From d6f004658dac16c19a6e4a6109b93b5b52adddc0 Mon Sep 17 00:00:00 2001 From: Timothy Pearson Date: Tue, 25 Aug 2015 11:13:14 -0500 Subject: [PATCH] Allow certificate expiry to be set --- src/libtdeldap.cpp | 41 +++++++++++++++++++++++++++++++++++++---- src/libtdeldap.h | 8 ++++++++ 2 files changed, 45 insertions(+), 4 deletions(-) diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp index 0e551b4..f009297 100644 --- a/src/libtdeldap.cpp +++ b/src/libtdeldap.cpp @@ -2658,7 +2658,6 @@ int LDAPManager::writeCertificateFileIntoDirectory(TQByteArray cert, TQString at TQString LDAPManager::getRealmCAMaster(TQString* errstr) { int retcode; - int i; TQString realmCAMaster; TQString dn = TQString("cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1").arg(m_basedc); @@ -3743,6 +3742,8 @@ LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool di } int LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config, TQString *errstr) { + Q_UNUSED(errstr) + LDAPRealmConfigList::Iterator it; for (it = realms.begin(); it != realms.end(); ++it) { LDAPRealmConfig realmcfg = it.data(); 
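Review bot: `Q_UNUSED(errstr)` in writeTDERealmList only silences the compiler; the function keeps an error out-parameter that it never fills, so a caller checking `*errstr` learns nothing when the realm list could not be written. If the body (which continues outside this hunk) can observe a KSimpleConfig write failure, set `*errstr` there as the later file-writing hunks in this commit do, rather than declaring the parameter unused. The saveClientRealmConfig hunk adds the same `Q_UNUSED(errstr)` and has the same gap.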
@@ -3805,8 +3806,9 @@ TQDateTime LDAPManager::getCertificateExpiration(TQString certfile) { int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) { TQString command; TQString subject; + subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); - command = TQString("openssl req -days %1 -key %2 -new -x509 -out %3 -subj %4").arg(KERBEROS_PKI_PEMKEY_EXPIRY_DAYS).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(subject); + command = TQString("openssl req -days %1 -key %2 -new -x509 -out %3 -subj %4").arg(certinfo.caExpiryDays).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(subject); if (system(command) < 0) { printf("ERROR: Execution of \"%s\" failed!\n", command.ascii()); return -1; @@ -3825,6 +3827,7 @@ int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) { int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg) { TQString command; + TQString subject; TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE; 
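Review bot: The new `subject` line splices every LDAPCertConfig field into a string that the next line hands to `system()`, relying only on the surrounding `"` characters; a double quote, `$` or backtick inside, say, organizationName terminates the quoted argument and the remainder of the value is interpreted by the shell. Invoke openssl without a shell, through a process API that takes the arguments as a separate list, or at minimum pass each field through a shell-quoting helper before `.arg()`; the generatePublicKerberosCertificate and generatePublicLDAPCertificate hunks below build the same `subject` string the same way. The `-days` value also deserves a guard before it reaches the command, e.g. `if (certinfo.caExpiryDays <= 0) return -1;`, since nothing in this hunk prevents a zero or negative expiry.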
@@ -3833,7 +3836,8 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP kdc_keyfile.replace("@@@KDCSERVER@@@", realmcfg.name.lower()); kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.name.lower()); - command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); + subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); + command = TQString("openssl req -days %1 -new -out %2 -key %3 -subj %4").arg(certinfo.kerberosExpiryDays).arg(kdc_reqfile).arg(kdc_keyfile).arg(subject); if (system(command) < 0) { printf("ERROR: Execution of \"%s\" failed!\n", command.ascii()); return -1; @@ -3863,6 +3867,7 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid) { TQString command; + TQString subject; TQString ldap_certfile = LDAP_CERT_FILE; TQString ldap_keyfile = LDAP_CERTKEY_FILE; 
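Review bot: The `-days %1` added to the `openssl req -new` command has no effect on the issued certificate: `openssl req` honours `-days` only together with `-x509` (self-signed output), and this invocation produces a signing request in kdc_reqfile. For kerberosExpiryDays to apply, the validity period has to be passed to the step that signs that request later in the function (outside this hunk, presumably an `openssl x509 -req` or `openssl ca` call), as its `-days` argument. The generatePublicLDAPCertificate hunk below passes ldapExpiryDays to `openssl req -new` in the same way and has the same problem.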
@@ -3871,7 +3876,8 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal ldap_keyfile.replace("@@@ADMINSERVER@@@", realmcfg.name.lower()); ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.name.lower()); - command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress); + subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); + command = TQString("openssl req -days %1 -new -out %2 -key %3 -subj %4").arg(certinfo.ldapExpiryDays).arg(ldap_reqfile).arg(ldap_keyfile).arg(subject); if (system(command) < 0) { printf("ERROR: Execution of \"%s\" failed!\n", command.ascii()); return -1; @@ -3957,6 +3963,8 @@ LDAPClientRealmConfig LDAPManager::loadClientRealmConfig(KSimpleConfig* config, } int LDAPManager::saveClientRealmConfig(LDAPClientRealmConfig clientRealmConfig, KSimpleConfig* config, TQString *errstr) { + Q_UNUSED(errstr) + config->setGroup(NULL); config->writeEntry("EnableLDAP", clientRealmConfig.enable_bonding); config->writeEntry("HostFQDN", clientRealmConfig.hostFQDN); @@ -4030,6 +4038,11 @@ int LDAPManager::writeClientKrb5ConfFile(LDAPClientRealmConfig clientRealmConfig file.close(); } + else { + if (errstr) { + *errstr = i18n("Could not open file '%1' for writing").arg(file.name()); + } + } return 0; } @@ -4058,6 +4071,11 @@ int LDAPManager::writeNSSwitchFile(TQString *errstr) { file.close(); } + else { + if (errstr) { + *errstr = i18n("Could not open file '%1' for writing").arg(file.name()); + } + } return 0; } 
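Review bot: The LDAP server certificate's CN changes silently in this hunk: the removed command put `realmcfg.admin_server` into `CN=%8`, while the new `subject` line uses `.arg(certinfo.commonName)` in that position, so the certificate no longer carries the admin server's hostname and clients that verify the server name against the CN will reject it. Restore the original subject by replacing the sixth argument, `.arg(certinfo.commonName)`, with `.arg(realmcfg.admin_server)` on the new `subject` line.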
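Review bot: The new `else` branch in writeClientKrb5ConfFile reports the open failure in `*errstr` but the function still falls through to `return 0;`, so a caller that checks the return code sees success although the file was never written. Return a failure code from the branch, e.g. `return -1;` right after the `*errstr` assignment, matching the `-1` the certificate generators use on failure. The writeNSSwitchFile hunk below has the identical shape, and the three writePAMFiles hunks additionally keep going after a failure, so a later file's message overwrites the earlier one before the final `return 0;`.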
@@ -4076,6 +4094,11 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) { file.close(); } + else { + if (errstr) { + *errstr = i18n("Could not open file '%1' for writing").arg(file.name()); + } + } TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH); if (file2.open(IO_WriteOnly)) { @@ -4095,6 +4118,11 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) { file2.close(); } + else { + if (errstr) { + *errstr = i18n("Could not open file '%1' for writing").arg(file2.name()); + } + } TQFile file3(PAMD_DIRECTORY PAMD_COMMON_SESSION); if (file3.open(IO_WriteOnly)) { @@ -4126,6 +4154,11 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) { file3.close(); } + else { + if (errstr) { + *errstr = i18n("Could not open file '%1' for writing").arg(file3.name()); + } + } return 0; } diff --git a/src/libtdeldap.h b/src/libtdeldap.h index a1573c7..09db75d 100644 --- a/src/libtdeldap.h +++ b/src/libtdeldap.h @@ -65,6 +65,10 @@ // 1 year #define KERBEROS_PKI_PEMKEY_EXPIRY_DAYS 365 +// 1 month +#define KERBEROS_PKI_KRB_EXPIRY_DAYS 30 +#define KERBEROS_PKI_LDAP_EXPIRY_DAYS 30 + // Values from hdb.asn1 enum LDAPKRB5Flags { KRB5_INITIAL = 0x00000001, @@ -190,6 +194,10 @@ class LDAPCertConfig TQString provided_ldap_crt; TQString provided_ldap_key; + int caExpiryDays; + int kerberosExpiryDays; + int ldapExpiryDays; + TQString countryName; TQString stateOrProvinceName; TQString localityName;
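Review bot: The three new `int` members of LDAPCertConfig have no initializer, and the constructor, if the class has one, is outside this hunk; because caExpiryDays, kerberosExpiryDays and ldapExpiryDays go straight into `-days %1`, any code path that fills LDAPCertConfig without setting them passes an indeterminate value to openssl. Initialise them in the class constructor from the expiry constants, `caExpiryDays = KERBEROS_PKI_PEMKEY_EXPIRY_DAYS;`, `kerberosExpiryDays = KERBEROS_PKI_KRB_EXPIRY_DAYS;`, `ldapExpiryDays = KERBEROS_PKI_LDAP_EXPIRY_DAYS;`. That also gives the two new defines a use; nothing else in this patch references them.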