author | Timothy Pearson <kb9vqf@pearsoncomputing.net> | 2012-06-07 18:45:11 -0500 |
committer | Timothy Pearson <kb9vqf@pearsoncomputing.net> | 2012-06-07 18:45:11 -0500 |
commit | 02cfa8d8afb2c84b0683e4071f4482a54d2e459e (patch) | |
tree | e57a79c4114b32da685550437553d1930616f455 /src | |
parent | 023a331a3c85d7fae541cc1c3c721af2cc3415fe (diff) | |
Provide a range of user and certificate management options
Diffstat (limited to 'src')
-rw-r--r-- | src/ldapcontroller.cpp | 422 | ||||
-rw-r--r-- | src/ldapcontroller.h | 18 | ||||
-rw-r--r-- | src/ldapcontrollerconfigbase.ui | 173 | ||||
-rw-r--r-- | src/realmwizard.cpp | 3 |
4 files changed, 569 insertions, 47 deletions
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp index 3a79467..4f7ff1b 100644 --- a/src/ldapcontroller.cpp +++ b/src/ldapcontroller.cpp @@ -46,6 +46,7 @@ #include <tdesu/process.h> #include <libtdeldap.h> #include <kfiledialog.h> +#include <kpassdlg.h> #include "sha1.h" @@ -69,17 +70,12 @@ #define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl" -#define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions" - #define ROLE_WORKSTATION 0 -#define ROLE_REALM_CONTROLLER 1 +#define ROLE_SECONDARY_REALM_CONTROLLER 1 +#define ROLE_PRIMARY_REALM_CONTROLLER 2 #define KEY_STRENGTH 2048 -// RAJA FIXME -// Provide a way to change the LDAP root password -// in the olcDatabase (field olcRootPW) after installation! - typedef KGenericFactory<LDAPController, TQWidget> ldapFactory; K_EXPORT_COMPONENT_FACTORY( kcm_ldapcontroller, ldapFactory("kcmldapcontroller")) @@ -104,7 +100,8 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin m_base->systemRole->clear(); m_base->systemRole->insertItem("Workstation", ROLE_WORKSTATION); - m_base->systemRole->insertItem("Realm Controller", ROLE_REALM_CONTROLLER); + m_base->systemRole->insertItem("Secondary Realm Controller", ROLE_SECONDARY_REALM_CONTROLLER); + m_base->systemRole->insertItem("Primary Realm Controller", ROLE_PRIMARY_REALM_CONTROLLER); setRootOnlyMsg(i18n("<b>LDAP controller settings take effect system wide, and require administrator access to modify</b><br>To alter the system's realm controller settings, click on the \"Administrator Mode\" button below.")); setUseRootOnlyMsg(true); 
@@ -114,7 +111,21 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin connect(m_base->systemRole, TQT_SIGNAL(activated(const TQString&)), this, TQT_SLOT(systemRoleChanged())); connect(m_base->caRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaRegenerate())); - connect(m_base->caExport, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExport())); + connect(m_base->caExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExportKey())); + connect(m_base->caExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExportCert())); + + connect(m_base->krbRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnkrbRegenerate())); + connect(m_base->krbExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnkrbExportKey())); + connect(m_base->krbExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnkrbExportCert())); + + connect(m_base->ldapRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapRegenerate())); + connect(m_base->ldapExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportKey())); + connect(m_base->ldapExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportCert())); + + connect(m_base->btnChangeLDAPRootPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeLDAPRootPassword())); + connect(m_base->btnChangeRealmAdminPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeRealmAdminPassword())); + + connect(&m_certRefreshTimer, TQT_SIGNAL(timeout()), this, TQT_SLOT(updateCertDisplay())); m_fqdn = LDAPManager::getMachineFQDN(); @@ -125,10 +136,6 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin load(); - if (getuid() != 0 || !m_systemconfig->checkConfigFilesWritable( true )) { - m_base->systemEnableSupport->setEnabled(false); - } - processLockouts(); }; 
@@ -137,7 +144,7 @@ LDAPController::~LDAPController() { void LDAPController::systemRoleChanged() { if (m_base->systemRole->currentItem() != m_prevRole) { - if (m_base->systemRole->currentItem() == ROLE_REALM_CONTROLLER) { + if (m_base->systemRole->currentItem() == ROLE_PRIMARY_REALM_CONTROLLER) { // Verify that this workstation was not already bonded to an LDAP realm! bool bonded = false; TQStringList cfgRealms = m_systemconfig->groupList(); 
@@ -174,15 +181,77 @@ void LDAPController::systemRoleChanged() { load(); } } - if (m_base->systemRole->currentItem() == ROLE_WORKSTATION) { + else if (m_base->systemRole->currentItem() == ROLE_SECONDARY_REALM_CONTROLLER) { // RAJA FIXME + KMessageBox::error(0, i18n("<qt>Secondary realm controller support is not yet available<p>If you want to see it implemented, contact the Trinity Desktop developers</qt>"), i18n("Feature Not Yet Available")); + m_base->systemRole->setCurrentItem(m_prevRole); + } + else if (m_base->systemRole->currentItem() == ROLE_WORKSTATION) { + if (KMessageBox::warningYesNo(this, i18n("<qt><b>WARNING</b><br>You are attempting to demote a realm controller<p>This action will <b>PERMANENTLY DESTROY</b> the realm directory stored on this machine<p>If you do not want to do this, select <b>Cancel</b> below</qt>"), i18n("Are you absolutely sure?"), TQString("Continue"), TQString("Cancel")) == KMessageBox::Yes) { + ProcessingDialog pdialog(this); + pdialog.setStatusMessage(i18n("Preparing to demote primary realm controller...")); + pdialog.raise(); + pdialog.setActiveWindow(); + tqApp->processEvents(); + + save(); + + pdialog.setStatusMessage(i18n("Stopping servers...")); + + // Stop SASL + if (controlSASLServer(SC_STOP) != 0) { + // + } + // Stop Heimdal + if (controlHeimdalServer(SC_STOP) != 0) { + // + } + // Stop slapd + if (controlLDAPServer(SC_STOP) != 0) { + // + } + + pdialog.setStatusMessage(i18n("Purging LDAP database...")); + tqApp->processEvents(); + controlHeimdalServer(SC_PURGE); + controlLDAPServer(SC_PURGE); + + pdialog.setStatusMessage(i18n("Purging local configuration...")); + tqApp->processEvents(); + + system(TQString("rm -rf %1").arg(TDE_CERTIFICATE_DIR)); + + // Write the TDE realm configuration file + LDAPRealmConfigList realms; + LDAPManager::writeTDERealmList(realms, m_systemconfig); + m_systemconfig->deleteEntry("DefaultRealm"); + m_systemconfig->sync(); + + pdialog.closeDialog(); + + load(); + } + else { + 
m_base->systemRole->setCurrentItem(m_prevRole); + } } } } void LDAPController::processLockouts() { - bool enabled = (m_base->systemEnableSupport->isEnabled() && m_base->systemEnableSupport->isChecked()); + bool enabled = true; + bool canChangeLDAPEnabled = true; + + if (getuid() != 0 || !m_systemconfig->checkConfigFilesWritable( true )) { + canChangeLDAPEnabled = false; + enabled = false; + } + + if (m_base->systemRole->currentItem() != ROLE_WORKSTATION) { + canChangeLDAPEnabled = false; + } + m_base->systemEnableSupport->setEnabled(canChangeLDAPEnabled); m_base->systemRole->setEnabled(enabled); } @@ -201,8 +270,8 @@ void LDAPController::load() { if (!thisIsMyMachine) { ldapRole = "Workstation"; } - if (ldapRole == "Realm Controller") { - m_base->systemRole->setCurrentItem(ROLE_REALM_CONTROLLER); + if (ldapRole == "Primary Realm Controller") { + m_base->systemRole->setCurrentItem(ROLE_PRIMARY_REALM_CONTROLLER); } else { m_base->systemRole->setCurrentItem(ROLE_WORKSTATION); 
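Review bot: The demotion branch goes on to purge the Heimdal and LDAP databases and `rm -rf` the certificate directory even when one of the three `control*Server(SC_STOP)` calls fails, because each `!= 0` check has an empty body; purging a database underneath a still-running slapd or kdc can leave the machine half-demoted with no message to the user. The setup path in createNewLDAPRealm at least reports these failures through errstr, so the same treatment fits here: abort, tell the user, and restore the previous role. systemRoleChanged begins outside this hunk. The three stop calls can be collapsed into one guard as below.
```cpp
			pdialog.setStatusMessage(i18n("Stopping servers..."));
			// Abort the demotion if any service refuses to stop; purging a live database is unsafe
			if (controlSASLServer(SC_STOP) != 0 || controlHeimdalServer(SC_STOP) != 0 || controlLDAPServer(SC_STOP) != 0) {
				pdialog.closeDialog();
				KMessageBox::error(this, i18n("<qt>Unable to stop one or more realm services<p>The realm controller was not demoted</qt>"), i18n("Internal Failure"));
				m_base->systemRole->setCurrentItem(m_prevRole);
				return;
			}
			// … unchanged: purge databases, remove certificate directory, rewrite realm list …
```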
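Review bot: load() now recognises only the saved role text "Primary Realm Controller", but save() persists `m_base->systemRole->currentText()`, so a system configured before this commit carries the old item text "Realm Controller" and is loaded as a workstation; the realm controller groups are then hidden and the next save() silently rewrites LDAPRole as "Workstation". Accepting the legacy value keeps existing controllers intact: `if (ldapRole == "Primary Realm Controller" || ldapRole == "Realm Controller") {`. load()'s body continues beyond this hunk.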
@@ -219,28 +288,141 @@ void LDAPController::load() { m_certconfig.commonName = m_systemconfig->readEntry("commonName"); m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress"); + m_realmconfig = LDAPManager::readTDERealmList(m_systemconfig, !thisIsMyMachine); + if (!thisIsMyMachine) { + LDAPManager::writeTDERealmList(m_realmconfig, m_systemconfig); + } + m_systemconfig->setGroup(NULL); + m_defaultRealm = m_systemconfig->readEntry("DefaultRealm"); - if (m_base->systemRole->currentItem() == ROLE_REALM_CONTROLLER) { + if (m_base->systemRole->currentItem() == ROLE_PRIMARY_REALM_CONTROLLER) { m_base->groupRealmController->show(); m_base->groupRealmCertificates->show(); - m_base->realmName->setText(m_systemconfig->readEntry("DefaultRealm")); - m_base->caExpiryString->setText("Expires " + LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE).toString()); - // RAJA FIXME + m_base->realmName->setText(m_defaultRealm); + + // Display builtin account and group names, and provide a password reset button for each builtin user (yes, this includes the LDAP admin account!) + // FIXME + // root account should not be locked to "admin"! 
+ // when fixing, please fix the other instance of locked "admin" in realmwizard.cpp ::accept() + m_base->ldapRootUser->setText(TQString("cn=%1,").arg("admin") + LDAPManager::ldapdnForRealm(m_defaultRealm)); + + TQString realmname = m_defaultRealm.upper(); + LDAPCredentials* credentials = new LDAPCredentials; + credentials->username = ""; + credentials->password = ""; + credentials->realm = realmname; + LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials); + TQString errorstring; + LDAPTDEBuiltinsInfo builtins = ldap_mgr->getTDEBuiltinMappings(&errorstring); + delete ldap_mgr; + delete credentials; + + m_base->realmAdminUser->setText(LDAPManager::cnFromDn(builtins.builtinRealmAdminAccount)); + m_base->realmAdminGroup->setText(LDAPManager::cnFromDn(builtins.builtinRealmAdminGroup)); + m_base->realmMachineAdminGroup->setText(LDAPManager::cnFromDn(builtins.builtinMachineAdminGroup)); + m_base->realmStandardUserGroup->setText(LDAPManager::cnFromDn(builtins.builtinStandardUserGroup)); + + updateCertDisplay(); + m_certRefreshTimer.start(60*1000); } else { m_base->groupRealmController->hide(); m_base->groupRealmCertificates->hide(); + + m_certRefreshTimer.stop(); } processLockouts(); } +#define CERT_STATUS_COLOR_ACTIVE TQColor(0, 128, 0) +#define CERT_STATUS_COLOR_STALE TQColor(128, 64, 0) +#define CERT_STATUS_COLOR_EXPIRED TQColor(128, 0, 0) +#define CERT_STATUS_COLOR_NOTFOUND CERT_STATUS_COLOR_EXPIRED + +void LDAPController::updateCertDisplay() { + TQDateTime certExpiry; + TQDateTime now = TQDateTime::currentDateTime(); + TQDateTime soon = now.addDays(7); + + TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; + kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc); + TQString ldap_certfile = LDAP_CERT_FILE; + ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server); + + // Certificate Authority + if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) { + certExpiry = 
LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE); + if (certExpiry >= now) { + m_base->caExpiryString->setText("Expires " + certExpiry.toString()); + if (certExpiry >= soon) { + m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE); + } + else { + m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE); + } + } + else { + m_base->caExpiryString->setText("Expired " + certExpiry.toString()); + m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED); + } + } + else { + m_base->caExpiryString->setText("File not found"); + m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND); + } + + // Kerberos + if (TQFile::exists(kdc_certfile)) { + certExpiry = LDAPManager::getCertificateExpiration(kdc_certfile); + if (certExpiry >= now) { + m_base->krbExpiryString->setText("Expires " + certExpiry.toString()); + if (certExpiry >= soon) { + m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE); + } + else { + m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE); + } + } + else { + m_base->krbExpiryString->setText("Expired " + certExpiry.toString()); + m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED); + } + } + else { + m_base->krbExpiryString->setText("File not found"); + m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND); + } + + // LDAP + if (TQFile::exists(kdc_certfile)) { + certExpiry = LDAPManager::getCertificateExpiration(ldap_certfile); + if (certExpiry >= now) { + m_base->ldapExpiryString->setText("Expires " + certExpiry.toString()); + if (certExpiry >= soon) { + m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE); + } + else { + m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE); + } + } + else { + m_base->ldapExpiryString->setText("Expired " + certExpiry.toString()); + 
m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED); + } + } + else { + m_base->ldapExpiryString->setText("File not found"); + m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND); + } +} + void LDAPController::btncaRegenerate() { LDAPManager::generatePublicKerberosCACertificate(m_certconfig); - TQString realmname = m_systemconfig->readEntry("DefaultRealm").upper(); + TQString realmname = m_defaultRealm.upper(); LDAPCredentials* credentials = new LDAPCredentials; credentials->username = ""; credentials->password = ""; @@ -256,7 +438,16 @@ void LDAPController::btncaRegenerate() { load(); } -void LDAPController::btncaExport() { +void LDAPController::btncaExportKey() { + KURL src = KERBEROS_PKI_PEMKEY_FILE; + KURL dest = KFileDialog::getSaveURL(TQString::null, "*.key|Private Key (*.key)", this, i18n("Select a location to save a copy of the private key...")); + if (!dest.isEmpty()) { + KIO::CopyJob* job = KIO::copy(src, dest, true); + connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*))); + } +} + +void LDAPController::btncaExportCert() { KURL src = KERBEROS_PKI_PEM_FILE; KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate...")); if (!dest.isEmpty()) { 
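Review bot: In the `// LDAP` section of updateCertDisplay the existence test checks `kdc_certfile` while the expiry is then read from `ldap_certfile`, so a missing LDAP certificate is reported with whatever getCertificateExpiration returns for an absent file instead of "File not found", and a missing KDC certificate hides a valid LDAP one; the test should read `if (TQFile::exists(ldap_certfile)) {`. The three status blocks differ only in the file and the label, which is what made the slip easy to miss; a private helper taking the path and the TQLabel would remove the duplication. In load(), `errorstring` from getTDEBuiltinMappings is never examined, so a failed lookup leaves the builtin account labels empty with no indication; a printf in the style already used in replacePlaceholdersInFile would at least record it. load() begins outside this hunk.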
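Review bot: btncaExportKey copies the CA private key (KERBEROS_PKI_PEMKEY_FILE) to a user-chosen URL with KIO::copy, which gives the copy the destination's default ownership and mode, whereas the source keys are kept at S_IRUSR|S_IWUSR elsewhere in this file; the export can therefore hand out a copy that is readable by other local users, and a remote KIO destination is not protected at all. The same applies to btnkrbExportKey and btnldapExportKey in the following hunk. A comment on each would make the expectation explicit, e.g. `// The exported copy inherits the destination's default permissions; restrict it once the copy completes`, and slotCertCopyResult could apply S_IRUSR|S_IWUSR to local destinations on success.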
@@ -265,12 +456,165 @@ void LDAPController::btncaExport() { } } +void LDAPController::btnkrbRegenerate() { + LDAPManager::generatePublicKerberosCertificate(m_certconfig, m_realmconfig[m_defaultRealm]); + + load(); +} + +void LDAPController::btnkrbExportKey() { + TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE; + kdc_keyfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc); + + KURL src = kdc_keyfile; + KURL dest = KFileDialog::getSaveURL(TQString::null, "*.key|Private Key (*.key)", this, i18n("Select a location to save a copy of the private key...")); + if (!dest.isEmpty()) { + KIO::CopyJob* job = KIO::copy(src, dest, true); + connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*))); + } +} + +void LDAPController::btnkrbExportCert() { + TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; + kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc); + + KURL src = kdc_certfile; + KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate...")); + if (!dest.isEmpty()) { + KIO::CopyJob* job = KIO::copy(src, dest, true); + connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*))); + } +} + +void LDAPController::btnldapRegenerate() { + struct stat sb; + uid_t slapd_uid = 0; + gid_t slapd_gid = 0; + + // Get LDAP user uid/gid + struct passwd *pwd; + pwd = getpwnam(m_ldapUserName); + slapd_uid = pwd->pw_uid; + slapd_gid = pwd->pw_gid; + + LDAPManager::generatePublicLDAPCertificate(m_certconfig, m_realmconfig[m_defaultRealm], slapd_uid, slapd_gid); + + load(); +} + +void LDAPController::btnldapExportKey() { + TQString ldap_keyfile = LDAP_CERTKEY_FILE; + ldap_keyfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server); + + KURL src = ldap_keyfile; + KURL dest = KFileDialog::getSaveURL(TQString::null, "*.key|Private Key (*.key)", this, i18n("Select a location to save a 
copy of the private key...")); + if (!dest.isEmpty()) { + KIO::CopyJob* job = KIO::copy(src, dest, true); + connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*))); + } +} + +void LDAPController::btnldapExportCert() { + TQString ldap_certfile = LDAP_CERT_FILE; + ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server); + + KURL src = ldap_certfile; + KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate...")); + if (!dest.isEmpty()) { + KIO::CopyJob* job = KIO::copy(src, dest, true); + connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*))); + } +} + void LDAPController::slotCertCopyResult(KIO::Job* job) { if (job->error()) { job->showErrorDialog(this); } } +void LDAPController::btnChangeLDAPRootPassword() { + // NOTE + // There is (currently) no good way to replace the root password + // This convoluted procedure is (currently) the best I can do... 
+ + bool ret = false; + + TQCString rootPassword; + int result = KPasswordDialog::getNewPassword(rootPassword, i18n("Please enter the new LDAP root password:")); + if (result == KPasswordDialog::Accepted) { + SHA1 sha; + sha.process(rootPassword, strlen(rootPassword)); + TQString rootpw_hash = sha.base64Hash(); + + TQString oldconfigfilename = "/etc/ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif.bkp").arg(1); + TQString newconfigfilename = "/etc/ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(1); + + if (controlLDAPServer(SC_STOP) == 0) { + rename(newconfigfilename.ascii(), oldconfigfilename.ascii()); + TQFile ifile(oldconfigfilename); + TQFile ofile(newconfigfilename); + + if (ifile.open(IO_ReadOnly)) { + if (ofile.open(IO_WriteOnly)) { + TQString line; + TQTextStream istream(&ifile); + TQTextStream ostream(&ofile); + while (!istream.atEnd()) { + line = istream.readLine(); + if (line.startsWith("olcRootPW:")) { + ostream << "olcRootPW: {SHA}" << rootpw_hash << "\n"; + } + else { + ostream << line << "\n"; + } + } + ifile.close(); + unlink(oldconfigfilename); + ofile.close(); + if (controlLDAPServer(SC_START) == 0) { + ret = true; + } + } + else { + ifile.close(); + rename(oldconfigfilename.ascii(), newconfigfilename.ascii()); + } + } + else { + rename(oldconfigfilename.ascii(), newconfigfilename.ascii()); + } + } + + if (!ret) { + KMessageBox::error(0, i18n("<qt>Unable to modify LDAP root password<p>Your LDAP server may now be in an inconsistent or disabled state</qt>"), i18n("Internal Failure")); + } + } +} + +void LDAPController::btnChangeRealmAdminPassword() { + TQCString adminPassword; + int result = KPasswordDialog::getNewPassword(adminPassword, i18n("Please enter the new realm administrator password:")); + if (result == KPasswordDialog::Accepted) { + TQString realmname = m_defaultRealm.upper(); + LDAPCredentials* credentials = new LDAPCredentials; + credentials->username = ""; + credentials->password = ""; + 
credentials->realm = realmname; + LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials); + TQString errorstring; + LDAPTDEBuiltinsInfo builtins = ldap_mgr->getTDEBuiltinMappings(&errorstring); + + LDAPUserInfo adminuserinfo = ldap_mgr->getUserByDistinguishedName(builtins.builtinRealmAdminAccount); + if (adminuserinfo.informationValid) { + adminuserinfo.new_password = adminPassword; + ldap_mgr->setPasswordForUser(adminuserinfo, &errorstring); + } + + delete ldap_mgr; + delete credentials; + } +} + void LDAPController::defaults() { // } @@ -278,6 +622,7 @@ void LDAPController::defaults() { void LDAPController::save() { m_systemconfig->setGroup(NULL); m_systemconfig->writeEntry("EnableLDAP", m_base->systemEnableSupport->isChecked()); + m_systemconfig->writeEntry("HostFQDN", m_fqdn); m_systemconfig->writeEntry("LDAPRole", m_base->systemRole->currentText()); // Write cert config @@ -371,7 +716,6 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi } ostream << line << "\n"; } - ifile.close(); ofile.close(); // Set permissions @@ -383,6 +727,7 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi //KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(outfile), i18n("Internal Failure")); printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n\r", outfile.ascii()); fflush(stdout); } + ifile.close(); } else { //KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure")); 
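Review bot: btnChangeLDAPRootPassword rewrites `olcDatabase={1}hdb.ldif` through a fresh TQFile opened IO_WriteOnly, so the new file is created with root ownership and the process umask while the original's owner and mode are lost; the file carries the root password hash and slapd runs as m_ldapUserName (see btnldapRegenerate in the same hunk), so the result is either unreadable by slapd or readable by more users than before. Recording the original file's stat after the rename and reapplying it after `ofile.close()` preserves the protection, as below. In btnldapRegenerate, `pwd = getpwnam(m_ldapUserName);` is dereferenced without a NULL check; `if (!pwd) { KMessageBox::error(0, i18n("<qt>Unable to look up the LDAP user %1</qt>").arg(m_ldapUserName), i18n("Internal Failure")); return; }` before the uid read avoids a crash. The `{SHA}` scheme stores an unsalted SHA-1 digest; if the sha1.h helper can take a salt, `{SSHA}` is the better choice, and the plaintext in `rootPassword` could be cleared with `rootPassword.fill(0)` once hashed.
```cpp
		if (controlLDAPServer(SC_STOP) == 0) {
			rename(newconfigfilename.ascii(), oldconfigfilename.ascii());
			// Remember the original owner and mode so the rewritten file (which holds
			// the root password hash) keeps the same protection and stays readable by slapd
			struct stat sb;
			bool haveStat = (stat(oldconfigfilename.ascii(), &sb) == 0);
			TQFile ifile(oldconfigfilename);
			TQFile ofile(newconfigfilename);
			// … unchanged: copy lines, replacing olcRootPW …
					ifile.close();
					unlink(oldconfigfilename);
					ofile.close();
					if (haveStat) {
						chmod(newconfigfilename.ascii(), sb.st_mode & 07777);
						chown(newconfigfilename.ascii(), sb.st_uid, sb.st_gid);
					}
			// … unchanged: restart slapd, set ret, error-path renames …
```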
@@ -796,14 +1141,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo chmod(kdc_keyfile.ascii(), S_IRUSR|S_IWUSR); chown(kdc_keyfile.ascii(), 0, 0); - command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); - system(command); - command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE); - system(command); - chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - chown(kdc_certfile.ascii(), 0, 0); - unlink(kdc_reqfile.ascii()); - unlink(OPENSSL_EXTENSIONS_FILE); + LDAPManager::generatePublicKerberosCertificate(certinfo, realmconfig); // LDAP certificate TQString ldap_certfile = LDAP_CERT_FILE; 
@@ -817,13 +1155,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo chmod(ldap_keyfile.ascii(), S_IRUSR|S_IWUSR); chown(ldap_keyfile.ascii(), ldap_uid, ldap_gid); - command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmconfig.admin_server).arg(certinfo.emailAddress); - system(command); - command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile); - system(command); - chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - chown(ldap_certfile.ascii(), ldap_uid, ldap_gid); - unlink(ldap_reqfile.ascii()); + LDAPManager::generatePublicLDAPCertificate(certinfo, realmconfig, ldap_uid, ldap_gid); return 0; } @@ -841,6 +1173,8 @@ int LDAPController::uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* return -1; } +// #define STRICT_SETUP 1 + int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) { int ldifSchemaNumber; 
@@ -874,21 +1208,27 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME // Stop SASL if (controlSASLServer(SC_STOP) != 0) { +#ifdef STRICT_SETUP if (errstr) *errstr = i18n("Unable to stop SASL server"); pdialog.closeDialog(); return -1; +#endif // STRICT_SETUP } // Stop Heimdal if (controlHeimdalServer(SC_STOP) != 0) { +#ifdef STRICT_SETUP if (errstr) *errstr = i18n("Unable to stop Kerberos server"); pdialog.closeDialog(); return -1; +#endif // STRICT_SETUP } // Stop slapd if (controlLDAPServer(SC_STOP) != 0) { +#ifdef STRICT_SETUP if (errstr) *errstr = i18n("Unable to stop LDAP server"); pdialog.closeDialog(); return -1; +#endif // STRICT_SETUP } pdialog.setStatusMessage(i18n("Purging existing LDAP database...")); @@ -1000,6 +1340,8 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME chmod(TQString(SASL_DEFAULT_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP); chmod(TQString(SASL_CONTROL_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chmod(TQString(OPENSSL_EXTENSIONS_FILE).ascii(), S_IRUSR|S_IWUSR); + pdialog.setStatusMessage(i18n("Installing realm certificates...")); tqApp->processEvents(); diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h index d48f00f..da41004 100644 --- a/src/ldapcontroller.h +++ b/src/ldapcontroller.h @@ -29,6 +29,7 @@ #include <kglobalsettings.h> #include <tqpushbutton.h> #include <tqcombobox.h> +#include <tqtimer.h> #include <kio/jobclasses.h> #include <libtdeldap.h> 
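Review bot: With `// #define STRICT_SETUP 1` left commented out, the three `#ifdef STRICT_SETUP` blocks compile away the only error handling for a failed stop of SASL, Heimdal or slapd, so createNewLDAPRealm now continues into "Purging existing LDAP database..." with a service possibly still running, and the caller never learns why. If the strict exits are deliberately disabled during bring-up (the surrounding "RAJA DEBUG ONLY FIXME" suggests so), the failure should still be visible outside the ifdef, for instance `printf("[WARNING] Unable to stop SASL server, continuing anyway\n\r"); fflush(stdout);` in the style already used in replacePlaceholdersInFile, and likewise at the other two sites. A one-line comment above the define stating when STRICT_SETUP is expected to be turned on would also help. createNewLDAPRealm begins and ends outside this hunk.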
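Review bot: The added `chmod(TQString(OPENSSL_EXTENSIONS_FILE).ascii(), S_IRUSR|S_IWUSR);` references a macro whose definition in this file is removed by the same commit (the `-#define OPENSSL_EXTENSIONS_FILE` line in the first hunk), so it must now come from a header, presumably libtdeldap.h; worth confirming, as otherwise this hunk does not compile. If the extensions file is written by LDAPManager's certificate helpers rather than here, the mode is better set where the file is created, since this chmod runs only inside createNewLDAPRealm and not on the btnkrbRegenerate path. createNewLDAPRealm begins and ends outside this hunk.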
@@ -64,11 +65,22 @@ class LDAPController: public KCModule private slots: void systemRoleChanged(); void processLockouts(); + void updateCertDisplay(); void btncaRegenerate(); - void btncaExport(); + void btncaExportKey(); + void btncaExportCert(); + void btnkrbRegenerate(); + void btnkrbExportKey(); + void btnkrbExportCert(); + void btnldapRegenerate(); + void btnldapExportKey(); + void btnldapExportCert(); void slotCertCopyResult(KIO::Job*); + void btnChangeLDAPRootPassword(); + void btnChangeRealmAdminPassword(); + private: int controlKAdminDaemon(sc_command command); int controlSASLServer(sc_command command); @@ -93,6 +105,10 @@ class LDAPController: public KCModule TQString m_ldapGroupName; LDAPCertConfig m_certconfig; + TQString m_defaultRealm; + LDAPRealmConfigList m_realmconfig; + + TQTimer m_certRefreshTimer; }; #endif // _LDAPCONTROLLER_H_ diff --git a/src/ldapcontrollerconfigbase.ui b/src/ldapcontrollerconfigbase.ui index 64d4623..6e3bb47 100644 --- a/src/ldapcontrollerconfigbase.ui +++ b/src/ldapcontrollerconfigbase.ui 
@@ -92,6 +92,87 @@ <cstring>realmName</cstring> </property> </widget> + <widget class="TQLabel" row="1" column="0" colspan="1"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <cstring>LDAP Root User:</cstring> + </property> + </widget> + <widget class="TQLabel" row="1" column="1" colspan="1"> + <property name="name"> + <cstring>ldapRootUser</cstring> + </property> + </widget> + <widget class="TQPushButton" row="1" column="2" colspan="1"> + <property name="name"> + <cstring>btnChangeLDAPRootPassword</cstring> + </property> + <property name="text"> + <cstring>Change Password</cstring> + </property> + </widget> + <widget class="TQLabel" row="2" column="0" colspan="1"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <cstring>Realm Administrative User:</cstring> + </property> + </widget> + <widget class="TQLabel" row="2" column="1" colspan="1"> + <property name="name"> + <cstring>realmAdminUser</cstring> + </property> + </widget> + <widget class="TQPushButton" row="2" column="2" colspan="1"> + <property name="name"> + <cstring>btnChangeRealmAdminPassword</cstring> + </property> + <property name="text"> + <cstring>Change Password</cstring> + </property> + </widget> + <widget class="TQLabel" row="3" column="0" colspan="1"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <cstring>Realm Administrative Group:</cstring> + </property> + </widget> + <widget class="TQLabel" row="3" column="1" colspan="1"> + <property name="name"> + <cstring>realmAdminGroup</cstring> + </property> + </widget> + <widget class="TQLabel" row="4" column="0" colspan="1"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <cstring>Machine Administrative Group:</cstring> + </property> + </widget> + <widget class="TQLabel" row="4" column="1" colspan="1"> + <property name="name"> + <cstring>realmMachineAdminGroup</cstring> 
+ </property> + </widget> + <widget class="TQLabel" row="5" column="0" colspan="1"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <cstring>Standard User Group:</cstring> + </property> + </widget> + <widget class="TQLabel" row="5" column="1" colspan="1"> + <property name="name"> + <cstring>realmStandardUserGroup</cstring> + </property> + </widget> </grid> </widget> <widget class="TQGroupBox" row="2" column="0"> @@ -113,12 +194,12 @@ <cstring>Certificate Authority:</cstring> </property> </widget> - <widget class="TQLabel" row="0" column="1" colspan="1"> + <widget class="TQLabel" row="1" column="0" colspan="1"> <property name="name"> <cstring>caExpiryString</cstring> </property> </widget> - <widget class="TQPushButton" row="0" column="2" colspan="1"> + <widget class="TQPushButton" row="0" column="2" colspan="1" rowspan="2"> <property name="name"> <cstring>caRegenerate</cstring> </property> 
@@ -126,12 +207,94 @@ <cstring>Regenerate Certificate</cstring> </property> </widget> - <widget class="TQPushButton" row="0" column="3" colspan="1"> + <widget class="TQPushButton" row="0" column="3" colspan="1" rowspan="2"> + <property name="name"> + <cstring>caExportKey</cstring> + </property> + <property name="text"> + <cstring>Export Private Key</cstring> + </property> + </widget> + <widget class="TQPushButton" row="0" column="4" colspan="1" rowspan="2"> + <property name="name"> + <cstring>caExportCert</cstring> + </property> + <property name="text"> + <cstring>Export Public Certificate</cstring> + </property> + </widget> + <widget class="TQLabel" row="2" column="0" colspan="1"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <cstring>Kerberos:</cstring> + </property> + </widget> + <widget class="TQLabel" row="3" column="0" colspan="1"> + <property name="name"> + <cstring>krbExpiryString</cstring> + </property> + </widget> + <widget class="TQPushButton" row="2" column="2" colspan="1" rowspan="2"> + <property name="name"> + <cstring>krbRegenerate</cstring> + </property> + <property name="text"> + <cstring>Regenerate Certificate</cstring> + </property> + </widget> + <widget class="TQPushButton" row="2" column="3" colspan="1" rowspan="2"> + <property name="name"> + <cstring>krbExportKey</cstring> + </property> + <property name="text"> + <cstring>Export Private Key</cstring> + </property> + </widget> + <widget class="TQPushButton" row="2" column="4" colspan="1" rowspan="2"> + <property name="name"> + <cstring>krbExportCert</cstring> + </property> + <property name="text"> + <cstring>Export Public Certificate</cstring> + </property> + </widget> + <widget class="TQLabel" row="4" column="0" colspan="1"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <cstring>LDAP TLS:</cstring> + </property> + </widget> + <widget class="TQLabel" row="5" column="0" colspan="1"> + <property 
name="name"> + <cstring>ldapExpiryString</cstring> + </property> + </widget> + <widget class="TQPushButton" row="4" column="2" colspan="1" rowspan="2"> + <property name="name"> + <cstring>ldapRegenerate</cstring> + </property> + <property name="text"> + <cstring>Regenerate Certificate</cstring> + </property> + </widget> + <widget class="TQPushButton" row="4" column="3" colspan="1" rowspan="2"> + <property name="name"> + <cstring>ldapExportKey</cstring> + </property> + <property name="text"> + <cstring>Export Private Key</cstring> + </property> + </widget> + <widget class="TQPushButton" row="4" column="4" colspan="1" rowspan="2"> <property name="name"> - <cstring>caExport</cstring> + <cstring>ldapExportCert</cstring> </property> <property name="text"> - <cstring>Export Certificate</cstring> + <cstring>Export Public Certificate</cstring> </property> </widget> </grid> diff --git a/src/realmwizard.cpp b/src/realmwizard.cpp index 95bd931..f2a7760 100644 --- a/src/realmwizard.cpp +++ b/src/realmwizard.cpp @@ -239,8 +239,9 @@ void RealmWizard::accept() { // Try to create realm TQString errorString; - // RAJA FIXME + // FIXME // root account should not be locked to "admin"! + // when fixing, please fix the other instance of locked "admin" in ldapcontroller.cpp ::load() backButton()->setEnabled(false); nextButton()->setEnabled(false); finishButton()->setEnabled(false); |