From 5ac43b8c561ec81617a50c14c0a068b6d137dab9 Mon Sep 17 00:00:00 2001
From: Timothy Pearson <kb9vqf@pearsoncomputing.net>
Date: Sat, 12 Jan 2013 14:58:37 -0600
Subject: [PATCH] Create missing symlink for nss configuration file Clean up
 build warnings and be verbose about configuration failures

---
 src/libtdeldap.cpp | 127 ++++++++++++++++++++++++++++++++++++---------
 1 file changed, 102 insertions(+), 25 deletions(-)

diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index de1ef0f..415a5a7 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -56,6 +56,7 @@
 // This assumes Debian!
 #define LDAP_FILE "/etc/ldap/ldap.conf"
 #define LDAP_SECONDARY_FILE "/etc/ldap.conf"
+#define LDAP_TERTIARY_FILE "/etc/libnss-ldap.conf"
 #define TDELDAP_SUDO_D_FILE "/etc/sudoers.d/tde-realm-admins"
 #define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db"
 
@@ -1019,7 +1020,13 @@ KerberosTicketInfoList LDAPManager::getKerberosTicketList(TQString cache, TQStri
 	TQString global_cachevers;
 
 	TQString line;
-	FILE *output = popen("klist -v 2>&1", "r");
+	FILE *output;
+	if (cache != "") {
+		output = popen((TQString("klist --cache=%1 -v 2>&1").arg(cache)).ascii(), "r");
+	}
+	else {
+		output = popen("klist -v 2>&1", "r");
+	}
 	TQFile f;
 	f.open(IO_ReadOnly, output);
 	TQTextStream stream(&f);
@@ -1496,8 +1503,6 @@ int LDAPManager::addGroupInfo(LDAPGroupInfo group) {
 }
 
 int LDAPManager::addServiceInfo(LDAPServiceInfo service, TQString *errstr) {
-	int retcode;
-	int i;
 	LDAPGroupInfo serviceinfo;
 
 	if (bind() < 0) {
@@ -1907,7 +1912,6 @@ LDAPMachineInfoList LDAPManager::machines(int* mretcode) {
 }
 
 LDAPServiceInfoList LDAPManager::services(int* mretcode) {
-	int retcode;
 	LDAPServiceInfoList services;
 
 	if (bind() < 0) {
@@ -2090,18 +2094,17 @@ int LDAPManager::moveKerberosEntries(TQString newSuffix, TQString* errstr) {
 void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) {
 	KSimpleConfig* systemconfig;
 	TQString m_defaultRealm;
-	int m_ticketLifetime;
 	int m_ldapVersion;
 	int m_ldapTimeout;
 	TQString m_bindPolicy;
 	int m_ldapBindTimeout;
 	TQString m_passwordHash;
 	TQString m_ignoredUsers;
+	TQString command;
 
 	systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
 	systemconfig->setGroup(NULL);
 	m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null);
-	m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400);
 
 	m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3);
 	m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2);
@@ -2134,9 +2137,32 @@ void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) {
 		file.close();
 	}
 
-	chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+	if (chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+		printf("ERROR: Unable to change permissions of \"%s\"\n\r", LDAP_FILE);
+		return;
+	}
 
-	system(TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_SECONDARY_FILE).ascii());
+	// Create symbolic link to secondary LDAP configuration file
+	if (unlink(LDAP_SECONDARY_FILE) < 0) {
+		printf("ERROR: Unable to unlink \"%s\"\n\r", LDAP_SECONDARY_FILE);
+		return;
+	}
+	command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_SECONDARY_FILE);
+	if (system(command) < 0) {
+		printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
+		return;
+	}
+
+	// Create symbolic link to tertiary LDAP configuration file
+	if (unlink(LDAP_TERTIARY_FILE) < 0) {
+		printf("ERROR: Unable to unlink \"%s\"\n\r", LDAP_TERTIARY_FILE);
+		return;
+	}
+	command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_TERTIARY_FILE);
+	if (system(command) < 0) {
+		printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
+		return;
+	}
 
 	delete systemconfig;
 }
@@ -2306,8 +2332,14 @@ int LDAPManager::writeSudoersConfFile(TQString *errstr) {
 		file.close();
 	}
 
-	chown(TDELDAP_SUDO_D_FILE, 0, 0);
-	chmod(TDELDAP_SUDO_D_FILE, S_IRUSR|S_IRGRP);
+	if (chown(TDELDAP_SUDO_D_FILE, 0, 0) < 0) {
+		printf("ERROR: Unable to change owner of \"%s\"\n\r", TDELDAP_SUDO_D_FILE);
+		return -1;
+	}
+	if (chmod(TDELDAP_SUDO_D_FILE, S_IRUSR|S_IRGRP) < 0) {
+		printf("ERROR: Unable to change permissions of \"%s\"\n\r", TDELDAP_SUDO_D_FILE);
+		return -1;
+	}
 
 	return 0;
 }
@@ -2326,7 +2358,10 @@ void LDAPManager::writeCronFiles() {
 		file.close();
 	}
 
-	system(CRON_UPDATE_NSS_COMMAND);
+	if (system(CRON_UPDATE_NSS_COMMAND) < 0) {
+		printf("ERROR: Execution of \"%s\" failed!\n\r", CRON_UPDATE_NSS_COMMAND);
+		return;
+	}
 }
 
 void LDAPManager::writePrimaryRealmCertificateUpdateCronFile() {
@@ -2343,7 +2378,10 @@ void LDAPManager::writePrimaryRealmCertificateUpdateCronFile() {
 		file.close();
 	}
 
-	system(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND);
+	if (system(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND) < 0) {
+		printf("ERROR: Execution of \"%s\" failed!\n\r", CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND);
+		return;
+	}
 }
 
 LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool disableAllBonds) {
@@ -2447,9 +2485,18 @@ int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) {
 	TQString command;
 
 	command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
-	system(command);
-	chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
-	chown(KERBEROS_PKI_PEM_FILE, 0, 0);
+	if (system(command) < 0) {
+		printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
+		return -1;
+	}
+	if (chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+		printf("ERROR: Unable to change permissions of \"%s\"\n\r", KERBEROS_PKI_PEM_FILE);
+		return -1;
+	}
+	if (chown(KERBEROS_PKI_PEM_FILE, 0, 0) < 0) {
+		printf("ERROR: Unable to change owner of \"%s\"\n\r", KERBEROS_PKI_PEM_FILE);
+		return -1;
+	}
 
 	return 0;
 }
@@ -2465,12 +2512,27 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP
 	kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.kdc);
 
 	command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
-	system(command);
+	if (system(command) < 0) {
+		printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
+		return -1;
+	}
 	command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE);
-	system(command);
-	chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
-	chown(kdc_certfile.ascii(), 0, 0);
-	unlink(kdc_reqfile.ascii());
+	if (system(command) < 0) {
+		printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
+		return -1;
+	}
+	if (chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+		printf("ERROR: Unable to change permissions of \"%s\"\n\r", kdc_certfile.ascii());
+		return -1;
+	}
+	if (chown(kdc_certfile.ascii(), 0, 0) < 0) {
+		printf("ERROR: Unable to change owner of \"%s\"\n\r", kdc_certfile.ascii());
+		return -1;
+	}
+	if (unlink(kdc_reqfile.ascii()) < 0) {
+		printf("ERROR: Unable to unlink \"%s\"\n\r", kdc_reqfile.ascii());
+		return -1;
+	}
 
 	return 0;
 }
@@ -2486,12 +2548,27 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal
 	ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server);
 
 	command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress);
-	system(command);
+	if (system(command) < 0) {
+		printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
+		return -1;
+	}
 	command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile);
-	system(command);
-	chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
-	chown(ldap_certfile.ascii(), ldap_uid, ldap_gid);
-	unlink(ldap_reqfile.ascii());
+	if (system(command) < 0) {
+		printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
+		return -1;
+	}
+	if (chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+		printf("ERROR: Unable to change permissions of \"%s\"\n\r", ldap_certfile.ascii());
+		return -1;
+	}
+	if (chown(ldap_certfile.ascii(), ldap_uid, ldap_gid) < 0) {
+		printf("ERROR: Unable to change owner of \"%s\"\n\r", ldap_certfile.ascii());
+		return -1;
+	}
+	if (unlink(ldap_reqfile.ascii()) < 0) {
+		printf("ERROR: Unable to unlink \"%s\"\n\r", ldap_reqfile.ascii());
+		return -1;
+	}
 
 	return 0;
 }