|
|
|
@ -26,6 +26,7 @@
|
|
|
|
|
|
|
|
|
|
#include <tqfile.h>
|
|
|
|
|
#include <tqcheckbox.h>
|
|
|
|
|
#include <kapplication.h>
|
|
|
|
|
|
|
|
|
|
#include <klocale.h>
|
|
|
|
|
#include <kmessagebox.h>
|
|
|
|
@ -82,6 +83,23 @@ LDAPManager::~LDAPManager() {
|
|
|
|
|
unbind(true);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
TQString LDAPManager::ldapdnForRealm(TQString realm) {
|
|
|
|
|
TQStringList domainChunks = TQStringList::split(".", realm.lower());
|
|
|
|
|
TQString basedc = "dc=" + domainChunks.join(",dc=");
|
|
|
|
|
return basedc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
TQString LDAPManager::cnFromDn(TQString dn) {
|
|
|
|
|
int eqpos = dn.find("=")+1;
|
|
|
|
|
int cmpos = dn.find(",", eqpos);
|
|
|
|
|
if ((eqpos < 0) || (cmpos < 0)) {
|
|
|
|
|
return dn;
|
|
|
|
|
}
|
|
|
|
|
dn.truncate(cmpos);
|
|
|
|
|
dn.remove(0, eqpos);
|
|
|
|
|
return dn;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
TQString LDAPManager::basedn() {
|
|
|
|
|
return m_basedc;
|
|
|
|
|
}
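Review bot: In `cnFromDn` the guard `eqpos < 0` can never fire because the `+1` is applied before the test (L113 vs L125), so a DN with no `=` but with a comma is silently truncated at the first comma, and a single-RDN value such as `cn=foo` (no comma) is returned untouched with its attribute type still attached. Compute the position before adjusting it: `int eqpos = dn.find("="); if (eqpos < 0) return dn; eqpos++;`, and treat a missing comma as "take the rest of the string" rather than bailing out. A plain `find(",")` also splits on an escaped comma inside an RDN value (`\,`), which the function's header comment should state so callers do not rely on it for multi-valued or escaped DNs. `ldapdnForRealm` joins the realm labels into `dc=` components without escaping DN-special characters; if `realm` can originate from user input, it should be validated before being used as a base DN.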
|
|
|
|
@ -829,6 +847,87 @@ int LDAPManager::updateUserInfo(LDAPUserInfo user) {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
TQString readFullLineFromPtyProcess(PtyProcess* proc) {
|
|
|
|
|
TQString result = "";
|
|
|
|
|
while ((!result.contains("\n")) && (!result.contains(":")) && (!result.contains(">"))) {
|
|
|
|
|
result = result + TQString(proc->readLine(false));
|
|
|
|
|
tqApp->processEvents();
|
|
|
|
|
}
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int LDAPManager::setPasswordForUser(LDAPUserInfo user, TQString *errstr) {
|
|
|
|
|
if (user.new_password == "") {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
LDAPCredentials admincreds = currentLDAPCredentials();
|
|
|
|
|
|
|
|
|
|
// RAJA FIXME
|
|
|
|
|
// How to handle GSSAPI auth?
|
|
|
|
|
|
|
|
|
|
TQCString command = "kadmin";
|
|
|
|
|
QCStringList args;
|
|
|
|
|
if (m_host.startsWith("ldapi://")) {
|
|
|
|
|
args << TQCString("-l") << TQCString("-r") << TQCString(admincreds.realm.upper());
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
args << TQCString("-p") << TQCString(admincreds.username.lower()+"@"+(admincreds.realm.upper())) << TQCString("-r") << TQCString(admincreds.realm.upper());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
TQString prompt;
|
|
|
|
|
PtyProcess kadminProc;
|
|
|
|
|
kadminProc.exec(command, args);
|
|
|
|
|
prompt = kadminProc.readLine(true);
|
|
|
|
|
prompt = prompt.stripWhiteSpace();
|
|
|
|
|
if (prompt == "kadmin>") {
|
|
|
|
|
kadminProc.writeLine(TQCString("passwd "+user.name), true);
|
|
|
|
|
prompt = kadminProc.readLine(true); // Discard our own input
|
|
|
|
|
prompt = readFullLineFromPtyProcess(&kadminProc);
|
|
|
|
|
prompt = prompt.stripWhiteSpace();
|
|
|
|
|
if ((prompt.endsWith(" Password:")) && (prompt.startsWith(TQString(user.name + "@")))) {
|
|
|
|
|
kadminProc.writeLine(user.new_password, true);
|
|
|
|
|
prompt = kadminProc.readLine(true); // Discard our own input
|
|
|
|
|
prompt = kadminProc.readLine(true);
|
|
|
|
|
prompt = prompt.stripWhiteSpace();
|
|
|
|
|
if ((prompt.endsWith(" Password:")) && (prompt.startsWith("Verify"))) {
|
|
|
|
|
kadminProc.writeLine(user.new_password, true);
|
|
|
|
|
prompt = kadminProc.readLine(true); // Discard our own input
|
|
|
|
|
prompt = kadminProc.readLine(true);
|
|
|
|
|
prompt = prompt.stripWhiteSpace();
|
|
|
|
|
}
|
|
|
|
|
if (prompt.endsWith(" Password:")) {
|
|
|
|
|
kadminProc.writeLine(admincreds.password, true);
|
|
|
|
|
prompt = kadminProc.readLine(true); // Discard our own input
|
|
|
|
|
prompt = kadminProc.readLine(true);
|
|
|
|
|
prompt = prompt.stripWhiteSpace();
|
|
|
|
|
}
|
|
|
|
|
if (prompt != "kadmin>") {
|
|
|
|
|
if (errstr) *errstr = prompt;
|
|
|
|
|
kadminProc.writeLine("quit", true);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Success!
|
|
|
|
|
kadminProc.writeLine("quit", true);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
else if (prompt == "kadmin>") {
|
|
|
|
|
// Success!
|
|
|
|
|
kadminProc.writeLine("quit", true);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Failure
|
|
|
|
|
if (errstr) *errstr = prompt;
|
|
|
|
|
kadminProc.writeLine("quit", true);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
|
|
|
|
|
return 1; // Failure
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int LDAPManager::updateGroupInfo(LDAPGroupInfo group) {
|
|
|
|
|
int retcode;
|
|
|
|
|
int i;
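Review bot: `setPasswordForUser` writes `"passwd " + user.name` as one line into an admin-authenticated interactive kadmin session (L411) without checking the name for whitespace or control characters, so a name carrying a newline would be read by kadmin as a second command; reject such names before `exec`: `if (user.name.contains(TQRegExp("\\s"))) { if (errstr) *errstr = "Invalid principal name"; return 1; }` (the `admincreds` fields spliced into the argument list on L358 deserve the same check). `readFullLineFromPtyProcess` (L212) loops until it sees `\n`, `:` or `>` with no other exit condition, so if kadmin exits or prints something unexpected the GUI spins in `processEvents()` forever; the rewrite below bounds the wait with a `TQTime` deadline (tqdatetime.h) so the caller falls through to its `prompt != "kadmin>"` failure path. The `// Discard our own input` reads after each password write (L447, L477, L513) assume the pty echoes the password line back; if kadmin turns echo off at password prompts, that read would instead consume the next prompt — worth confirming against the kadmin build in use. Calling `tqApp->processEvents()` from inside this loop also lets the user start another LDAP operation while the admin kadmin session is open, which the function's header comment should mention.
```cpp
TQString readFullLineFromPtyProcess(PtyProcess* proc) {
	TQString result = "";
	// Bound the wait so a dead or silent kadmin cannot hang the event loop;
	// the caller treats anything that is not the "kadmin>" prompt as failure.
	const int timeoutMs = READ_TIMEOUT_MS; // placeholder: pick a project-wide value
	TQTime deadline;
	deadline.start();
	while ((!result.contains("\n")) && (!result.contains(":")) && (!result.contains(">"))) {
		if (deadline.elapsed() > timeoutMs) {
			break;
		}
		result = result + TQString(proc->readLine(false));
		tqApp->processEvents();
	}
	return result;
}
```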
|
|
|
|
@ -913,7 +1012,7 @@ int LDAPManager::addUserInfo(LDAPUserInfo user) {
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
// Create the base DN entry
|
|
|
|
|
int number_of_parameters = 13; // 13 primary attributes
|
|
|
|
|
int number_of_parameters = 14; // 14 primary attributes
|
|
|
|
|
LDAPMod *mods[number_of_parameters+1];
|
|
|
|
|
for (i=0;i<number_of_parameters;i++) {
|
|
|
|
|
mods[i] = new LDAPMod;
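Review bot: The new count on `int number_of_parameters = 14;` must be kept in step by hand with the `mods[i]` assignments that follow outside this hunk, and nothing here says which attribute became the 14th; the comment should name it, e.g. `// 14 primary attributes (objectClass, ..., <new attribute — placeholder>)`, so the next addition does not leave a slot unset or overrun the array. `LDAPMod *mods[number_of_parameters+1]` is a variable-length array, a GNU extension in C++; since the size is a compile-time constant, declaring it `const int` (or an `enum`) makes the array standard-conforming and lets the compiler check the bound. The enclosing function `addUserInfo` starts and ends outside the hunk.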
|
|
|
|
@ -1644,6 +1743,45 @@ void LDAPManager::writeCronFiles() {
|
|
|
|
|
system(CRON_UPDATE_NSS_COMMAND);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool disableAllBonds) {
|
|
|
|
|
LDAPRealmConfigList realms;
|
|
|
|
|
|
|
|
|
|
TQStringList cfgRealms = config->groupList();
|
|
|
|
|
for (TQStringList::Iterator it(cfgRealms.begin()); it != cfgRealms.end(); ++it) {
|
|
|
|
|
if ((*it).startsWith("LDAPRealm-")) {
|
|
|
|
|
config->setGroup(*it);
|
|
|
|
|
TQString realmName=*it;
|
|
|
|
|
realmName.remove(0,strlen("LDAPRealm-"));
|
|
|
|
|
if (!realms.contains(realmName)) {
|
|
|
|
|
// Read in realm data
|
|
|
|
|
LDAPRealmConfig realmcfg;
|
|
|
|
|
realmcfg.name = realmName;
|
|
|
|
|
if (!disableAllBonds) {
|
|
|
|
|
realmcfg.bonded = config->readBoolEntry("bonded");
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
realmcfg.bonded = false;
|
|
|
|
|
}
|
|
|
|
|
realmcfg.uid_offset = config->readNumEntry("uid_offset");
|
|
|
|
|
realmcfg.gid_offset = config->readNumEntry("gid_offset");
|
|
|
|
|
realmcfg.domain_mappings = config->readListEntry("domain_mappings");
|
|
|
|
|
realmcfg.kdc = config->readEntry("kdc");
|
|
|
|
|
realmcfg.kdc_port = config->readNumEntry("kdc_port");
|
|
|
|
|
realmcfg.admin_server = config->readEntry("admin_server");
|
|
|
|
|
realmcfg.admin_server_port = config->readNumEntry("admin_server_port");
|
|
|
|
|
realmcfg.pkinit_require_eku = config->readBoolEntry("pkinit_require_eku");
|
|
|
|
|
realmcfg.pkinit_require_krbtgt_otherName = config->readBoolEntry("pkinit_require_krbtgt_otherName");
|
|
|
|
|
realmcfg.win2k_pkinit = config->readBoolEntry("win2k_pkinit");
|
|
|
|
|
realmcfg.win2k_pkinit_require_binding = config->readBoolEntry("win2k_pkinit_require_binding");
|
|
|
|
|
// Add realm to list
|
|
|
|
|
realms.insert(realmName, realmcfg);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return realms;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config) {
|
|
|
|
|
LDAPRealmConfigList::Iterator it;
|
|
|
|
|
for (it = realms.begin(); it != realms.end(); ++it) {
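Review bot: `readTDERealmList` calls `config->setGroup(*it)` for every matching group (L817) and never restores the previous group, so the caller's `KSimpleConfig` is left positioned on the last `LDAPRealm-` group as a side effect; either save and restore the current group around the loop or state this in the function's header comment. The function has no header comment; a suggested one: `// Reads every "LDAPRealm-<name>" group of config into an LDAPRealmConfig keyed by name; when disableAllBonds is set, bonded is forced to false regardless of the stored value.` Keys missing from a group come back as the KConfig defaults (0, false, empty), which callers that compare against those values should be told. `writeTDERealmList` continues outside the hunk.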
|
|
|
|
@ -1713,6 +1851,48 @@ int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg) {
|
|
|
|
|
TQString command;
|
|
|
|
|
|
|
|
|
|
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
|
|
|
|
|
TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE;
|
|
|
|
|
TQString kdc_reqfile = KERBEROS_PKI_KDCREQ_FILE;
|
|
|
|
|
kdc_certfile.replace("@@@KDCSERVER@@@", realmcfg.kdc);
|
|
|
|
|
kdc_keyfile.replace("@@@KDCSERVER@@@", realmcfg.kdc);
|
|
|
|
|
kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.kdc);
|
|
|
|
|
|
|
|
|
|
command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
|
|
|
|
|
system(command);
|
|
|
|
|
command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE);
|
|
|
|
|
system(command);
|
|
|
|
|
chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
|
|
|
|
|
chown(kdc_certfile.ascii(), 0, 0);
|
|
|
|
|
unlink(kdc_reqfile.ascii());
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid) {
|
|
|
|
|
TQString command;
|
|
|
|
|
|
|
|
|
|
TQString ldap_certfile = LDAP_CERT_FILE;
|
|
|
|
|
TQString ldap_keyfile = LDAP_CERTKEY_FILE;
|
|
|
|
|
TQString ldap_reqfile = LDAP_CERTREQ_FILE;
|
|
|
|
|
ldap_certfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server);
|
|
|
|
|
ldap_keyfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server);
|
|
|
|
|
ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server);
|
|
|
|
|
|
|
|
|
|
command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress);
|
|
|
|
|
system(command);
|
|
|
|
|
command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile);
|
|
|
|
|
system(command);
|
|
|
|
|
chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
|
|
|
|
|
chown(ldap_certfile.ascii(), ldap_uid, ldap_gid);
|
|
|
|
|
unlink(ldap_reqfile.ascii());
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
TQString LDAPManager::getMachineFQDN() {
|
|
|
|
|
struct addrinfo hints, *info, *p;
|
|
|
|
|
int gai_result;
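Review bot: Both new functions pass a shell command to `system()` whose `-subj` string is built from `certinfo.countryName`, `stateOrProvinceName`, `localityName`, `organizationName`, `orgUnitName`, `commonName`/`emailAddress` and `realmcfg.kdc`/`admin_server` (L1111, L1123, L1233, L1245) without any escaping, so a double quote, `$`, backtick or `;` in one of those fields ends the quoted subject and the rest is interpreted by the shell with this process's privileges (it chowns to root on L1141, so presumably root). Run openssl without a shell, passing each argument separately (KProcess or fork/exec), or at least reject subject fields containing anything outside the characters a DN component needs before building the command. The return values of `system()`, `chmod` and `chown` are discarded and both functions unconditionally `return 0`, so a failed openssl step is reported as success; at minimum `if (system(command) != 0) return 1;` after each invocation. The `@@@KDCSERVER@@@`/`@@@ADMINSERVER@@@` substitutions also flow into the paths given to `chmod`, `chown` and `unlink`, so those realm fields deserve the same validation (no `/`, `..` or whitespace).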
|
|
|
|
|