Move primary realm wizard sources to separate directory

Add cert-updater
pull/1/head
Timothy Pearson 12 years ago
parent 02cfa8d8af
commit ec23f4b717

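--- /dev/null
+++ b/<PATH-NOT-ON-PAGE: cert-updater Makefile.am>
@@ -0,0 +1,10 @@
+INCLUDES= $(all_includes) $(KDE_INCLUDES)/tde
+bin_PROGRAMS = primaryrccertupdater
+primaryrccertupdater_SOURCES = main.cpp
+primaryrccertupdater_METASOURCES = AUTO
+primaryrccertupdater_LDFLAGS = $(all_libraries) $(KDE_RPATH) $(LIB_QT) -lDCOP $(LIB_TDECORE) $(LIB_TDEUI) -ltdefx $(LIB_KIO) -lktexteditor -ltdeldap
+KDE_OPTIONS = nofinal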

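--- /dev/null
+++ b/cert-updater/main.cpp
@@ -0,0 +1,184 @@
+/***************************************************************************
+* Copyright (C) 2012 by Timothy Pearson *
+* kb9vqf@pearsoncomputing.net *
+* *
+* This program is free software; you can redistribute it and/or modify *
+* it under the terms of the GNU General Public License as published by *
+* the Free Software Foundation; either version 2 of the License, or *
+* (at your option) any later version. *
+* *
+* This program is distributed in the hope that it will be useful, *
+* but WITHOUT ANY WARRANTY; without even the implied warranty of *
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+* GNU General Public License for more details. *
+* *
+* You should have received a copy of the GNU General Public License *
+* along with this program; if not, write to the *
+* Free Software Foundation, Inc., *
+* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
+***************************************************************************/
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <kapplication.h>
+#include <kstartupinfo.h>
+#include <kcmdlineargs.h>
+#include <kaboutdata.h>
+#include <ksimpleconfig.h>
+#include <tqdatetime.h>
+#include <tqfile.h>
+#include <libtdeldap.h>
+// FIXME
+// Connect this to CMake/Automake
+#define KDE_CONFDIR "/etc/trinity"
+static const char description[] =
+I18N_NOOP("TDE utility for updating realm certificates");
+static const char version[] = "v0.0.1";
+int uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr) {
+// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+TQFile cafile(KERBEROS_PKI_PEM_FILE);
+if (cafile.open(IO_ReadOnly)) {
+TQByteArray cafiledata = cafile.readAll();
+if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", errstr) != 0) {
+return -1;
+}
+return 0;
+}
+return -1;
+}
+int main(int argc, char *argv[])
+{
+KAboutData aboutData( "primaryrccertupdater", I18N_NOOP("Real Certificate Updater"),
+version, description, KAboutData::License_GPL,
+"(c) 2012, Timothy Pearson");
+aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
+KCmdLineArgs::init( argc, argv, &aboutData );
+KApplication::disableAutoDcopRegistration();
+KApplication app(false, false);
+KStartupInfo::appStarted();
+//======================================================================================================================================================
+//
+// Updater code follows
+//
+//======================================================================================================================================================
+// FIXME
+// This assumes Debian!
+TQString m_ldapUserName = "openldap";
+TQString m_ldapGroupName = "openldap";
+KSimpleConfig* m_systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
+LDAPRealmConfigList m_realmconfig = LDAPManager::readTDERealmList(m_systemconfig, false);
+// Load cert config
+m_systemconfig->setGroup("Certificates");
+LDAPCertConfig m_certconfig;
+m_certconfig.countryName = m_systemconfig->readEntry("countryName");
+m_certconfig.stateOrProvinceName = m_systemconfig->readEntry("stateOrProvinceName");
+m_certconfig.localityName = m_systemconfig->readEntry("localityName");
+m_certconfig.organizationName = m_systemconfig->readEntry("organizationName");
+m_certconfig.orgUnitName = m_systemconfig->readEntry("orgUnitName");
+m_certconfig.commonName = m_systemconfig->readEntry("commonName");
+m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress");
+// Load other defaults
+m_systemconfig->setGroup(NULL);
+TQString m_defaultRealm = m_systemconfig->readEntry("DefaultRealm");
+TQDateTime certExpiry;
+TQDateTime now = TQDateTime::currentDateTime();
+TQDateTime soon = now.addDays(7); // Keep in sync with src/ldapcontroller.cpp
+TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
+kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc);
+TQString ldap_certfile = LDAP_CERT_FILE;
+ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server);
+// Certificate Authority
+if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
+certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
+if (certExpiry >= now) {
+printf("Certificate %s expires %s\n\r", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
+}
+if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+printf("Regenerating certificate %s...\n\r", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
+// RAJA FIXME FIXME FIXME
+LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+TQString realmname = m_defaultRealm.upper();
+LDAPCredentials* credentials = new LDAPCredentials;
+credentials->username = "";
+credentials->password = "";
+credentials->realm = realmname;
+LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+TQString errorstring;
+if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
+printf("[ERROR] Unable to upload new certificate to LDAP server!\n\r%s\n\r", errorstring.ascii()); fflush(stdout);
+}
+delete ldap_mgr;
+}
+}
+else {
+printf("[WARNING] Certificate file %s not found!\n\r", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
+}
+// Kerberos
+if (TQFile::exists(kdc_certfile)) {
+certExpiry = LDAPManager::getCertificateExpiration(kdc_certfile);
+if (certExpiry >= now) {
+printf("Certificate %s expires %s\n\r", kdc_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
+}
+if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+printf("Regenerating certificate %s...\n\r", kdc_certfile.ascii()); fflush(stdout);
+LDAPManager::generatePublicKerberosCertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
+}
+}
+else {
+printf("[WARNING] Certificate file %s not found!\n\r", kdc_certfile.ascii()); fflush(stdout);
+}
+// LDAP
+if (TQFile::exists(ldap_certfile)) {
+certExpiry = LDAPManager::getCertificateExpiration(ldap_certfile);
+if (certExpiry >= now) {
+printf("Certificate %s expires %s\n\r", ldap_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
+}
+if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+printf("Regenerating certificate %s...\n\r", ldap_certfile.ascii()); fflush(stdout);
+uid_t slapd_uid = 0;
+gid_t slapd_gid = 0;
+// Get LDAP user uid/gid
+struct passwd *pwd;
+pwd = getpwnam(m_ldapUserName);
+slapd_uid = pwd->pw_uid;
+slapd_gid = pwd->pw_gid;
+LDAPManager::generatePublicLDAPCertificate(m_certconfig, m_realmconfig[m_defaultRealm], slapd_uid, slapd_gid);
+}
+}
+else {
+printf("[WARNING] Certificate file %s not found!\n\r", ldap_certfile.ascii()); fflush(stdout);
+}
+delete m_systemconfig;
+//======================================================================================================================================================
+return 0;
+}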
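Review bot: `pwd = getpwnam(m_ldapUserName);` in the LDAP branch of main is dereferenced without a null check, so on any system where the hard-coded "openldap" account does not exist (the FIXME above admits the name is Debian-specific) the updater crashes instead of reporting; guard it with `if (!pwd) { printf("[ERROR] LDAP user %s not found!\n\r", m_ldapUserName.ascii()); fflush(stdout); delete m_systemconfig; return 1; }`. Related, main returns 0 even when uploadKerberosCAFileToLDAP fails or a certificate file is missing, so a cron job cannot distinguish a failed run from a successful one; keep a failure flag and return non-zero at the end. The `credentials` object allocated before the LDAPManager is never deleted, unlike the controller's equivalent code in this commit. After the CA is regenerated only the public certificate is written to the directory, whereas the controller also stores the private key under privateRootCertificateKey, so unless LDAPManager::generatePublicKerberosCACertificate updates that entry itself the directory copy of the key appears to go stale after the first automatic rotation — worth confirming. The updater also never reads the realm's generate_certs setting, so it will regenerate a CA the administrator supplied externally; the FIXME added to realmwizard.cpp in this commit flags the same gap.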

@ -4,7 +4,7 @@ objectClass: olcHdbConfig
olcDatabase: {@@@LDIFSCHEMANUMBER@@@}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: @@@REALM_DCNAME@@@
olcAccess: {0}to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags
olcAccess: {0}to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,privateRootCertificateKey
by group/groupOfNames/member.exact="cn=@@@ADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@" write
by dn.base="uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@"
by sockurl.regex="^ldapi:///$" write
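Review bot: Adding privateRootCertificateKey to the `olcAccess: {0}` attribute list (taking the longer line as the new side, consistent with the schema change in this commit) places the CA private key under a rule whose last visible clause, `by sockurl.regex="^ldapi:///$" write`, grants write — and with it read — to any client that can open the local ldapi socket, regardless of bind identity; the cert-updater added in this commit relies on exactly that with empty credentials. Whether other local accounts can read the key then depends solely on the filesystem permissions of the ldapi socket, which this file does not control; if the socket is connectable by any local user, the realm CA private key is readable by any local user. Consider restricting the ldapi clause to the intended peer (OpenLDAP's `peername`-style `by` clauses) or carving the key out into its own rule, and add a comment on the olcAccess line stating that the key's confidentiality rests on the socket permissions. The remaining clauses of this rule continue outside the hunk.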

@ -17,13 +17,15 @@ olcAttributeTypes: {11} ( 1.3.6.1.4.1.99999.1.1.12 NAME 'lastLogon' DESC 'Timest
olcAttributeTypes: {12} ( 1.3.6.1.4.1.99999.1.1.13 NAME 'lastLogoff' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# Used for storing sharable certificates and keys
olcAttributeTypes: {13} ( 1.3.6.1.4.1.99999.1.1.14 NAME 'publicRootCertificate' DESC 'Certificate authority root certificate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )
# Used for storing private certificates and keys
olcAttributeTypes: {14} ( 1.3.6.1.4.1.99999.1.1.15 NAME 'privateRootCertificateKey' DESC 'Certificate authority root private key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )
# Used for storing builtin user/group names
olcAttributeTypes: {14} ( 1.3.6.1.4.1.99999.1.1.15 NAME 'builtinRealmAdminAccount' DESC 'Built-in realm administrative account distinguished name' SUP name )
olcAttributeTypes: {15} ( 1.3.6.1.4.1.99999.1.1.16 NAME 'builtinRealmAdminGroup' DESC 'Built-in realm administrative group distinguished name' SUP name )
olcAttributeTypes: {16} ( 1.3.6.1.4.1.99999.1.1.17 NAME 'builtinMachineAdminGroup' DESC 'Built-in local machine administrative group distinguished name' SUP name )
olcAttributeTypes: {17} ( 1.3.6.1.4.1.99999.1.1.18 NAME 'builtinStandardUserGroup' DESC 'Built-in standard user group distinguished name' SUP name )
olcAttributeTypes: {15} ( 1.3.6.1.4.1.99999.1.1.16 NAME 'builtinRealmAdminAccount' DESC 'Built-in realm administrative account distinguished name' SUP name )
olcAttributeTypes: {16} ( 1.3.6.1.4.1.99999.1.1.17 NAME 'builtinRealmAdminGroup' DESC 'Built-in realm administrative group distinguished name' SUP name )
olcAttributeTypes: {17} ( 1.3.6.1.4.1.99999.1.1.18 NAME 'builtinMachineAdminGroup' DESC 'Built-in local machine administrative group distinguished name' SUP name )
olcAttributeTypes: {18} ( 1.3.6.1.4.1.99999.1.1.19 NAME 'builtinStandardUserGroup' DESC 'Built-in standard user group distinguished name' SUP name )
olcObjectClasses: {0} ( 1.3.6.1.4.1.99999.1.2.1 NAME 'tdeExtendedUserData' SUP top AUXILIARY MAY ( website
URL $ managerName $ secretaryName $ teletexId $ preferredDelivery $ locallyUniqueID $ notes $ pwdLastSet $ badPwdCount $ badPasswordTime $ lastLogon $ lastLogoff ) )
olcObjectClasses: {1} ( 1.3.6.1.4.1.99999.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY tdeBuiltinAccount )
olcObjectClasses: {2} ( 1.3.6.1.4.1.99999.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate ) )
olcObjectClasses: {2} ( 1.3.6.1.4.1.99999.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey ) )
olcObjectClasses: {3} ( 1.3.6.1.4.1.99999.1.2.4 NAME 'tdeBuiltinStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ builtinRealmAdminAccount $ builtinRealmAdminGroup $ builtinMachineAdminGroup $ builtinStandardUserGroup ) )
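Review bot: Inserting privateRootCertificateKey at index {14} shifts the OIDs of the four existing builtin* attribute types (1.3.6.1.4.1.99999.1.1.15 through .18 become .16 through .19, going by the lines that carry the new index numbers). OIDs are meant to be permanent once assigned; a directory already loaded with the previous schema will see the same NAME under a different OID on the next cn=config update, which slapd may reject as a conflicting definition or, worse, accept with attribute values now described by the wrong type. Append the new type after the existing ones with a fresh OID instead of renumbering, e.g. `olcAttributeTypes: {18} ( 1.3.6.1.4.1.99999.1.1.19 NAME 'privateRootCertificateKey' DESC 'Certificate authority root private key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )`, and leave the builtin* lines untouched. The comment above the new type should also point to the olcAccess rule in this commit that is meant to protect it, so the two files are changed together.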

@ -205,7 +205,7 @@ emsdescription: Group
emsplugins: PosixGroup
emsplugins: KerberosGroup
emstype: GroupEntry
gidNumber: 901
gidNumber: 902
objectClass: groupOfNames
objectClass: emsGroup
objectClass: posixGroup

2
debian/control vendored

@ -7,6 +7,6 @@ Standards-Version: 3.8.4
Package: kcontrol-ldap-controller-trinity
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, heimdal-clients, heimdal-kdc, slapd, libsasl2-modules-gssapi-heimdal, sasl2-bin
Depends: ${shlibs:Depends}, ${misc:Depends}, heimdal-clients, heimdal-kdc, slapd, libsasl2-modules-gssapi-heimdal, sasl2-bin, openssl
Description: LDAP realm controller module for the TDE control center
LDAP Controller is a TDE control center module to configure an LDAP Realm Controller

@ -1,13 +1,13 @@
INCLUDES = $(all_includes) $(KDE_INCLUDES)/tde
METASOURCES = AUTO
SUBDIRS = primaryrealmwizard
# Install this plugin in the KDE modules directory
kde_module_LTLIBRARIES = kcm_ldapcontroller.la
kcm_ldapcontroller_la_SOURCES = ldapcontroller.cpp ldapcontrollerconfigbase.ui realmwizard.cpp realmintropagedlg.ui certconfigpagedlg.ui certconfigpage.cpp realmintropage.cpp realmconfigpagedlg.ui realmconfigpage.cpp realmfinishpagedlg.ui realmfinishpage.cpp processingdialog.cpp sha1.cc
kcm_ldapcontroller_la_LIBADD = -lkio $(LIB_TDEUI) -ltdeldap
kcm_ldapcontroller_la_LDFLAGS = -avoid-version -module -no-undefined \
$(all_libraries)
kcm_ldapcontroller_la_SOURCES = ldapcontroller.cpp ldapcontrollerconfigbase.ui processingdialog.cpp sha1.cc
kcm_ldapcontroller_la_LIBADD = primaryrealmwizard/libprimaryrealmwizard.la -lkio $(LIB_TDEUI) -ltdeldap
kcm_ldapcontroller_la_LDFLAGS = -avoid-version -module -no-undefined $(all_libraries)
xdg_apps_DATA = ldapcontroller.desktop

@ -51,9 +51,11 @@
#include "sha1.h"
#include "ldapcontroller.h"
#include "realmwizard.h"
#include "primaryrealmwizard/realmwizard.h"
#include "processingdialog.h"
#include "ldapcontrollerconfigbase.h"
// FIXME
// Connect this to CMake/Automake
#define KDE_CONFDIR "/etc/trinity"
@ -76,6 +78,9 @@
#define KEY_STRENGTH 2048
// RAJA FIXME
// Certificate manager/updater (CLI, callable from crontab) still needs to be written...
typedef KGenericFactory<LDAPController, TQWidget> ldapFactory;
K_EXPORT_COMPONENT_FACTORY( kcm_ldapcontroller, ldapFactory("kcmldapcontroller"))
@ -345,7 +350,7 @@ void LDAPController::load() {
void LDAPController::updateCertDisplay() {
TQDateTime certExpiry;
TQDateTime now = TQDateTime::currentDateTime();
TQDateTime soon = now.addDays(7);
TQDateTime soon = now.addDays(7); // Keep in sync with cert-updater/main.cpp
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc);
@ -397,7 +402,7 @@ void LDAPController::updateCertDisplay() {
}
// LDAP
if (TQFile::exists(kdc_certfile)) {
if (TQFile::exists(ldap_certfile)) {
certExpiry = LDAPManager::getCertificateExpiration(ldap_certfile);
if (certExpiry >= now) {
m_base->ldapExpiryString->setText("Expires " + certExpiry.toString());
@ -435,6 +440,8 @@ void LDAPController::btncaRegenerate() {
KMessageBox::error(0, i18n("<qt>Unable to upload new certificate to LDAP server!<p>%1</qt>").arg(errorstring), i18n("Internal Failure"));
}
delete ldap_mgr;
load();
}
@ -1173,6 +1180,19 @@ int LDAPController::uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString*
return -1;
}
int LDAPController::uploadKerberosCAKeyFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr) {
// Upload the contents of KERBEROS_PKI_PEMKEY_FILE to the LDAP server
TQFile cafile(KERBEROS_PKI_PEMKEY_FILE);
if (cafile.open(IO_ReadOnly)) {
TQByteArray cafiledata = cafile.readAll();
if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "privateRootCertificateKey", errstr) != 0) {
return -1;
}
return 0;
}
return -1;
}
// #define STRICT_SETUP 1
int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) {
@ -1201,7 +1221,6 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
KTempDir configTempDir;
configTempDir.setAutoDelete(true);
configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
TQString destDir = "/etc/";
pdialog.setStatusMessage(i18n("Stopping servers..."));
@ -1486,6 +1505,15 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
return -1;
}
// Upload the contents of KERBEROS_PKI_PEMKEY_FILE to the LDAP server
if (uploadKerberosCAKeyFileToLDAP(ldap_mgr, &errorstring) != 0) {
delete ldap_mgr;
delete credentials;
if (errstr) *errstr = errorstring;
pdialog.closeDialog();
return -1;
}
// Set @@@ADMINUSER@@@ password in kadmin
LDAPCredentials adminuser;
adminuser.username = adminUserName;
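Review bot: `configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME` in the createNewLDAPRealm hunk replaces the previous setAutoDelete(true), so every realm creation now leaves the generated configuration tree behind in a temporary directory; that tree appears to be the staging area for files copied under `/etc/` a few lines later, and given the function receives adminPassword and rootPassword and this commit also uploads the CA private key from KERBEROS_PKI_PEMKEY_FILE, it is likely to hold secrets. Restore `configTempDir.setAutoDelete(true);` before merge, or gate the debug behaviour behind an explicit runtime check rather than a comment. In the later hunk, the new uploadKerberosCAKeyFileToLDAP is a line-for-line copy of uploadKerberosCAFileToLDAP differing only in file path and attribute name, so a single private helper taking both as parameters would remove the duplication; neither variant sets `*errstr` when the file cannot be opened, so the caller's `if (errstr) *errstr = errorstring;` propagates an empty message in that case. createNewLDAPRealm starts and ends outside these hunks.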

@ -34,7 +34,7 @@
#include <libtdeldap.h>
#include "ldapcontrollerconfigbase.h"
class LDAPControllerConfigBase;
enum sc_command {
SC_START,
@ -92,6 +92,7 @@ class LDAPController: public KCModule
int setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr);
int createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmConfig realmconfig, uid_t ldap_uid, gid_t ldap_gid);
int uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr=0);
int uploadKerberosCAKeyFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr=0);
private:
KAboutData *myAboutData;

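--- /dev/null
+++ b/<PATH-NOT-ON-PAGE: primaryrealmwizard Makefile.am>
@@ -0,0 +1,5 @@
+INCLUDES = $(all_includes) $(KDE_INCLUDES)/tde -I$(top_srcdir)/src
+METASOURCES = AUTO
+noinst_LTLIBRARIES = libprimaryrealmwizard.la
+libprimaryrealmwizard_la_SOURCES = realmwizard.cpp realmintropagedlg.ui certconfigpagedlg.ui certconfigpage.cpp realmintropage.cpp realmconfigpagedlg.ui realmconfigpage.cpp realmfinishpagedlg.ui realmfinishpage.cpp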

@ -152,6 +152,9 @@ void RealmWizard::next() {
}
else if (currentPage()==certpage) {
// Save certificate information
// RAJA FIXME
// If generate_certs == false, we need to load m_certconfig structure with data from the provided certificate!
// If this is not done, the automatic certificate updater will fail!!!
m_certconfig.generate_certs = certpage->generateKeysEnabled->isOn();
m_certconfig.provided_kerberos_pem = certpage->kerberosPEM->url();
m_certconfig.provided_kerberos_pemkey = certpage->kerberosPEMKEY->url();

@ -1,4 +1,5 @@
acl-updater
cert-updater
confskel
doc
po
