|
|
@ -56,6 +56,7 @@
|
|
|
|
// This assumes Debian!
|
|
|
|
// This assumes Debian!
|
|
|
|
#define LDAP_FILE "/etc/ldap/ldap.conf"
|
|
|
|
#define LDAP_FILE "/etc/ldap/ldap.conf"
|
|
|
|
#define LDAP_SECONDARY_FILE "/etc/ldap.conf"
|
|
|
|
#define LDAP_SECONDARY_FILE "/etc/ldap.conf"
|
|
|
|
|
|
|
|
#define LDAP_TERTIARY_FILE "/etc/libnss-ldap.conf"
|
|
|
|
#define TDELDAP_SUDO_D_FILE "/etc/sudoers.d/tde-realm-admins"
|
|
|
|
#define TDELDAP_SUDO_D_FILE "/etc/sudoers.d/tde-realm-admins"
|
|
|
|
#define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db"
|
|
|
|
#define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db"
|
|
|
|
|
|
|
|
|
|
|
@ -1019,7 +1020,13 @@ KerberosTicketInfoList LDAPManager::getKerberosTicketList(TQString cache, TQStri
|
|
|
|
TQString global_cachevers;
|
|
|
|
TQString global_cachevers;
|
|
|
|
|
|
|
|
|
|
|
|
TQString line;
|
|
|
|
TQString line;
|
|
|
|
FILE *output = popen("klist -v 2>&1", "r");
|
|
|
|
FILE *output;
|
|
|
|
|
|
|
|
if (cache != "") {
|
|
|
|
|
|
|
|
output = popen((TQString("klist --cache=%1 -v 2>&1").arg(cache)).ascii(), "r");
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
else {
|
|
|
|
|
|
|
|
output = popen("klist -v 2>&1", "r");
|
|
|
|
|
|
|
|
}
|
|
|
|
TQFile f;
|
|
|
|
TQFile f;
|
|
|
|
f.open(IO_ReadOnly, output);
|
|
|
|
f.open(IO_ReadOnly, output);
|
|
|
|
TQTextStream stream(&f);
|
|
|
|
TQTextStream stream(&f);
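Review bot: The `cache` argument is spliced into a shell command line at `output = popen((TQString("klist --cache=%1 -v 2>&1").arg(cache)).ascii(), "r");` with no quoting or validation, so a cache name containing shell metacharacters changes what the shell executes; either reject values outside the character set a credential-cache path can legitimately contain before building the string, or run `klist` without a shell (fork/exec with an argv) so the value is passed as one argument. The return value of `popen` is also never checked before `f.open(IO_ReadOnly, output);` in either branch; a NULL `output` should return early, e.g. `if (!output) return KerberosTicketInfoList();` if that is the list's empty value — confirm against the function's other return paths. Neither branch is paired with a `pclose` inside the hunk; if that happens later in the function it is fine, otherwise the child is left unreaped. getKerberosTicketList begins before and continues after this hunk.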
|
|
|
@ -1496,8 +1503,6 @@ int LDAPManager::addGroupInfo(LDAPGroupInfo group) {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int LDAPManager::addServiceInfo(LDAPServiceInfo service, TQString *errstr) {
|
|
|
|
int LDAPManager::addServiceInfo(LDAPServiceInfo service, TQString *errstr) {
|
|
|
|
int retcode;
|
|
|
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
LDAPGroupInfo serviceinfo;
|
|
|
|
LDAPGroupInfo serviceinfo;
|
|
|
|
|
|
|
|
|
|
|
|
if (bind() < 0) {
|
|
|
|
if (bind() < 0) {
|
|
|
@ -1907,7 +1912,6 @@ LDAPMachineInfoList LDAPManager::machines(int* mretcode) {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
LDAPServiceInfoList LDAPManager::services(int* mretcode) {
|
|
|
|
LDAPServiceInfoList LDAPManager::services(int* mretcode) {
|
|
|
|
int retcode;
|
|
|
|
|
|
|
|
LDAPServiceInfoList services;
|
|
|
|
LDAPServiceInfoList services;
|
|
|
|
|
|
|
|
|
|
|
|
if (bind() < 0) {
|
|
|
|
if (bind() < 0) {
|
|
|
@ -2090,18 +2094,17 @@ int LDAPManager::moveKerberosEntries(TQString newSuffix, TQString* errstr) {
|
|
|
|
void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) {
|
|
|
|
void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) {
|
|
|
|
KSimpleConfig* systemconfig;
|
|
|
|
KSimpleConfig* systemconfig;
|
|
|
|
TQString m_defaultRealm;
|
|
|
|
TQString m_defaultRealm;
|
|
|
|
int m_ticketLifetime;
|
|
|
|
|
|
|
|
int m_ldapVersion;
|
|
|
|
int m_ldapVersion;
|
|
|
|
int m_ldapTimeout;
|
|
|
|
int m_ldapTimeout;
|
|
|
|
TQString m_bindPolicy;
|
|
|
|
TQString m_bindPolicy;
|
|
|
|
int m_ldapBindTimeout;
|
|
|
|
int m_ldapBindTimeout;
|
|
|
|
TQString m_passwordHash;
|
|
|
|
TQString m_passwordHash;
|
|
|
|
TQString m_ignoredUsers;
|
|
|
|
TQString m_ignoredUsers;
|
|
|
|
|
|
|
|
TQString command;
|
|
|
|
|
|
|
|
|
|
|
|
systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
|
|
|
|
systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
|
|
|
|
systemconfig->setGroup(NULL);
|
|
|
|
systemconfig->setGroup(NULL);
|
|
|
|
m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null);
|
|
|
|
m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null);
|
|
|
|
m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3);
|
|
|
|
m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3);
|
|
|
|
m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2);
|
|
|
|
m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2);
|
|
|
@ -2134,9 +2137,32 @@ void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) {
|
|
|
|
file.close();
|
|
|
|
file.close();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
|
|
|
|
if (chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Unable to change permissions of \"%s\"\n\r", LDAP_FILE);
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
system(TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_SECONDARY_FILE).ascii());
|
|
|
|
// Create symbolic link to secondary LDAP configuration file
|
|
|
|
|
|
|
|
if (unlink(LDAP_SECONDARY_FILE) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Unable to unlink \"%s\"\n\r", LDAP_SECONDARY_FILE);
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_SECONDARY_FILE);
|
|
|
|
|
|
|
|
if (system(command) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Create symbolic link to tertiary LDAP configuration file
|
|
|
|
|
|
|
|
if (unlink(LDAP_TERTIARY_FILE) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Unable to unlink \"%s\"\n\r", LDAP_TERTIARY_FILE);
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_TERTIARY_FILE);
|
|
|
|
|
|
|
|
if (system(command) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
delete systemconfig;
|
|
|
|
delete systemconfig;
|
|
|
|
}
|
|
|
|
}
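Review bot: `if (unlink(LDAP_SECONDARY_FILE) < 0)` (and the tertiary copy below it) aborts the whole function when the link does not yet exist, which is the normal first-run case, so on a fresh system neither symlink is ever created; the guard should be `if (unlink(LDAP_SECONDARY_FILE) < 0 && errno != ENOENT)`. Every new early `return;` also skips `delete systemconfig;`, leaking the `KSimpleConfig` allocated at the top of writeLDAPConfFile, and because the function is `void` the caller cannot tell that the configuration was only partially written. `if (system(command) < 0)` only detects a failure to spawn the shell, not a non-zero exit from `ln` (or from the commands in the writeCronFiles, writePrimaryRealmCertificateUpdateCronFile, generatePublicKerberosCACertificate, generatePublicKerberosCertificate and generatePublicLDAPCertificate hunks, which use the same test); a status check such as `int rc = system(command); if (rc < 0 || !WIFEXITED(rc) || WEXITSTATUS(rc) != 0)` is needed. Here the shell is not needed at all, since `symlink(2)` does the job in one call with a real error code and no command string; the rewritten section below assumes `<errno.h>`, `<unistd.h>` and `<sys/wait.h>` are already included, which the existing use of `unlink`/`chmod` suggests but does not prove.
```cpp
// … unchanged: write of LDAP_FILE and its chmod check …
// Create symbolic link to secondary LDAP configuration file
if (unlink(LDAP_SECONDARY_FILE) < 0 && errno != ENOENT) {
	printf("ERROR: Unable to unlink \"%s\"\n\r", LDAP_SECONDARY_FILE);
	delete systemconfig;
	return;
}
if (symlink(LDAP_FILE, LDAP_SECONDARY_FILE) < 0) {
	printf("ERROR: Unable to create symbolic link \"%s\"\n\r", LDAP_SECONDARY_FILE);
	delete systemconfig;
	return;
}
// Create symbolic link to tertiary LDAP configuration file
if (unlink(LDAP_TERTIARY_FILE) < 0 && errno != ENOENT) {
	printf("ERROR: Unable to unlink \"%s\"\n\r", LDAP_TERTIARY_FILE);
	delete systemconfig;
	return;
}
if (symlink(LDAP_FILE, LDAP_TERTIARY_FILE) < 0) {
	printf("ERROR: Unable to create symbolic link \"%s\"\n\r", LDAP_TERTIARY_FILE);
	delete systemconfig;
	return;
}
delete systemconfig;
```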
|
|
|
@ -2306,8 +2332,14 @@ int LDAPManager::writeSudoersConfFile(TQString *errstr) {
|
|
|
|
file.close();
|
|
|
|
file.close();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
chown(TDELDAP_SUDO_D_FILE, 0, 0);
|
|
|
|
if (chown(TDELDAP_SUDO_D_FILE, 0, 0) < 0) {
|
|
|
|
chmod(TDELDAP_SUDO_D_FILE, S_IRUSR|S_IRGRP);
|
|
|
|
printf("ERROR: Unable to change owner of \"%s\"\n\r", TDELDAP_SUDO_D_FILE);
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (chmod(TDELDAP_SUDO_D_FILE, S_IRUSR|S_IRGRP) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Unable to change permissions of \"%s\"\n\r", TDELDAP_SUDO_D_FILE);
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
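Review bot: The two new failure paths in writeSudoersConfFile return -1 but never fill in the `TQString *errstr` the function takes (see the hunk header), so the caller only gets a bare error code while the reason goes to stdout via `printf`; set it alongside the print, e.g. `if (errstr) *errstr = TQString("Unable to change owner of \"%1\"").arg(TDELDAP_SUDO_D_FILE);` and likewise for the permissions branch. Between `file.close();` and the `chmod` call the file carries whatever permissions the process umask gave it at creation, so a reader that opens it in that window, or a crash before `chmod`, leaves a sudoers.d file that is not 0440; creating the file with the final mode (an `open(..., O_CREAT, S_IRUSR|S_IRGRP)` plus `fchmod`, or narrowing the umask around the write) removes that window. The order chown-then-chmod is correct, since a chmod before chown could be undone by the ownership change on some filesystems.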
|
|
|
@ -2326,7 +2358,10 @@ void LDAPManager::writeCronFiles() {
|
|
|
|
file.close();
|
|
|
|
file.close();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
system(CRON_UPDATE_NSS_COMMAND);
|
|
|
|
if (system(CRON_UPDATE_NSS_COMMAND) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Execution of \"%s\" failed!\n\r", CRON_UPDATE_NSS_COMMAND);
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void LDAPManager::writePrimaryRealmCertificateUpdateCronFile() {
|
|
|
|
void LDAPManager::writePrimaryRealmCertificateUpdateCronFile() {
|
|
|
@ -2343,7 +2378,10 @@ void LDAPManager::writePrimaryRealmCertificateUpdateCronFile() {
|
|
|
|
file.close();
|
|
|
|
file.close();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
system(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND);
|
|
|
|
if (system(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Execution of \"%s\" failed!\n\r", CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND);
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool disableAllBonds) {
|
|
|
|
LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool disableAllBonds) {
|
|
|
@ -2447,9 +2485,18 @@ int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) {
|
|
|
|
TQString command;
|
|
|
|
TQString command;
|
|
|
|
|
|
|
|
|
|
|
|
command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
|
|
|
|
command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
|
|
|
|
system(command);
|
|
|
|
if (system(command) < 0) {
|
|
|
|
chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
|
|
|
|
printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
|
|
|
|
chown(KERBEROS_PKI_PEM_FILE, 0, 0);
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Unable to change permissions of \"%s\"\n\r", KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (chown(KERBEROS_PKI_PEM_FILE, 0, 0) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Unable to change owner of \"%s\"\n\r", KERBEROS_PKI_PEM_FILE);
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
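Review bot: The `openssl req ... -subj "/C=%3/ST=%4/..."` command is built by substituting `certinfo` fields straight into a shell string, so a field containing a double quote, `$`, backtick or backslash alters the command the shell runs, and a `/` inside a field silently changes the DN structure because `-subj` uses `/` as the RDN separator; the same construction appears in the generatePublicKerberosCertificate and generatePublicLDAPCertificate hunks. Since these values typically arrive from a configuration dialog, validate each field against the characters a DN component may contain before building the string, or invoke `openssl` without a shell (argv via fork/exec) so each field is a single argument. The `if (system(command) < 0)` test shares the exit-status problem noted on the writeLDAPConfFile hunk: a failed `openssl` returns a non-zero status that this check does not see, after which `chmod`/`chown` run against a certificate file that may not exist. generatePublicKerberosCACertificate begins before this hunk.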
|
|
|
@ -2465,12 +2512,27 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP
|
|
|
|
kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.kdc);
|
|
|
|
kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.kdc);
|
|
|
|
|
|
|
|
|
|
|
|
command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
|
|
|
|
command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
|
|
|
|
system(command);
|
|
|
|
if (system(command) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
}
|
|
|
|
command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE);
|
|
|
|
command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE);
|
|
|
|
system(command);
|
|
|
|
if (system(command) < 0) {
|
|
|
|
chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
|
|
|
|
printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
|
|
|
|
chown(kdc_certfile.ascii(), 0, 0);
|
|
|
|
return -1;
|
|
|
|
unlink(kdc_reqfile.ascii());
|
|
|
|
}
|
|
|
|
|
|
|
|
if (chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Unable to change permissions of \"%s\"\n\r", kdc_certfile.ascii());
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (chown(kdc_certfile.ascii(), 0, 0) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Unable to change owner of \"%s\"\n\r", kdc_certfile.ascii());
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (unlink(kdc_reqfile.ascii()) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Unable to unlink \"%s\"\n\r", kdc_reqfile.ascii());
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
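Review bot: When the `openssl x509` command, the `chmod` or the `chown` fails, the function now returns -1 before `unlink(kdc_reqfile.ascii())`, so the certificate request file is left on disk (and a partially written `kdc_certfile` may remain with umask-default permissions); the same ordering exists in the generatePublicLDAPCertificate hunk with `ldap_reqfile`. Removing the request in each failure branch, e.g. `unlink(kdc_reqfile.ascii()); return -1;`, keeps the error paths from leaving stale state behind for the next run. The failure to `unlink` the request after a successful signing is reported as a hard error with `return -1`, which discards an otherwise valid certificate; treating that last step as a warning would better match what the caller cares about. generatePublicKerberosCertificate begins before this hunk.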
|
|
|
@ -2486,12 +2548,27 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal
|
|
|
|
ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server);
|
|
|
|
ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server);
|
|
|
|
|
|
|
|
|
|
|
|
command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress);
|
|
|
|
command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress);
|
|
|
|
system(command);
|
|
|
|
if (system(command) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
}
|
|
|
|
command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile);
|
|
|
|
command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile);
|
|
|
|
system(command);
|
|
|
|
if (system(command) < 0) {
|
|
|
|
chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
|
|
|
|
printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
|
|
|
|
chown(ldap_certfile.ascii(), ldap_uid, ldap_gid);
|
|
|
|
return -1;
|
|
|
|
unlink(ldap_reqfile.ascii());
|
|
|
|
}
|
|
|
|
|
|
|
|
if (chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Unable to change permissions of \"%s\"\n\r", ldap_certfile.ascii());
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (chown(ldap_certfile.ascii(), ldap_uid, ldap_gid) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Unable to change owner of \"%s\"\n\r", ldap_certfile.ascii());
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (unlink(ldap_reqfile.ascii()) < 0) {
|
|
|
|
|
|
|
|
printf("ERROR: Unable to unlink \"%s\"\n\r", ldap_reqfile.ascii());
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|