authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-09-03 15:09:38 -0500
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-09-03 15:09:38 -0500
commitc14f2f4613cc75a6dd5ec0d1eebff9c855e40c46 (patch)
tree08a1f605eaf8f6ce1a88d39f003e42bcba055691
parent3ca881c5997d3df0b8ad347e514f9cec65962bbe (diff)
downloadkcmldap-c14f2f4613cc75a6dd5ec0d1eebff9c855e40c46.tar.gz
kcmldap-c14f2f4613cc75a6dd5ec0d1eebff9c855e40c46.zip
Add CRL support
-rw-r--r--cert-updater/main.cpp45
-rw-r--r--src/ldapbonding.cpp8
2 files changed, 47 insertions, 6 deletions
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index 8c96f2e..78ad0dc 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -1,5 +1,5 @@
/***************************************************************************
- * Copyright (C) 2013 by Timothy Pearson *
+ * Copyright (C) 2013 - 2015 by Timothy Pearson *
* kb9vqf@pearsoncomputing.net *
* *
* This program is free software; you can redistribute it and/or modify *
@@ -48,7 +48,12 @@
static const char description[] =
I18N_NOOP("TDE utility for updating realm certificates");
-static const char version[] = "v0.0.1";
+static const char version[] = "v0.0.2";
+
+static TDECmdLineOptions options[] = {
+ { "immediate", I18N_NOOP("Force immediate update"), 0 },
+ TDECmdLineLastOption
+};
bool received_sighup = false;
@@ -78,8 +83,8 @@ int get_certificate_from_server(TQString certificateName, TQString certificateFi
credentials->username = "";
credentials->password = "";
credentials->realm = realmcfg.name.upper();
- credentials->use_tls = false;
- LDAPManager* ldap_mgr = new LDAPManager(realmcfg.name.upper(), TQString("ldap://%1").arg(realmcfg.admin_server).ascii(), credentials);
+ credentials->use_tls = true;
+ LDAPManager* ldap_mgr = new LDAPManager(realmcfg.name.upper(), TQString("ldaps://%1").arg(realmcfg.admin_server).ascii(), credentials);
// Add the domain-wide computer local admin group to local sudoers
ldap_mgr->writeSudoersConfFile(&errorstring);
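Review bot: Switching to `ldaps://` together with `credentials->use_tls = true` leaves open how the server certificate is verified on the very first run, because the object this function fetches is the realm's root certificate itself; if LDAPManager verifies against the host CA store, a realm whose CA is not yet installed (the `else` branches in main that call this when no file exists) will either fail to connect or, if verification is relaxed there, accept whatever the server presents. A comment on these two lines stating which of those holds, e.g. `// ldaps + TLS: bootstrap fetch of the root cert; verification behaviour is decided inside LDAPManager`, would save the next reader from guessing. Whether `use_tls` additionally requests StartTLS on top of an `ldaps://` URL depends on LDAPManager, which is not visible here; confirm it does not, since some servers reject StartTLS on the ldaps port. get_certificate_from_server continues outside the hunk, so the lifetime of the `new LDAPManager` cannot be checked from this view.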
@@ -125,15 +130,18 @@ int main(int argc, char *argv[])
// Initialize TDE application libraries
TDEAboutData aboutData( "tdeldapcertupdater", I18N_NOOP("Realm Certificate Updater"),
version, description, TDEAboutData::License_GPL,
- "(c) 2013, Timothy Pearson");
+ "(c) 2013 - 2015, Timothy Pearson");
aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
TDECmdLineArgs::init( argc, argv, &aboutData );
+ TDECmdLineArgs::addCmdLineOptions(options);
TDEApplication::disableAutoDcopRegistration();
TDEApplication app(false, false);
TDEStartupInfo::appStarted();
+ bool immediate = TDECmdLineArgs::parsedArgs()->isSet("immediate");
+
//======================================================================================================================================================
//
// Updater code follows
@@ -155,6 +163,7 @@ int main(int argc, char *argv[])
for (it = realms.begin(); it != realms.end(); ++it) {
LDAPRealmConfig realmcfg = it.data();
TQString certificateFileName = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crt";
+ TQString crlFileName = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crl";
TQDateTime certExpiry;
TQDateTime soon = now.addDays(7); // Keep in sync with src/ldapcontroller.cpp
@@ -164,7 +173,7 @@ int main(int argc, char *argv[])
if (certExpiry >= now) {
printf("[INFO] Certificate %s expires %s\n", certificateFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
- if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+ if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
allDownloadsOK = false;
}
@@ -180,7 +189,30 @@ int main(int argc, char *argv[])
allDownloadsOK = false;
}
}
+
+ if (TQFile::exists(crlFileName)) {
+ certExpiry = LDAPManager::getCertificateExpiration(crlFileName);
+ if (certExpiry >= now) {
+ printf("[INFO] CRL %s expires %s\n", crlFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
+ }
+ if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+ if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+ allDownloadsOK = false;
+ }
+ }
+ if (certExpiry < earliestCertExpiry) {
+ earliestCertExpiry = certExpiry;
+ }
+ }
+ else {
+ mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+ mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+ if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+ allDownloadsOK = false;
+ }
+ }
}
+ immediate = false;
earliestCertExpiry = earliestCertExpiry.addDays(-7); // Keep in sync with now.addDays above (use negative of value given above)
int secondsToExpiry = now.secsTo(earliestCertExpiry);
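Review bot: `LDAPManager::getCertificateExpiration(crlFileName)` at the top of the new CRL block applies a certificate helper to a CRL; a CRL's validity ends at its nextUpdate field rather than a certificate's notAfter, so unless that helper understands CRLs the result may be an invalid TQDateTime. An invalid value then flows unchanged into `certExpiry < earliestCertExpiry` and the `secondsToExpiry` computation below, which could either trigger an immediate re-download every pass or push the sleep out indefinitely — I cannot tell which from here. Guard the scheduling on validity, e.g. `if (certExpiry.isValid() && certExpiry < earliestCertExpiry) {`, and print a line when the CRL cannot be parsed so a corrupt or empty CRL file is visible rather than silent. The download failure in the `else` branch likewise only clears allDownloadsOK, consistent with the certificate path above, but a missing CRL is the case where revocation is not enforced at all, so logging it explicitly is worthwhile. main continues outside the hunk.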
@@ -204,6 +236,7 @@ int main(int argc, char *argv[])
}
unlink(TDE_LDAP_CERT_UPDATER_PID_FILE);
+ delete systemconfig;
//======================================================================================================================================================
diff --git a/src/ldapbonding.cpp b/src/ldapbonding.cpp
index 85e1061..bf20050 100644
--- a/src/ldapbonding.cpp
+++ b/src/ldapbonding.cpp
@@ -276,6 +276,14 @@ void LDAPConfig::save() {
if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PUBLICDIR + m_realms[m_clientRealmConfig.defaultRealm].admin_server + ".ldap.crt", &errorstring) != 0) {
KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root certificate for realm %1!</b><p>Details: %2</qt>").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain Certificate"));
}
+ if (ldap_mgr->installCACertificateInHostCAStore(&errorstring) != 0) {
+ KMessageBox::sorry(this, i18n("<qt><b>Unable to install root CA certificate for realm %1!</b><p>Details: %2</qt>").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Install Root CA"));
+ }
+
+ // Get and install the CA root CRL from LDAP
+ if (ldap_mgr->retrieveAndInstallCaCrl(ldap_mgr, &errorstring) != 0) {
+ KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root CRL for realm %1!</b><p>Details: %2</qt>").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain CRL"));
+ }
delete ldap_mgr;
delete credentials;
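Review bot: `ldap_mgr->retrieveAndInstallCaCrl(ldap_mgr, &errorstring)` passes the manager to its own member function; if the method needs the manager it already has `this`, so either the argument is redundant or the method is really a static helper — its declaration is not in this hunk, so confirm and drop the argument if it is redundant. The new `installCACertificateInHostCAStore` call turns the certificate just fetched by `getTDECertificate` into a host-wide trust anchor, and nothing in the hunk compares it against an already-pinned copy or a fingerprint before installing; a short comment stating what authenticates that download and that the install affects the whole host would help later readers judge the step. A failed install only shows a dialog and execution continues to the CRL step and `delete ldap_mgr`, which matches the existing certificate path. LDAPConfig::save() begins before this hunk.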