController : : btnldapRegenerate ( ) {
struct stat sb ;
uid_t slapd_uid = 0 ;
gid_t slapd_gid = 0 ;
@ -769,7 +780,7 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
// Set permissions
if ( ( userid > 0 ) & & ( groupid > 0 ) ) {
chown ( outfile . ascii ( ) , userid , groupid ) ;
chown _safe ( outfile . ascii ( ) , userid , groupid ) ;
}
}
else {
@ -833,17 +844,17 @@ int LDAPController::controlHeimdalServer(sc_command command, uid_t userid, gid_t
}
if ( command = = SC_PURGE ) {
controlHeimdalServer ( SC_STOP ) ;
system ( " rm -f " + TQString ( LDAP_KEYTAB_FILE ) ) ;
system _safe ( " rm -f " + TQString ( LDAP_KEYTAB_FILE ) ) ;
// FIXME
// This assumes Debian
system ( " rm -f /etc/krb5.keytab " ) ;
system ( " rm -rf /var/lib/heimdal-kdc/* " ) ;
system _safe ( " rm -f /etc/krb5.keytab " ) ;
system _safe ( " rm -rf /var/lib/heimdal-kdc/* " ) ;
}
if ( command = = SC_SETDBPERMS ) {
if ( ( userid > 0 ) & & ( groupid > 0 ) ) {
TQString command ;
command = TQString ( " chgrp %1 " + TQString ( LDAP_KEYTAB_FILE ) ) . arg ( groupid ) ;
system ( command . ascii ( ) ) ;
system _safe ( command . ascii ( ) ) ;
chmod ( LDAP_KEYTAB_FILE , S_IRUSR | S_IWUSR | S_IRGRP ) ;
}
}
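Review bot: In the `SC_SETDBPERMS` branch on L54–L57 a group change on one known file is done by formatting `chgrp %1 <file>` and running it through the shell as root, although the `chown_safe` helper this commit introduces does the same thing directly and reports errors: `chown_safe(LDAP_KEYTAB_FILE, (uid_t)-1, groupid);` (an owner of -1 leaves the uid untouched). The local `TQString command` on L54 also shadows the `sc_command command` parameter tested on L52, which is easy to misread; `TQString cmdline` would avoid it. The same shadowing and shell round-trip recur in the hunk at L72–L90 for `/var/lib/ldap` and `/etc/ldap/slapd.d`, though there the `-R` recursion would need a directory walk rather than a single call. controlHeimdalServer starts before this hunk and ends after it.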
@ -870,8 +881,8 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
controlLDAPServer ( SC_STOP ) ;
// FIXME
// This assumes Debian!
system ( " rm -rf /var/lib/ldap/* " ) ;
system ( " rm -rf /etc/ldap/slapd.d/* " ) ;
system _safe ( " rm -rf /var/lib/ldap/* " ) ;
system _safe ( " rm -rf /etc/ldap/slapd.d/* " ) ;
}
if ( command = = SC_SETDBPERMS ) {
if ( ( userid > 0 ) & & ( groupid > 0 ) ) {
@ -879,21 +890,30 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
// This assumes Debian!
TQString command ;
command = TQString ( " chown -R %1 /var/lib/ldap/* " ) . arg ( userid ) ;
system ( command . ascii ( ) ) ;
system _safe ( command . ascii ( ) ) ;
command = TQString ( " chgrp -R %1 /var/lib/ldap/* " ) . arg ( groupid ) ;
system ( command . ascii ( ) ) ;
system _safe ( command . ascii ( ) ) ;
command = TQString ( " chown -R %1 /etc/ldap/slapd.d/* " ) . arg ( userid ) ;
system ( command . ascii ( ) ) ;
system _safe ( command . ascii ( ) ) ;
command = TQString ( " chgrp -R %1 /etc/ldap/slapd.d/* " ) . arg ( groupid ) ;
system ( command . ascii ( ) ) ;
system _safe ( command . ascii ( ) ) ;
}
}
return - 2 ;
}
// WARNING
// kadmin does not have a standard "waiting for user input" character or sequence
// To make matters worse, the colon does not uniquely designate the end of a line; for example the response "kadmin: ext openldap/foo.bar.baz: Principal does not exist"
// One way around this would be to see if the first colon is part of a "kadmin:" string; if so, then the colon is not a reliable end of line indicator for the current line
// (in fact only '\r' should be used as the end of line indicator in that case)
TQString readFullLineFromPtyProcess ( PtyProcess * proc ) {
TQString result = " " ;
while ( ( ! result . contains ( " \r " ) ) & & ( ! result . contains ( " : " ) ) & & ( ! result . contains ( " > " ) ) ) {
while ( ( ! result . contains ( " \r " ) ) & &
( ! result . contains ( " > " ) ) & &
( ! ( ( ! result . contains ( " kadmin: " ) ) & & result . contains ( " : " ) ) ) & &
( ! ( ( result . contains ( " kadmin: " ) ) & & result . contains ( " \r " ) ) )
) {
result = result + TQString ( proc - > readLine ( false ) ) ;
tqApp - > processEvents ( ) ;
}
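Review bot: The fourth clause of the new loop condition on L102, `!(result.contains("kadmin:") && result.contains("\r"))`, can never change the outcome, because the first clause on L99 already ends the loop as soon as `\r` appears; dropping it leaves the third clause alone to express the rule from the header comment (a bare colon terminates the line only when no `kadmin:` prefix is present). More importantly the loop has no exit when the pty closes: if `proc->readLine(false)` returns an empty string once kadmin has exited, or the prompt matches none of the terminators, the `while` spins forever pumping `tqApp->processEvents()`. Consider breaking out when `readLine` returns nothing (or after a bounded number of empty reads) and letting the caller treat the partial `result` as an error. readFullLineFromPtyProcess continues past the end of the hunk.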
@ -1232,9 +1252,9 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
// Certificate authority certificate
TQString command ;
command = TQString ( " openssl genrsa -out %1 %2 " ) . arg ( KERBEROS_PKI_PEMKEY_FILE ) . arg ( KEY_STRENGTH ) ;
system ( command ) ;
system _safe ( command ) ;
chmod ( KERBEROS_PKI_PEMKEY_FILE , S_IRUSR | S_IWUSR ) ;
chown ( KERBEROS_PKI_PEMKEY_FILE , 0 , 0 ) ;
chown _safe ( KERBEROS_PKI_PEMKEY_FILE , 0 , 0 ) ;
LDAPManager : : generatePublicKerberosCACertificate ( certinfo ) ;
@ -1246,9 +1266,9 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
kdc_keyfile . replace ( " @@@KDCSERVER@@@ " , realmconfig . kdc ) ;
kdc_reqfile . replace ( " @@@KDCSERVER@@@ " , realmconfig . kdc ) ;
command = TQString ( " openssl genrsa -out %1 %2 " ) . arg ( kdc_keyfile ) . arg ( KEY_STRENGTH ) ;
system ( command ) ;
system _safe ( command ) ;
chmod ( kdc_keyfile . ascii ( ) , S_IRUSR | S_IWUSR ) ;
chown ( kdc_keyfile . ascii ( ) , 0 , 0 ) ;
chown _safe ( kdc_keyfile . ascii ( ) , 0 , 0 ) ;
LDAPManager : : generatePublicKerberosCertificate ( certinfo , realmconfig ) ;
@ -1260,9 +1280,9 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
ldap_keyfile . replace ( " @@@ADMINSERVER@@@ " , realmconfig . admin_server ) ;
ldap_reqfile . replace ( " @@@ADMINSERVER@@@ " , realmconfig . admin_server ) ;
command = TQString ( " openssl genrsa -out %1 %2 " ) . arg ( ldap_keyfile ) . arg ( KEY_STRENGTH ) ;
system ( command ) ;
system _safe ( command ) ;
chmod ( ldap_keyfile . ascii ( ) , S_IRUSR | S_IWUSR ) ;
chown ( ldap_keyfile . ascii ( ) , ldap_uid , ldap_gid ) ;
chown _safe ( ldap_keyfile . ascii ( ) , ldap_uid , ldap_gid ) ;
LDAPManager : : generatePublicLDAPCertificate ( certinfo , realmconfig , ldap_uid , ldap_gid ) ;
@ -1356,9 +1376,13 @@ int LDAPController::createNewSecondaryController(TQWidget* dialogparent, LDAPRea
// 2.) Bond machine to Kerberos
// 3.) Set up LDAP replication
// 4.) Point local Kerberos and SASL instances to this LDAP server
return - 1 ;
}
int LDAPController : : createNewLDAPRealm ( TQWidget * dialogparent , LDAPRealmConfig realmconfig , TQString adminUserName , TQString adminGroupName , TQString machineAdminGroupName , TQString standardUserGroupName , const char * adminPassword , TQString rootUserName , const char * rootPassword , TQString adminRealm , LDAPCertConfig certinfo , TQString * errstr ) {
Q_UNUSED ( adminRealm )
int ldifSchemaNumber ;
ProcessingDialog pdialog ( dialogparent ) ;
@ -1453,15 +1477,14 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
// FIXME
// This assumes Debian!
// Grant LDAP access to SASL mux pipe
system ( " dpkg-statoverride --remove --quiet /var/run/saslauthd " ) ;
system ( TQString ( " dpkg-statoverride --add root %1 710 /var/run/saslauthd " ) . arg ( m_ldapGroupName ) . ascii ( ) ) ;
system _safe ( " dpkg-statoverride --remove --quiet /var/run/saslauthd " ) ;
system _safe ( TQString ( " dpkg-statoverride --add root %1 710 /var/run/saslauthd " ) . arg ( m_ldapGroupName ) . ascii ( ) ) ;
// FIXME
// This assumes Debian!
system ( " ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl " ) ;
system ( " ln -s /etc/heimdal-kdc/kdc.conf /var/lib/heimdal-kdc/kdc.conf " ) ;
system _safe ( " ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl " ) ;
system _safe ( " ln -s /etc/heimdal-kdc/kdc.conf /var/lib/heimdal-kdc/kdc.conf " ) ;
struct stat sb ;
uid_t slapd_uid = 0 ;
gid_t slapd_gid = 0 ;
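Review bot: The two `ln -s` calls on L159–L160 fail with EEXIST whenever a realm is created a second time on the same host, so with `system_safe` the user now sees `[ERROR]` output for a benign condition; either `lstat` the link first and skip creation when it exists, or use `ln -sf` if overwriting is the intended behaviour. On L154 `m_ldapGroupName` is interpolated unquoted into a shell line executed as root; if that value can originate from user input it should be validated against a group-name character set, or the command run via fork/exec with an argv, before reaching `dpkg-statoverride`. createNewLDAPRealm's body extends beyond the hunk on both sides.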
@ -1511,7 +1534,7 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
// Set permissions
chmod ( TQString ( HEIMDAL_DEFAULT_FILE ) . ascii ( ) , S_IRUSR | S_IWUSR | S_IRGRP ) ;
chmod ( TQString ( HEIMDAL_ACL_FILE ) . ascii ( ) , S_IRUSR | S_IWUSR | S_IRGRP ) ;
chown ( TQString ( HEIMDAL_ACL_FILE ) . ascii ( ) , slapd_uid , 0 ) ;
chown _safe ( TQString ( HEIMDAL_ACL_FILE ) . ascii ( ) , slapd_uid , 0 ) ;
chmod ( TQString ( destDir + " heimdal-kdc/kdc.conf " ) . ascii ( ) , S_IRUSR | S_IWUSR | S_IRGRP ) ;
chmod ( TQString ( destDir + " krb5.conf " ) . ascii ( ) , S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH ) ;
@ -1552,31 +1575,31 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
// There has GOT to be a better way to do this than system()!!!
TQString command ;
command = TQString ( " cp %1 %2 " ) . arg ( certinfo . provided_kerberos_pem ) . arg ( KERBEROS_PKI_PEMKEY_FILE ) ;
system ( command ) ;
system _safe ( command ) ;
command = TQString ( " cp %1 %2 " ) . arg ( certinfo . provided_kerberos_pemkey ) . arg ( KERBEROS_PKI_PEM_FILE ) ;
system ( command ) ;
system _safe ( command ) ;
command = TQString ( " cp %1 %2 " ) . arg ( certinfo . provided_kerberos_crt ) . arg ( kdc_certfile ) ;
system ( command ) ;
system _safe ( command ) ;
command = TQString ( " cp %1 %2 " ) . arg ( certinfo . provided_kerberos_key ) . arg ( kdc_keyfile ) ;
system ( command ) ;
system _safe ( command ) ;
command = TQString ( " cp %1 %2 " ) . arg ( certinfo . provided_ldap_crt ) . arg ( ldap_certfile ) ;
system ( command ) ;
system _safe ( command ) ;
command = TQString ( " cp %1 %2 " ) . arg ( certinfo . provided_ldap_key ) . arg ( ldap_keyfile ) ;
system ( command ) ;
system _safe ( command ) ;
// Set permissions
chmod ( KERBEROS_PKI_PEMKEY_FILE , S_IRUSR | S_IWUSR ) ;
chown ( KERBEROS_PKI_PEMKEY_FILE , 0 , 0 ) ;
chown _safe ( KERBEROS_PKI_PEMKEY_FILE , 0 , 0 ) ;
chmod ( KERBEROS_PKI_PEM_FILE , S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH ) ;
chown ( KERBEROS_PKI_PEM_FILE , 0 , 0 ) ;
chown _safe ( KERBEROS_PKI_PEM_FILE , 0 , 0 ) ;
chmod ( kdc_keyfile . ascii ( ) , S_IRUSR | S_IWUSR ) ;
chown ( kdc_keyfile . ascii ( ) , 0 , 0 ) ;
chown _safe ( kdc_keyfile . ascii ( ) , 0 , 0 ) ;
chmod ( kdc_certfile . ascii ( ) , S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH ) ;
chown ( kdc_certfile . ascii ( ) , 0 , 0 ) ;
chown _safe ( kdc_certfile . ascii ( ) , 0 , 0 ) ;
chmod ( ldap_keyfile . ascii ( ) , S_IRUSR | S_IWUSR ) ;
chown ( ldap_keyfile . ascii ( ) , slapd_uid , slapd_gid ) ;
chown _safe ( ldap_keyfile . ascii ( ) , slapd_uid , slapd_gid ) ;
chmod ( ldap_certfile . ascii ( ) , S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH ) ;
chown ( ldap_certfile . ascii ( ) , slapd_uid , slapd_gid ) ;
chown _safe ( ldap_certfile . ascii ( ) , slapd_uid , slapd_gid ) ;
}
pdialog . setStatusMessage ( i18n ( " Loading initial database into LDAP... " ) ) ;
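Review bot: The copy on L175 writes `certinfo.provided_kerberos_pem` to `KERBEROS_PKI_PEMKEY_FILE` and the one on L178 writes `certinfo.provided_kerberos_pemkey` to `KERBEROS_PKI_PEM_FILE`; if the field names mean what they say, source and destination are crossed, and the private key ends up in the file given `S_IROTH` on L197 while the certificate gets the 0600 mode on L194 — worth confirming against whatever fills `certinfo`. Independently, the six `cp %1 %2` commands on L175–L192 pass user-provided paths to the shell unquoted, so a path with a space or shell metacharacter breaks the copy, and since `system_safe` only logs, the run then proceeds to `chmod`/`chown` on a file that was never written; opening source and destination with `TQFile` and streaming the bytes avoids the shell altogether, and quoting the arguments is the minimum fix. The enclosing function continues outside the hunk.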