Create missing symlink for nss configuration file

Clean up build warnings and be verbose about configuration failures
pull/1/head
Timothy Pearson 12 years ago
parent 8113210613
commit 5ac43b8c56

@ -56,6 +56,7 @@
// This assumes Debian! // This assumes Debian!
#define LDAP_FILE "/etc/ldap/ldap.conf" #define LDAP_FILE "/etc/ldap/ldap.conf"
#define LDAP_SECONDARY_FILE "/etc/ldap.conf" #define LDAP_SECONDARY_FILE "/etc/ldap.conf"
#define LDAP_TERTIARY_FILE "/etc/libnss-ldap.conf"
#define TDELDAP_SUDO_D_FILE "/etc/sudoers.d/tde-realm-admins" #define TDELDAP_SUDO_D_FILE "/etc/sudoers.d/tde-realm-admins"
#define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db" #define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db"
@ -1019,7 +1020,13 @@ KerberosTicketInfoList LDAPManager::getKerberosTicketList(TQString cache, TQStri
TQString global_cachevers; TQString global_cachevers;
TQString line; TQString line;
FILE *output = popen("klist -v 2>&1", "r"); FILE *output;
if (cache != "") {
output = popen((TQString("klist --cache=%1 -v 2>&1").arg(cache)).ascii(), "r");
}
else {
output = popen("klist -v 2>&1", "r");
}
TQFile f; TQFile f;
f.open(IO_ReadOnly, output); f.open(IO_ReadOnly, output);
TQTextStream stream(&f); TQTextStream stream(&f);
@ -1496,8 +1503,6 @@ int LDAPManager::addGroupInfo(LDAPGroupInfo group) {
} }
int LDAPManager::addServiceInfo(LDAPServiceInfo service, TQString *errstr) { int LDAPManager::addServiceInfo(LDAPServiceInfo service, TQString *errstr) {
int retcode;
int i;
LDAPGroupInfo serviceinfo; LDAPGroupInfo serviceinfo;
if (bind() < 0) { if (bind() < 0) {
@ -1907,7 +1912,6 @@ LDAPMachineInfoList LDAPManager::machines(int* mretcode) {
} }
LDAPServiceInfoList LDAPManager::services(int* mretcode) { LDAPServiceInfoList LDAPManager::services(int* mretcode) {
int retcode;
LDAPServiceInfoList services; LDAPServiceInfoList services;
if (bind() < 0) { if (bind() < 0) {
@ -2090,18 +2094,17 @@ int LDAPManager::moveKerberosEntries(TQString newSuffix, TQString* errstr) {
void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) { void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) {
KSimpleConfig* systemconfig; KSimpleConfig* systemconfig;
TQString m_defaultRealm; TQString m_defaultRealm;
int m_ticketLifetime;
int m_ldapVersion; int m_ldapVersion;
int m_ldapTimeout; int m_ldapTimeout;
TQString m_bindPolicy; TQString m_bindPolicy;
int m_ldapBindTimeout; int m_ldapBindTimeout;
TQString m_passwordHash; TQString m_passwordHash;
TQString m_ignoredUsers; TQString m_ignoredUsers;
TQString command;
systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" )); systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
systemconfig->setGroup(NULL); systemconfig->setGroup(NULL);
m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null); m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null);
m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400);
m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3); m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3);
m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2); m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2);
@ -2134,9 +2137,32 @@ void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) {
file.close(); file.close();
} }
chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); if (chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
printf("ERROR: Unable to change permissions of \"%s\"\n\r", LDAP_FILE);
return;
}
system(TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_SECONDARY_FILE).ascii()); // Create symbolic link to secondary LDAP configuration file
if (unlink(LDAP_SECONDARY_FILE) < 0) {
printf("ERROR: Unable to unlink \"%s\"\n\r", LDAP_SECONDARY_FILE);
return;
}
command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_SECONDARY_FILE);
if (system(command) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
return;
}
// Create symbolic link to tertiary LDAP configuration file
if (unlink(LDAP_TERTIARY_FILE) < 0) {
printf("ERROR: Unable to unlink \"%s\"\n\r", LDAP_TERTIARY_FILE);
return;
}
command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_TERTIARY_FILE);
if (system(command) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
return;
}
delete systemconfig; delete systemconfig;
} }
@ -2306,8 +2332,14 @@ int LDAPManager::writeSudoersConfFile(TQString *errstr) {
file.close(); file.close();
} }
chown(TDELDAP_SUDO_D_FILE, 0, 0); if (chown(TDELDAP_SUDO_D_FILE, 0, 0) < 0) {
chmod(TDELDAP_SUDO_D_FILE, S_IRUSR|S_IRGRP); printf("ERROR: Unable to change owner of \"%s\"\n\r", TDELDAP_SUDO_D_FILE);
return -1;
}
if (chmod(TDELDAP_SUDO_D_FILE, S_IRUSR|S_IRGRP) < 0) {
printf("ERROR: Unable to change permissions of \"%s\"\n\r", TDELDAP_SUDO_D_FILE);
return -1;
}
return 0; return 0;
} }
@ -2326,7 +2358,10 @@ void LDAPManager::writeCronFiles() {
file.close(); file.close();
} }
system(CRON_UPDATE_NSS_COMMAND); if (system(CRON_UPDATE_NSS_COMMAND) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n\r", CRON_UPDATE_NSS_COMMAND);
return;
}
} }
void LDAPManager::writePrimaryRealmCertificateUpdateCronFile() { void LDAPManager::writePrimaryRealmCertificateUpdateCronFile() {
@ -2343,7 +2378,10 @@ void LDAPManager::writePrimaryRealmCertificateUpdateCronFile() {
file.close(); file.close();
} }
system(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND); if (system(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n\r", CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND);
return;
}
} }
LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool disableAllBonds) { LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool disableAllBonds) {
@ -2447,9 +2485,18 @@ int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) {
TQString command; TQString command;
command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
system(command); if (system(command) < 0) {
chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
chown(KERBEROS_PKI_PEM_FILE, 0, 0); return -1;
}
if (chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
printf("ERROR: Unable to change permissions of \"%s\"\n\r", KERBEROS_PKI_PEM_FILE);
return -1;
}
if (chown(KERBEROS_PKI_PEM_FILE, 0, 0) < 0) {
printf("ERROR: Unable to change owner of \"%s\"\n\r", KERBEROS_PKI_PEM_FILE);
return -1;
}
return 0; return 0;
} }
@ -2465,12 +2512,27 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP
kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.kdc); kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.kdc);
command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
system(command); if (system(command) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
return -1;
}
command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE); command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE);
system(command); if (system(command) < 0) {
chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
chown(kdc_certfile.ascii(), 0, 0); return -1;
unlink(kdc_reqfile.ascii()); }
if (chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
printf("ERROR: Unable to change permissions of \"%s\"\n\r", kdc_certfile.ascii());
return -1;
}
if (chown(kdc_certfile.ascii(), 0, 0) < 0) {
printf("ERROR: Unable to change owner of \"%s\"\n\r", kdc_certfile.ascii());
return -1;
}
if (unlink(kdc_reqfile.ascii()) < 0) {
printf("ERROR: Unable to unlink \"%s\"\n\r", kdc_reqfile.ascii());
return -1;
}
return 0; return 0;
} }
@ -2486,12 +2548,27 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal
ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server); ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server);
command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress); command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress);
system(command); if (system(command) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
return -1;
}
command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile); command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile);
system(command); if (system(command) < 0) {
chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
chown(ldap_certfile.ascii(), ldap_uid, ldap_gid); return -1;
unlink(ldap_reqfile.ascii()); }
if (chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
printf("ERROR: Unable to change permissions of \"%s\"\n\r", ldap_certfile.ascii());
return -1;
}
if (chown(ldap_certfile.ascii(), ldap_uid, ldap_gid) < 0) {
printf("ERROR: Unable to change owner of \"%s\"\n\r", ldap_certfile.ascii());
return -1;
}
if (unlink(ldap_reqfile.ascii()) < 0) {
printf("ERROR: Unable to unlink \"%s\"\n\r", ldap_reqfile.ascii());
return -1;
}
return 0; return 0;
} }

Loading…
Cancel
Save