From c1419e3a4c17f30aa504d9277a7750ce0a6b6a5a Mon Sep 17 00:00:00 2001 From: Timothy Pearson Date: Wed, 6 Jun 2012 13:04:14 -0500 Subject: [PATCH] Preferentially use TLS when connecting to LDAP server --- src/ldaplogindlgbase.ui | 8 +++++ src/libtdeldap.cpp | 78 ++++++++++++++++++++++++++++------------- src/libtdeldap.h | 5 +++ 3 files changed, 66 insertions(+), 25 deletions(-) diff --git a/src/ldaplogindlgbase.ui b/src/ldaplogindlgbase.ui index 43ac9b4..a3e855b 100644 --- a/src/ldaplogindlgbase.ui +++ b/src/ldaplogindlgbase.ui @@ -80,6 +80,14 @@ ldapAdminRealm + + + ldapUseTLS + + + Use LDAP TLS to encrypt this connection (recommended) + + diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp index 2bbacf4..47f5057 100644 --- a/src/libtdeldap.cpp +++ b/src/libtdeldap.cpp @@ -19,10 +19,13 @@ ***************************************************************************/ #include +#include #include #include +#include #include +#include #include #include @@ -44,7 +47,7 @@ // FIXME // Connect this to CMake/Automake #define KDE_CONFDIR "/etc/trinity" -#define LDAP_FILE "/etc/ldap.conf" +#define LDAP_FILE "/etc/ldap/ldap.conf" int requested_ldap_version = LDAP_VERSION3; int requested_ldap_auth_method = LDAP_AUTH_SIMPLE; // Is this safe and secure over an untrusted connection? @@ -91,13 +94,21 @@ TQString ldapLikelyErrorCause(int errcode, int location) { TQString ret; if (location == ERRORCAUSE_LOCATION_BIND) { + if (errcode == LDAP_SERVER_DOWN) { + ret = " * LDAP server down
* Invalid LDAP Certificate Authority file on client"; + } if (LDAP_NAME_ERROR(errcode)) { ret = "Unknown user name or incorrect user name format"; } } if (ret != "") { - ret.prepend("

" + i18n("Likely cause") + ":
"); + if (ret.contains("
")) { + ret.prepend("

" + i18n("Potential causes") + ":
"); + } + else { + ret.prepend("

" + i18n("Potential cause") + ":
"); + } } return ret; @@ -109,7 +120,31 @@ printf("[RAJA DEBUG 600.0] In LDAPManager::bind(%p)\n\r", errstr); fflush(stdout return 0; } - int use_secure_connection = 0; + bool using_ldapi = false; + if (m_host.startsWith("ldapi://")) { + using_ldapi = true; + } + bool havepass = false; + if (m_creds || using_ldapi) { + havepass = true; + } + else { +printf("[RAJA DEBUG 660.1] using_ldapi: %d\n\r", using_ldapi); fflush(stdout); + LDAPPasswordDialog passdlg(0); + passdlg.m_base->ldapAdminRealm->setEnabled(false); + passdlg.m_base->ldapAdminRealm->insertItem(m_realm); + passdlg.m_base->ldapUseTLS->setChecked(true); + if (passdlg.exec() == TQDialog::Accepted) { + havepass = true; + if (!m_creds) { + m_creds = new LDAPCredentials(); + m_creds->username = passdlg.m_base->ldapAdminUsername->text(); + m_creds->password = passdlg.m_base->ldapAdminPassword->password(); + m_creds->realm = passdlg.m_base->ldapAdminRealm->currentText(); + m_creds->use_tls = passdlg.m_base->ldapUseTLS->isOn(); + } + } + } TQString uri; if (m_host.contains("://")) { @@ -122,7 +157,7 @@ printf("[RAJA DEBUG 600.0] In LDAPManager::bind(%p)\n\r", errstr); fflush(stdout } } else { - if (use_secure_connection == 1) { + if (m_creds->use_tls) { m_port = LDAP_SECURE_PORT; uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port); } 
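Review bot: The two cause strings added for `LDAP_SERVER_DOWN` (`* LDAP server down`, `* Invalid LDAP Certificate Authority file on client`) are bare literals while the `Potential cause(s)` headings in the same hunk go through `i18n()`, so the bullets will appear untranslated; wrap each cause in `i18n()` as the heading is. Since this is the text a user sees when the new ldaps:// connection fails, the TLS bullet is worth making precise: libldap generally reports a failed TLS handshake on an ldaps:// URI as LDAP_SERVER_DOWN, so something like `* Server certificate could not be verified (wrong CA file on the client, or certificate name does not match the server)` covers the common cases — I can't see the client's TLS verification settings here, so check that wording against how the connection is actually configured. ldapLikelyErrorCause begins before this hunk and its closing brace lies after it.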
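Review bot: `if (m_creds->use_tls)` in the `else` branch (host given without a scheme) dereferences `m_creds` unconditionally, but when the password dialog is cancelled `havepass` stays false and `m_creds` stays NULL, so that line is a null-pointer dereference; the removed `use_secure_connection` local did not have this problem. Read the flag defensively, `bool use_tls = m_creds ? m_creds->use_tls : true;` and test that local here (the same `m_creds->use_tls` read recurs later in bind), or return early when `!havepass` before the URI is built. Unchecking the new box sends the `LDAP_AUTH_SIMPLE` credential over plain `ldap://`, which is exactly what the `Is this safe and secure over an untrusted connection?` comment earlier in the file worries about, so a warning when TLS is off would be appropriate, and unless it is done elsewhere or via ldap.conf (not visible here) the ldaps:// path should also set `LDAP_OPT_X_TLS_REQUIRE_CERT` so the server certificate is actually verified. The `[RAJA DEBUG 660.1]` printf dumping `using_ldapi` to stdout looks like leftover tracing. LDAPManager::bind begins before this hunk and continues past it.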
@@ -148,25 +183,6 @@ printf("[RAJA DEBUG 600.1] URI: %s\n\r", uri.ascii()); fflush(stdout); printf("[RAJA DEBUG 660.0]\n\r"); fflush(stdout); TQString errorString; - bool havepass = false; - if (m_creds) { - havepass = true; - } - else { -printf("[RAJA DEBUG 660.1]\n\r"); fflush(stdout); - LDAPPasswordDialog passdlg(0); - passdlg.m_base->ldapAdminRealm->setEnabled(false); - passdlg.m_base->ldapAdminRealm->insertItem(m_realm); - if (passdlg.exec() == TQDialog::Accepted) { - havepass = true; - if (!m_creds) { - m_creds = new LDAPCredentials(); - m_creds->username = passdlg.m_base->ldapAdminUsername->text(); - m_creds->password = passdlg.m_base->ldapAdminPassword->password(); - m_creds->realm = passdlg.m_base->ldapAdminRealm->currentText(); - } - } - } if (havepass == true) { char* mechanism = NULL; struct berval cred; @@ -175,7 +191,7 @@ printf("[RAJA DEBUG 660.1]\n\r"); fflush(stdout); cred.bv_val = pass.data(); cred.bv_len = pass.length(); printf("[RAJA DEBUG 660.2]\n\r"); fflush(stdout); - if (!uri.startsWith("ldapi://")) { + if (!using_ldapi) { if (!ldap_dn.contains(",")) { // Look for a POSIX account with anonymous bind and the specified account name TQString uri; @@ -184,7 +200,7 @@ printf("[RAJA DEBUG 660.2]\n\r"); fflush(stdout); uri = m_host; } else { - if (use_secure_connection == 1) { + if (m_creds->use_tls) { m_port = LDAP_SECURE_PORT; uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port); } @@ -1398,11 +1414,14 @@ void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) { stream << "bind_policy " << m_bindPolicy.lower() << "\n"; stream << "pam_password " << m_passwordHash.lower() << "\n"; stream << "nss_initgroups_ignoreusers " << m_ignoredUsers << "\n"; + stream << "tls_cacert /etc/trinity/ldap/tde-ca/public/argus5.starlink.edu.ldap.crt" << "\n"; } file.close(); } + chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + delete systemconfig; } 
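Review bot: The new `tls_cacert` line hardcodes `/etc/trinity/ldap/tde-ca/public/argus5.starlink.edu.ldap.crt`, a path containing one specific server's hostname, so every other realm gets a CA reference to a file that will not exist on the client and verification against it cannot succeed; derive the filename from the realm being written (this function receives `realmcfg`, though which field carries the server name is not visible here), built from `KDE_CONFDIR` and that name rather than a literal. The added `chmod(LDAP_FILE, ...)` ignores its return value and appears to run regardless of whether the file was opened and written (the enclosing conditions are outside the hunk); check it, `if (chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) != 0) { /* report */ }`, and keep it on the success path. Mode 0644 is fine as long as nothing secret is written to this file, which is true of the directives visible here. Separately, `bind_policy`, `pam_password` and `nss_initgroups_ignoreusers` are pam_ldap/nss_ldap directives while `LDAP_FILE` now points at `/etc/ldap/ldap.conf`, the OpenLDAP client-library config, so it is worth confirming which consumer this file is meant for. writeLDAPConfFile begins before this hunk.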
@@ -1473,6 +1492,15 @@ TQString LDAPManager::getMachineFQDN() { // // =============================================================================================================== +LDAPCredentials::LDAPCredentials() { + // TQStrings are always initialized to TQString::null, so they don't need initialization here... + use_tls = true; +} + +LDAPCredentials::~LDAPCredentials() { + // +} + LDAPUserInfo::LDAPUserInfo() { // TQStrings are always initialized to TQString::null, so they don't need initialization here... informationValid = false; diff --git a/src/libtdeldap.h b/src/libtdeldap.h index 38ae847..bf0106a 100644 --- a/src/libtdeldap.h +++ b/src/libtdeldap.h @@ -65,10 +65,15 @@ typedef TQValueList GroupList; class LDAPCredentials { + public: + LDAPCredentials(); + ~LDAPCredentials(); + public: TQString username; TQCString password; TQString realm; + bool use_tls; }; // PRIVATE
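Review bot: `~LDAPCredentials()` is empty, so the bind password held in `password` is freed without being overwritten and remains in freed heap memory (and in any core dump) for as long as the allocator leaves it there. Since this destructor is being introduced anyway, clear the buffer first, `password.fill(0);` (assuming TQCString still carries QCString's `fill()`), before the members are destroyed. Defaulting `use_tls` to true in the constructor matches the dialog's checked-by-default box, which is the right direction.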
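Review bot: `use_tls` is added to `LDAPCredentials` without a comment, and what it selects (an ldaps:// connection on `LDAP_SECURE_PORT`, as far as this patch shows, rather than StartTLS on the plain port) is only discoverable from `LDAPManager::bind`; document it at the declaration, `bool use_tls; // connect over ldaps:// (LDAP_SECURE_PORT) instead of plain ldap://; set to true by the constructor`. A one-line note on `password` saying it is a plain in-memory buffer that the class does not scrub would also help whoever next touches credential handling.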