author | Timothy Pearson <kb9vqf@pearsoncomputing.net> | 2015-09-18 17:50:49 -0500 |
---|---|---|
committer | Timothy Pearson <kb9vqf@pearsoncomputing.net> | 2015-09-18 17:50:49 -0500 |
commit | 5f90079891a07dc451111174baa8ca8a625d460e (patch) | |
tree | 760db1c34d2ccfd37ac2ecc9afd2c9812f832d7b | |
parent | c14f2f4613cc75a6dd5ec0d1eebff9c855e40c46 (diff) | |
download | kcmldap-5f90079891a07dc451111174baa8ca8a625d460e.tar.gz kcmldap-5f90079891a07dc451111174baa8ca8a625d460e.zip |
Add PKCS login setup controls
-rw-r--r-- | cert-updater/main.cpp | 27 | ||||
-rw-r--r-- | src/ldapbonding.cpp | 14 | ||||
-rw-r--r-- | src/ldapconfigbase.ui | 35 |
3 files changed, 72 insertions, 4 deletions
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index 78ad0dc..354d9de 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -155,6 +155,7 @@ int main(int argc, char *argv[])
 int prevSecondsToExpiry = (7*24*60*60);
 while (1) {
+ bool newCertDownloaded = false;
 bool allDownloadsOK = true;
 TQDateTime now = TQDateTime::currentDateTime();
 TQDateTime earliestCertExpiry = now.addDays(14);
 // Recheck every 7 days regardless of last expiry check results
@@ -174,7 +175,10 @@ int main(int argc, char *argv[])
 printf("[INFO] Certificate %s expires %s\n", certificateFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
 }
 if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
- if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
+ if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) == 0) {
+ newCertDownloaded = true;
+ }
+ else {
 allDownloadsOK = false;
 }
 }
@@ -185,7 +189,10 @@ int main(int argc, char *argv[])
 else {
 mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
 mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
- if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
+ if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) == 0) {
+ newCertDownloaded = true;
+ }
+ else {
 allDownloadsOK = false;
 }
 }
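Review bot: The success/failure bookkeeping added around `get_certificate_from_server()` is now the same four-line block at four call sites (the hunks at -174 and -185 here and at -196 and -207 on the following line), which invites the two flags drifting apart on the next edit. A small `static` helper taking the object name, the target file, `realmcfg` and the two flags by reference, so that each site reads `fetch_and_record("publicRootCertificate", certificateFileName, realmcfg, newCertDownloaded, allDownloadsOK);`, would keep the "new file written" / "some download failed" policy in one place. The enclosing `main()` loop begins before and continues after these hunks.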
@@ -196,7 +203,10 @@ int main(int argc, char *argv[])
 printf("[INFO] CRL %s expires %s\n", crlFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
 }
 if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
- if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+ if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) == 0) {
+ newCertDownloaded = true;
+ }
+ else {
 allDownloadsOK = false;
 }
 }
@@ -207,10 +217,19 @@ int main(int argc, char *argv[])
 else {
 mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
 mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
- if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+ if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) == 0) {
+ newCertDownloaded = true;
+ }
+ else {
 allDownloadsOK = false;
 }
 }
+
+ if (newCertDownloaded) {
+ if (LDAPManager::rehashClientPKCSCertificates() != 0) {
+ printf("[WARNING] Unable to rehash client PKCS certificates\n"); fflush(stdout);
+ }
+ }
 }
 immediate = false;
diff --git a/src/ldapbonding.cpp b/src/ldapbonding.cpp
index bf20050..abe4e95 100644
--- a/src/ldapbonding.cpp
+++ b/src/ldapbonding.cpp
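Review bot: In the second hunk the rehash runs only in the iteration that set `newCertDownloaded`, and a non-zero return from `LDAPManager::rehashClientPKCSCertificates()` produces a single warning with no retry, so a failed rehash leaves the freshly downloaded root certificate or CRL in a state the PKCS#11 login path presumably does not see until the next download triggers another attempt; the sleep logic is outside the hunk, but the first hunk on the previous line initialises `prevSecondsToExpiry` to seven days, so that gap can be long. If the failure can be transient, a `bool rehashPending` declared before `while (1)` and cleared only on a successful rehash would retry on every pass and also warn each time, which is a better signal for whoever reads the log. Rejecting or re-fetching on a failed download is a separate question and the existing `allDownloadsOK` flag already covers it. `main()` continues outside this hunk.
```cpp
	bool rehashPending = false;
	while (1) {
		bool newCertDownloaded = false;
		// … unchanged: expiry checks and downloads …
		if (newCertDownloaded) {
			rehashPending = true;
		}
		// Retry until the downloaded files are actually rehashed, not just once.
		if (rehashPending) {
			if (LDAPManager::rehashClientPKCSCertificates() == 0) {
				rehashPending = false;
			}
			else {
				printf("[WARNING] Unable to rehash client PKCS certificates\n"); fflush(stdout);
			}
		}
```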
@@ -102,6 +102,9 @@ LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&)
 connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
 connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed()));
+ connect(base->pamEnablePKCS11Logons, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
+ connect(base->pamEnablePKCS11Logons, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
+ connect(base->pamPKCS11LoginCardSlot, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
 connect(base->pamEnableCachedLogons, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
 connect(base->pamCreateHomeDirectory, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
 connect(base->pamCreateHomeDirectory, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
@@ -165,6 +168,8 @@ void LDAPConfig::load(bool useDefaults )
 }
 base->ignoredUsers->setText(m_clientRealmConfig.ignoredUsers);
+ base->pamEnablePKCS11Logons->setChecked(m_clientRealmConfig.pamConfig.enable_pkcs11_login);
+ base->pamPKCS11LoginCardSlot->setValue(m_clientRealmConfig.pamConfig.pkcs11_login_card_slot);
 base->pamEnableCachedLogons->setChecked(m_clientRealmConfig.pamConfig.enable_cached_credentials);
 base->pamCreateHomeDirectory->setChecked(m_clientRealmConfig.pamConfig.autocreate_user_directories_enable);
 base->pamCreateHomeDirectoryUmask->setValue(m_clientRealmConfig.pamConfig.autocreate_user_directories_umask);
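Review bot: `load()` drives `pamEnablePKCS11Logons` with `setChecked()` in the second hunk, but the first hunk wires `processLockouts()` only to the checkbox's `clicked()` signal, which a programmatic `setChecked()` does not emit, so the card-slot input's enabled state after a load is right only if `load()` itself calls `processLockouts()` later in its body, which is outside this hunk; worth confirming, as the existing `pamCreateHomeDirectory` controls depend on the same thing. Separately, `setValue()` on a `KIntNumInput` bounded to 0–999 in the .ui hunk will presumably clamp an out-of-range `pkcs11_login_card_slot` read from the realm config, and `save()` would then write the clamped value back without any indication. If that is acceptable, a comment at the `setValue` line such as `// NOTE: slot values outside the widget's 0-999 range are clamped here and persisted by save()` makes the behaviour visible to the next reader.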
@@ -217,6 +222,8 @@ void LDAPConfig::save() {
 m_clientRealmConfig.passwordHash = base->passwordHash->currentText();
 m_clientRealmConfig.ignoredUsers = base->ignoredUsers->text();
+ m_clientRealmConfig.pamConfig.enable_pkcs11_login = base->pamEnablePKCS11Logons->isChecked();
+ m_clientRealmConfig.pamConfig.pkcs11_login_card_slot = base->pamPKCS11LoginCardSlot->value();
 m_clientRealmConfig.pamConfig.enable_cached_credentials = base->pamEnableCachedLogons->isChecked();
 m_clientRealmConfig.pamConfig.autocreate_user_directories_enable = base->pamCreateHomeDirectory->isChecked();
 m_clientRealmConfig.pamConfig.autocreate_user_directories_umask = base->pamCreateHomeDirectoryUmask->value();
@@ -343,6 +350,13 @@ void LDAPConfig::processLockouts() {
 base->pamCreateHomeDirectoryUmask->setEnabled(false);
 base->pamCreateHomeDirectorySkelDir->setEnabled(false);
 }
+
+ if (base->pamEnablePKCS11Logons->isChecked()) {
+ base->pamPKCS11LoginCardSlot->setEnabled(true);
+ }
+ else {
+ base->pamPKCS11LoginCardSlot->setEnabled(false);
+ }
 }
 void LDAPConfig::bondToNewRealm() {
diff --git a/src/ldapconfigbase.ui b/src/ldapconfigbase.ui
index a889ac9..8c9b2db 100644
--- a/src/ldapconfigbase.ui
+++ b/src/ldapconfigbase.ui
@@ -454,6 +454,14 @@
 <string>&Enable logon credentials cache</string>
 </property>
 </widget>
+ <widget class="TQCheckBox" row="2" column="0" colspan="2">
+ <property name="name">
+ <cstring>pamEnablePKCS11Logons</cstring>
+ </property>
+ <property name="text">
+ <string>&Enable PKCS#11 card login</string>
+ </property>
+ </widget>
 <widget class="TQLabel" row="0" column="2">
 <property name="name">
 <cstring>unnamed</cstring>
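Review bot: The new checkbox text `&Enable PKCS#11 card login` in the ldapconfigbase.ui hunk reuses the `&E` mnemonic already taken by `&Enable logon credentials cache` three lines above it in the same group, so Alt+E will alternate focus between the two instead of toggling one. Pick a letter not used elsewhere in the dialog, for example `<string>Enable &PKCS#11 card login</string>`, and check the rest of the form for the same collision since only this row is visible here.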
@@ -500,6 +508,33 @@
 </sizepolicy>
 </property>
 </widget>
+ <widget class="TQLabel" row="2" column="2">
+ <property name="name">
+ <cstring>unnamed</cstring>
+ </property>
+ <property name="text">
+ <string>PKCS#11 certificate slot</string>
+ </property>
+ <property name="sizePolicy">
+ <sizepolicy>
+ <hsizetype>0</hsizetype>
+ <vsizetype>0</vsizetype>
+ <horstretch>0</horstretch>
+ <verstretch>0</verstretch>
+ </sizepolicy>
+ </property>
+ </widget>
+ <widget class="KIntNumInput" row="2" column="3" >
+ <property name="name">
+ <cstring>pamPKCS11LoginCardSlot</cstring>
+ </property>
+ <property name="minValue">
+ <number>0</number>
+ </property>
+ <property name="maxValue">
+ <number>999</number>
+ </property>
+ </widget>
 <widget class="KURLRequester" row="1" column="3" >
 <property name="name">
 <cstring>pamCreateHomeDirectorySkelDir</cstring> |
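Review bot: The label text `PKCS#11 certificate slot` does not match the widget it describes, which is named `pamPKCS11LoginCardSlot` and is stored as `pkcs11_login_card_slot` in the ldapbonding.cpp hunks; in PKCS#11 terminology a slot is the token or reader slot, so "certificate slot" invites the reading that this is an index into the certificates on the card. `<string>PKCS#11 card slot</string>` would line up with the checkbox text "card login" and with the field names. The 0–999 bounds on the `KIntNumInput` look like a UI convenience rather than a protocol limit; if so a one-line comment in the .ui or at the `setValue` call in `load()` saying as much would save the next maintainer from treating it as one.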