Preferentially use TLS when connecting to LDAP server

pull/1/head
Timothy Pearson 13 years ago
parent 4ada10136e
commit c1419e3a4c

@ -80,6 +80,14 @@
<cstring>ldapAdminRealm</cstring> <cstring>ldapAdminRealm</cstring>
</property> </property>
</widget> </widget>
<widget class="TQCheckBox" row="4" column="0" colspan="3">
<property name="name">
<cstring>ldapUseTLS</cstring>
</property>
<property name="text">
<string>Use LDAP TLS to encrypt this connection (recommended)</string>
</property>
</widget>
</grid> </grid>
</widget> </widget>
<layoutdefaults spacing="3" margin="6"/> <layoutdefaults spacing="3" margin="6"/>

@ -19,10 +19,13 @@
***************************************************************************/ ***************************************************************************/
#include <sys/types.h> #include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h> #include <sys/socket.h>
#include <netdb.h> #include <netdb.h>
#include <pwd.h>
#include <tqfile.h> #include <tqfile.h>
#include <tqcheckbox.h>
#include <klocale.h> #include <klocale.h>
#include <kmessagebox.h> #include <kmessagebox.h>
@ -44,7 +47,7 @@
// FIXME // FIXME
// Connect this to CMake/Automake // Connect this to CMake/Automake
#define KDE_CONFDIR "/etc/trinity" #define KDE_CONFDIR "/etc/trinity"
#define LDAP_FILE "/etc/ldap.conf" #define LDAP_FILE "/etc/ldap/ldap.conf"
int requested_ldap_version = LDAP_VERSION3; int requested_ldap_version = LDAP_VERSION3;
int requested_ldap_auth_method = LDAP_AUTH_SIMPLE; // Is this safe and secure over an untrusted connection? int requested_ldap_auth_method = LDAP_AUTH_SIMPLE; // Is this safe and secure over an untrusted connection?
@ -91,13 +94,21 @@ TQString ldapLikelyErrorCause(int errcode, int location) {
TQString ret; TQString ret;
if (location == ERRORCAUSE_LOCATION_BIND) { if (location == ERRORCAUSE_LOCATION_BIND) {
if (errcode == LDAP_SERVER_DOWN) {
ret = " * LDAP server down<br> * Invalid LDAP Certificate Authority file on client";
}
if (LDAP_NAME_ERROR(errcode)) { if (LDAP_NAME_ERROR(errcode)) {
ret = "Unknown user name or incorrect user name format"; ret = "Unknown user name or incorrect user name format";
} }
} }
if (ret != "") { if (ret != "") {
ret.prepend("<p>" + i18n("Likely cause") + ":<br>"); if (ret.contains("<br>")) {
ret.prepend("<p>" + i18n("Potential causes") + ":<br>");
}
else {
ret.prepend("<p>" + i18n("Potential cause") + ":<br>");
}
} }
return ret; return ret;
@ -109,7 +120,31 @@ printf("[RAJA DEBUG 600.0] In LDAPManager::bind(%p)\n\r", errstr); fflush(stdout
return 0; return 0;
} }
int use_secure_connection = 0; bool using_ldapi = false;
if (m_host.startsWith("ldapi://")) {
using_ldapi = true;
}
bool havepass = false;
if (m_creds || using_ldapi) {
havepass = true;
}
else {
printf("[RAJA DEBUG 660.1] using_ldapi: %d\n\r", using_ldapi); fflush(stdout);
LDAPPasswordDialog passdlg(0);
passdlg.m_base->ldapAdminRealm->setEnabled(false);
passdlg.m_base->ldapAdminRealm->insertItem(m_realm);
passdlg.m_base->ldapUseTLS->setChecked(true);
if (passdlg.exec() == TQDialog::Accepted) {
havepass = true;
if (!m_creds) {
m_creds = new LDAPCredentials();
m_creds->username = passdlg.m_base->ldapAdminUsername->text();
m_creds->password = passdlg.m_base->ldapAdminPassword->password();
m_creds->realm = passdlg.m_base->ldapAdminRealm->currentText();
m_creds->use_tls = passdlg.m_base->ldapUseTLS->isOn();
}
}
}
TQString uri; TQString uri;
if (m_host.contains("://")) { if (m_host.contains("://")) {
@ -122,7 +157,7 @@ printf("[RAJA DEBUG 600.0] In LDAPManager::bind(%p)\n\r", errstr); fflush(stdout
} }
} }
else { else {
if (use_secure_connection == 1) { if (m_creds->use_tls) {
m_port = LDAP_SECURE_PORT; m_port = LDAP_SECURE_PORT;
uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port); uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port);
} }
@ -148,25 +183,6 @@ printf("[RAJA DEBUG 600.1] URI: %s\n\r", uri.ascii()); fflush(stdout);
printf("[RAJA DEBUG 660.0]\n\r"); fflush(stdout); printf("[RAJA DEBUG 660.0]\n\r"); fflush(stdout);
TQString errorString; TQString errorString;
bool havepass = false;
if (m_creds) {
havepass = true;
}
else {
printf("[RAJA DEBUG 660.1]\n\r"); fflush(stdout);
LDAPPasswordDialog passdlg(0);
passdlg.m_base->ldapAdminRealm->setEnabled(false);
passdlg.m_base->ldapAdminRealm->insertItem(m_realm);
if (passdlg.exec() == TQDialog::Accepted) {
havepass = true;
if (!m_creds) {
m_creds = new LDAPCredentials();
m_creds->username = passdlg.m_base->ldapAdminUsername->text();
m_creds->password = passdlg.m_base->ldapAdminPassword->password();
m_creds->realm = passdlg.m_base->ldapAdminRealm->currentText();
}
}
}
if (havepass == true) { if (havepass == true) {
char* mechanism = NULL; char* mechanism = NULL;
struct berval cred; struct berval cred;
@ -175,7 +191,7 @@ printf("[RAJA DEBUG 660.1]\n\r"); fflush(stdout);
cred.bv_val = pass.data(); cred.bv_val = pass.data();
cred.bv_len = pass.length(); cred.bv_len = pass.length();
printf("[RAJA DEBUG 660.2]\n\r"); fflush(stdout); printf("[RAJA DEBUG 660.2]\n\r"); fflush(stdout);
if (!uri.startsWith("ldapi://")) { if (!using_ldapi) {
if (!ldap_dn.contains(",")) { if (!ldap_dn.contains(",")) {
// Look for a POSIX account with anonymous bind and the specified account name // Look for a POSIX account with anonymous bind and the specified account name
TQString uri; TQString uri;
@ -184,7 +200,7 @@ printf("[RAJA DEBUG 660.2]\n\r"); fflush(stdout);
uri = m_host; uri = m_host;
} }
else { else {
if (use_secure_connection == 1) { if (m_creds->use_tls) {
m_port = LDAP_SECURE_PORT; m_port = LDAP_SECURE_PORT;
uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port); uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port);
} }
@ -1398,11 +1414,14 @@ void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) {
stream << "bind_policy " << m_bindPolicy.lower() << "\n"; stream << "bind_policy " << m_bindPolicy.lower() << "\n";
stream << "pam_password " << m_passwordHash.lower() << "\n"; stream << "pam_password " << m_passwordHash.lower() << "\n";
stream << "nss_initgroups_ignoreusers " << m_ignoredUsers << "\n"; stream << "nss_initgroups_ignoreusers " << m_ignoredUsers << "\n";
stream << "tls_cacert /etc/trinity/ldap/tde-ca/public/argus5.starlink.edu.ldap.crt" << "\n";
} }
file.close(); file.close();
} }
chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
delete systemconfig; delete systemconfig;
} }
@ -1473,6 +1492,15 @@ TQString LDAPManager::getMachineFQDN() {
// //
// =============================================================================================================== // ===============================================================================================================
LDAPCredentials::LDAPCredentials() {
// TQStrings are always initialized to TQString::null, so they don't need initialization here...
use_tls = true;
}
LDAPCredentials::~LDAPCredentials() {
//
}
LDAPUserInfo::LDAPUserInfo() { LDAPUserInfo::LDAPUserInfo() {
// TQStrings are always initialized to TQString::null, so they don't need initialization here... // TQStrings are always initialized to TQString::null, so they don't need initialization here...
informationValid = false; informationValid = false;

@ -65,10 +65,15 @@ typedef TQValueList<gid_t> GroupList;
class LDAPCredentials class LDAPCredentials
{ {
public:
LDAPCredentials();
~LDAPCredentials();
public: public:
TQString username; TQString username;
TQCString password; TQCString password;
TQString realm; TQString realm;
bool use_tls;
}; };
// PRIVATE // PRIVATE

Loading…
Cancel
Save