authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2012-06-07 18:45:11 -0500
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2012-06-07 18:45:11 -0500
commit02cfa8d8afb2c84b0683e4071f4482a54d2e459e (patch)
treee57a79c4114b32da685550437553d1930616f455
parent023a331a3c85d7fae541cc1c3c721af2cc3415fe (diff)
downloadkcmldapcontroller-02cfa8d8.tar.gz
kcmldapcontroller-02cfa8d8.zip
Provide a range of user and certificate management options
-rw-r--r--confskel/openldap/skel.ldif2
-rw-r--r--src/ldapcontroller.cpp422
-rw-r--r--src/ldapcontroller.h18
-rw-r--r--src/ldapcontrollerconfigbase.ui173
-rw-r--r--src/realmwizard.cpp3
5 files changed, 570 insertions, 48 deletions
diff --git a/confskel/openldap/skel.ldif b/confskel/openldap/skel.ldif
index aec1f55..7d3f2fa 100644
--- a/confskel/openldap/skel.ldif
+++ b/confskel/openldap/skel.ldif
@@ -300,7 +300,7 @@ objectClass: tdeBuiltinStore
objectClass: applicationProcess
tdeBuiltinAccount: TRUE
structuralObjectClass: applicationProcess
-builtinRealmAdminAccount: cn=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@
+builtinRealmAdminAccount: uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@
builtinRealmAdminGroup: cn=@@@ADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@
builtinMachineAdminGroup: cn=@@@LOCALADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@
builtinStandardUserGroup: cn=@@@STANDARDUSERGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@
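Review bot: The realm admin account DN now begins with `uid=` instead of `cn=`, but `load()` in ldapcontroller.cpp (later in this commit) still renders it through `LDAPManager::cnFromDn(builtins.builtinRealmAdminAccount)`; if that helper only strips a leading `cn=` RDN (its body is not visible here), the "Realm Administrative User" label will come out empty or wrong on a realm created from this template. Confirm `cnFromDn` accepts a `uid=` RDN, or give that one call a uid-aware equivalent. Realms created from the previous template keep the `cn=` DN, so `getUserByDistinguishedName` in `btnChangeRealmAdminPassword` must cope with both forms.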
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index 3a79467..4f7ff1b 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -46,6 +46,7 @@
#include <tdesu/process.h>
#include <libtdeldap.h>
#include <kfiledialog.h>
+#include <kpassdlg.h>
#include "sha1.h"
@@ -69,17 +70,12 @@
#define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl"
-#define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions"
-
#define ROLE_WORKSTATION 0
-#define ROLE_REALM_CONTROLLER 1
+#define ROLE_SECONDARY_REALM_CONTROLLER 1
+#define ROLE_PRIMARY_REALM_CONTROLLER 2
#define KEY_STRENGTH 2048
-// RAJA FIXME
-// Provide a way to change the LDAP root password
-// in the olcDatabase (field olcRootPW) after installation!
-
typedef KGenericFactory<LDAPController, TQWidget> ldapFactory;
K_EXPORT_COMPONENT_FACTORY( kcm_ldapcontroller, ldapFactory("kcmldapcontroller"))
@@ -104,7 +100,8 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
m_base->systemRole->clear();
m_base->systemRole->insertItem("Workstation", ROLE_WORKSTATION);
- m_base->systemRole->insertItem("Realm Controller", ROLE_REALM_CONTROLLER);
+ m_base->systemRole->insertItem("Secondary Realm Controller", ROLE_SECONDARY_REALM_CONTROLLER);
+ m_base->systemRole->insertItem("Primary Realm Controller", ROLE_PRIMARY_REALM_CONTROLLER);
setRootOnlyMsg(i18n("<b>LDAP controller settings take effect system wide, and require administrator access to modify</b><br>To alter the system's realm controller settings, click on the \"Administrator Mode\" button below."));
setUseRootOnlyMsg(true);
@@ -114,7 +111,21 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
connect(m_base->systemRole, TQT_SIGNAL(activated(const TQString&)), this, TQT_SLOT(systemRoleChanged()));
connect(m_base->caRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaRegenerate()));
- connect(m_base->caExport, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExport()));
+ connect(m_base->caExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExportKey()));
+ connect(m_base->caExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExportCert()));
+
+ connect(m_base->krbRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnkrbRegenerate()));
+ connect(m_base->krbExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnkrbExportKey()));
+ connect(m_base->krbExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnkrbExportCert()));
+
+ connect(m_base->ldapRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapRegenerate()));
+ connect(m_base->ldapExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportKey()));
+ connect(m_base->ldapExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnldapExportCert()));
+
+ connect(m_base->btnChangeLDAPRootPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeLDAPRootPassword()));
+ connect(m_base->btnChangeRealmAdminPassword, TQT_SIGNAL(clicked()), this, TQT_SLOT(btnChangeRealmAdminPassword()));
+
+ connect(&m_certRefreshTimer, TQT_SIGNAL(timeout()), this, TQT_SLOT(updateCertDisplay()));
m_fqdn = LDAPManager::getMachineFQDN();
@@ -125,10 +136,6 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
load();
- if (getuid() != 0 || !m_systemconfig->checkConfigFilesWritable( true )) {
- m_base->systemEnableSupport->setEnabled(false);
- }
-
processLockouts();
};
@@ -137,7 +144,7 @@ LDAPController::~LDAPController() {
void LDAPController::systemRoleChanged() {
if (m_base->systemRole->currentItem() != m_prevRole) {
- if (m_base->systemRole->currentItem() == ROLE_REALM_CONTROLLER) {
+ if (m_base->systemRole->currentItem() == ROLE_PRIMARY_REALM_CONTROLLER) {
// Verify that this workstation was not already bonded to an LDAP realm!
bool bonded = false;
TQStringList cfgRealms = m_systemconfig->groupList();
@@ -174,15 +181,77 @@ void LDAPController::systemRoleChanged() {
load();
}
}
- if (m_base->systemRole->currentItem() == ROLE_WORKSTATION) {
+ else if (m_base->systemRole->currentItem() == ROLE_SECONDARY_REALM_CONTROLLER) {
// RAJA FIXME
+ KMessageBox::error(0, i18n("<qt>Secondary realm controller support is not yet available<p>If you want to see it implemented, contact the Trinity Desktop developers</qt>"), i18n("Feature Not Yet Available"));
+ m_base->systemRole->setCurrentItem(m_prevRole);
+ }
+ else if (m_base->systemRole->currentItem() == ROLE_WORKSTATION) {
+ if (KMessageBox::warningYesNo(this, i18n("<qt><b>WARNING</b><br>You are attempting to demote a realm controller<p>This action will <b>PERMANENTLY DESTROY</b> the realm directory stored on this machine<p>If you do not want to do this, select <b>Cancel</b> below</qt>"), i18n("Are you absolutely sure?"), TQString("Continue"), TQString("Cancel")) == KMessageBox::Yes) {
+ ProcessingDialog pdialog(this);
+ pdialog.setStatusMessage(i18n("Preparing to demote primary realm controller..."));
+ pdialog.raise();
+ pdialog.setActiveWindow();
+ tqApp->processEvents();
+
+ save();
+
+ pdialog.setStatusMessage(i18n("Stopping servers..."));
+
+ // Stop SASL
+ if (controlSASLServer(SC_STOP) != 0) {
+ //
+ }
+ // Stop Heimdal
+ if (controlHeimdalServer(SC_STOP) != 0) {
+ //
+ }
+ // Stop slapd
+ if (controlLDAPServer(SC_STOP) != 0) {
+ //
+ }
+
+ pdialog.setStatusMessage(i18n("Purging LDAP database..."));
+ tqApp->processEvents();
+ controlHeimdalServer(SC_PURGE);
+ controlLDAPServer(SC_PURGE);
+
+ pdialog.setStatusMessage(i18n("Purging local configuration..."));
+ tqApp->processEvents();
+
+ system(TQString("rm -rf %1").arg(TDE_CERTIFICATE_DIR));
+
+ // Write the TDE realm configuration file
+ LDAPRealmConfigList realms;
+ LDAPManager::writeTDERealmList(realms, m_systemconfig);
+ m_systemconfig->deleteEntry("DefaultRealm");
+ m_systemconfig->sync();
+
+ pdialog.closeDialog();
+
+ load();
+ }
+ else {
+ m_base->systemRole->setCurrentItem(m_prevRole);
+ }
}
}
}
void LDAPController::processLockouts() {
- bool enabled = (m_base->systemEnableSupport->isEnabled() && m_base->systemEnableSupport->isChecked());
+ bool enabled = true;
+ bool canChangeLDAPEnabled = true;
+
+ if (getuid() != 0 || !m_systemconfig->checkConfigFilesWritable( true )) {
+ canChangeLDAPEnabled = false;
+ enabled = false;
+ }
+
+ if (m_base->systemRole->currentItem() != ROLE_WORKSTATION) {
+ canChangeLDAPEnabled = false;
+ }
+ m_base->systemEnableSupport->setEnabled(canChangeLDAPEnabled);
m_base->systemRole->setEnabled(enabled);
}
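Review bot: The three `if (controlXServer(SC_STOP) != 0) { // }` checks at the top of the demotion branch swallow a failed stop, so the purge and the `rm -rf` of the certificate directory run while slapd or the KDC may still be up and holding those files. Abort and tell the user when a stop fails, e.g. `if (controlLDAPServer(SC_STOP) != 0) { pdialog.closeDialog(); KMessageBox::error(this, i18n("Unable to stop LDAP server; demotion aborted")); load(); return; }` for each of the three. Separately, `system(TQString("rm -rf %1").arg(TDE_CERTIFICATE_DIR))` passes a build-time path to a shell unquoted and ignores the result; a non-shell recursive delete (`KIO::del` on a local `KURL`, which this file already uses KIO for) avoids the shell and reports errors. The demotion also deletes the CA private key with no prompt to export it first, which the UI this commit adds makes possible one click away.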
@@ -201,8 +270,8 @@ void LDAPController::load() {
if (!thisIsMyMachine) {
ldapRole = "Workstation";
}
- if (ldapRole == "Realm Controller") {
- m_base->systemRole->setCurrentItem(ROLE_REALM_CONTROLLER);
+ if (ldapRole == "Primary Realm Controller") {
+ m_base->systemRole->setCurrentItem(ROLE_PRIMARY_REALM_CONTROLLER);
}
else {
m_base->systemRole->setCurrentItem(ROLE_WORKSTATION);
@@ -219,28 +288,141 @@ void LDAPController::load() {
m_certconfig.commonName = m_systemconfig->readEntry("commonName");
m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress");
+ m_realmconfig = LDAPManager::readTDERealmList(m_systemconfig, !thisIsMyMachine);
+ if (!thisIsMyMachine) {
+ LDAPManager::writeTDERealmList(m_realmconfig, m_systemconfig);
+ }
+
m_systemconfig->setGroup(NULL);
+ m_defaultRealm = m_systemconfig->readEntry("DefaultRealm");
- if (m_base->systemRole->currentItem() == ROLE_REALM_CONTROLLER) {
+ if (m_base->systemRole->currentItem() == ROLE_PRIMARY_REALM_CONTROLLER) {
m_base->groupRealmController->show();
m_base->groupRealmCertificates->show();
- m_base->realmName->setText(m_systemconfig->readEntry("DefaultRealm"));
- m_base->caExpiryString->setText("Expires " + LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE).toString());
- // RAJA FIXME
+ m_base->realmName->setText(m_defaultRealm);
+
+ // Display builtin account and group names, and provide a password reset button for each builtin user (yes, this includes the LDAP admin account!)
+ // FIXME
+ // root account should not be locked to "admin"!
+ // when fixing, please fix the other instance of locked "admin" in realmwizard.cpp ::accept()
+ m_base->ldapRootUser->setText(TQString("cn=%1,").arg("admin") + LDAPManager::ldapdnForRealm(m_defaultRealm));
+
+ TQString realmname = m_defaultRealm.upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "";
+ credentials->password = "";
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+ TQString errorstring;
+ LDAPTDEBuiltinsInfo builtins = ldap_mgr->getTDEBuiltinMappings(&errorstring);
+ delete ldap_mgr;
+ delete credentials;
+
+ m_base->realmAdminUser->setText(LDAPManager::cnFromDn(builtins.builtinRealmAdminAccount));
+ m_base->realmAdminGroup->setText(LDAPManager::cnFromDn(builtins.builtinRealmAdminGroup));
+ m_base->realmMachineAdminGroup->setText(LDAPManager::cnFromDn(builtins.builtinMachineAdminGroup));
+ m_base->realmStandardUserGroup->setText(LDAPManager::cnFromDn(builtins.builtinStandardUserGroup));
+
+ updateCertDisplay();
+ m_certRefreshTimer.start(60*1000);
}
else {
m_base->groupRealmController->hide();
m_base->groupRealmCertificates->hide();
+
+ m_certRefreshTimer.stop();
}
processLockouts();
}
+#define CERT_STATUS_COLOR_ACTIVE TQColor(0, 128, 0)
+#define CERT_STATUS_COLOR_STALE TQColor(128, 64, 0)
+#define CERT_STATUS_COLOR_EXPIRED TQColor(128, 0, 0)
+#define CERT_STATUS_COLOR_NOTFOUND CERT_STATUS_COLOR_EXPIRED
+
+void LDAPController::updateCertDisplay() {
+ TQDateTime certExpiry;
+ TQDateTime now = TQDateTime::currentDateTime();
+ TQDateTime soon = now.addDays(7);
+
+ TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
+ kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc);
+ TQString ldap_certfile = LDAP_CERT_FILE;
+ ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server);
+
+ // Certificate Authority
+ if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
+ certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
+ if (certExpiry >= now) {
+ m_base->caExpiryString->setText("Expires " + certExpiry.toString());
+ if (certExpiry >= soon) {
+ m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE);
+ }
+ else {
+ m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE);
+ }
+ }
+ else {
+ m_base->caExpiryString->setText("Expired " + certExpiry.toString());
+ m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED);
+ }
+ }
+ else {
+ m_base->caExpiryString->setText("File not found");
+ m_base->caExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND);
+ }
+
+ // Kerberos
+ if (TQFile::exists(kdc_certfile)) {
+ certExpiry = LDAPManager::getCertificateExpiration(kdc_certfile);
+ if (certExpiry >= now) {
+ m_base->krbExpiryString->setText("Expires " + certExpiry.toString());
+ if (certExpiry >= soon) {
+ m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE);
+ }
+ else {
+ m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE);
+ }
+ }
+ else {
+ m_base->krbExpiryString->setText("Expired " + certExpiry.toString());
+ m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED);
+ }
+ }
+ else {
+ m_base->krbExpiryString->setText("File not found");
+ m_base->krbExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND);
+ }
+
+ // LDAP
+ if (TQFile::exists(kdc_certfile)) {
+ certExpiry = LDAPManager::getCertificateExpiration(ldap_certfile);
+ if (certExpiry >= now) {
+ m_base->ldapExpiryString->setText("Expires " + certExpiry.toString());
+ if (certExpiry >= soon) {
+ m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_ACTIVE);
+ }
+ else {
+ m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_STALE);
+ }
+ }
+ else {
+ m_base->ldapExpiryString->setText("Expired " + certExpiry.toString());
+ m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_EXPIRED);
+ }
+ }
+ else {
+ m_base->ldapExpiryString->setText("File not found");
+ m_base->ldapExpiryString->setPaletteForegroundColor(CERT_STATUS_COLOR_NOTFOUND);
+ }
+}
+
void LDAPController::btncaRegenerate() {
LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
- TQString realmname = m_systemconfig->readEntry("DefaultRealm").upper();
+ TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
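Review bot: The LDAP block of `updateCertDisplay` tests `TQFile::exists(kdc_certfile)` (a copy-paste of the Kerberos block above it) before reading `ldap_certfile`, so the "LDAP TLS" row reports "File not found" whenever the KDC cert is missing and reads a possibly nonexistent LDAP cert whenever it is present; it should be `if (TQFile::exists(ldap_certfile)) {`. The three CA/Kerberos/LDAP blocks differ only in file path and label and would be less error-prone as one helper, e.g. `void LDAPController::showCertExpiry(const TQString& certfile, TQLabel* label)`. In `load()`, `getTDEBuiltinMappings(&errorstring)` never surfaces `errorstring`, so a failed ldapi:// query leaves the four builtin-name labels silently blank; at least log it. `btncaRegenerate` starts inside this hunk and continues past it.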
@@ -256,7 +438,16 @@ void LDAPController::btncaRegenerate() {
load();
}
-void LDAPController::btncaExport() {
+void LDAPController::btncaExportKey() {
+ KURL src = KERBEROS_PKI_PEMKEY_FILE;
+ KURL dest = KFileDialog::getSaveURL(TQString::null, "*.key|Private Key (*.key)", this, i18n("Select a location to save a copy of the private key..."));
+ if (!dest.isEmpty()) {
+ KIO::CopyJob* job = KIO::copy(src, dest, true);
+ connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*)));
+ }
+}
+
+void LDAPController::btncaExportCert() {
KURL src = KERBEROS_PKI_PEM_FILE;
KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate..."));
if (!dest.isEmpty()) {
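Review bot: `btncaExportKey` copies the realm CA's private key — the file `createRealmCertificates` keeps root-owned at 0600 per the chmod/chown pattern visible later in this diff — to any URL the user picks, unencrypted, with no warning and no control over the mode of the copy; for a non-local destination KIO will not necessarily carry the 0600 over. Put a confirmation in front of the file dialog, e.g. `if (KMessageBox::warningContinueCancel(this, i18n("<qt>You are about to export the realm CA <b>private key</b> unencrypted.<p>Anyone holding this file can issue certificates trusted by every machine in the realm.</qt>"), i18n("Export Private Key")) != KMessageBox::Continue) return;`, and for a local destination apply `S_IRUSR|S_IWUSR` to the written file once the job succeeds. The same applies to `btnkrbExportKey` and `btnldapExportKey` in the next hunk.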
@@ -265,12 +456,165 @@ void LDAPController::btncaExport() {
}
}
+void LDAPController::btnkrbRegenerate() {
+ LDAPManager::generatePublicKerberosCertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
+
+ load();
+}
+
+void LDAPController::btnkrbExportKey() {
+ TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE;
+ kdc_keyfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc);
+
+ KURL src = kdc_keyfile;
+ KURL dest = KFileDialog::getSaveURL(TQString::null, "*.key|Private Key (*.key)", this, i18n("Select a location to save a copy of the private key..."));
+ if (!dest.isEmpty()) {
+ KIO::CopyJob* job = KIO::copy(src, dest, true);
+ connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*)));
+ }
+}
+
+void LDAPController::btnkrbExportCert() {
+ TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
+ kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc);
+
+ KURL src = kdc_certfile;
+ KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate..."));
+ if (!dest.isEmpty()) {
+ KIO::CopyJob* job = KIO::copy(src, dest, true);
+ connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*)));
+ }
+}
+
+void LDAPController::btnldapRegenerate() {
+ struct stat sb;
+ uid_t slapd_uid = 0;
+ gid_t slapd_gid = 0;
+
+ // Get LDAP user uid/gid
+ struct passwd *pwd;
+ pwd = getpwnam(m_ldapUserName);
+ slapd_uid = pwd->pw_uid;
+ slapd_gid = pwd->pw_gid;
+
+ LDAPManager::generatePublicLDAPCertificate(m_certconfig, m_realmconfig[m_defaultRealm], slapd_uid, slapd_gid);
+
+ load();
+}
+
+void LDAPController::btnldapExportKey() {
+ TQString ldap_keyfile = LDAP_CERTKEY_FILE;
+ ldap_keyfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server);
+
+ KURL src = ldap_keyfile;
+ KURL dest = KFileDialog::getSaveURL(TQString::null, "*.key|Private Key (*.key)", this, i18n("Select a location to save a copy of the private key..."));
+ if (!dest.isEmpty()) {
+ KIO::CopyJob* job = KIO::copy(src, dest, true);
+ connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*)));
+ }
+}
+
+void LDAPController::btnldapExportCert() {
+ TQString ldap_certfile = LDAP_CERT_FILE;
+ ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server);
+
+ KURL src = ldap_certfile;
+ KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate..."));
+ if (!dest.isEmpty()) {
+ KIO::CopyJob* job = KIO::copy(src, dest, true);
+ connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*)));
+ }
+}
+
void LDAPController::slotCertCopyResult(KIO::Job* job) {
if (job->error()) {
job->showErrorDialog(this);
}
}
+void LDAPController::btnChangeLDAPRootPassword() {
+ // NOTE
+ // There is (currently) no good way to replace the root password
+ // This convoluted procedure is (currently) the best I can do...
+
+ bool ret = false;
+
+ TQCString rootPassword;
+ int result = KPasswordDialog::getNewPassword(rootPassword, i18n("Please enter the new LDAP root password:"));
+ if (result == KPasswordDialog::Accepted) {
+ SHA1 sha;
+ sha.process(rootPassword, strlen(rootPassword));
+ TQString rootpw_hash = sha.base64Hash();
+
+ TQString oldconfigfilename = "/etc/ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif.bkp").arg(1);
+ TQString newconfigfilename = "/etc/ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(1);
+
+ if (controlLDAPServer(SC_STOP) == 0) {
+ rename(newconfigfilename.ascii(), oldconfigfilename.ascii());
+ TQFile ifile(oldconfigfilename);
+ TQFile ofile(newconfigfilename);
+
+ if (ifile.open(IO_ReadOnly)) {
+ if (ofile.open(IO_WriteOnly)) {
+ TQString line;
+ TQTextStream istream(&ifile);
+ TQTextStream ostream(&ofile);
+ while (!istream.atEnd()) {
+ line = istream.readLine();
+ if (line.startsWith("olcRootPW:")) {
+ ostream << "olcRootPW: {SHA}" << rootpw_hash << "\n";
+ }
+ else {
+ ostream << line << "\n";
+ }
+ }
+ ifile.close();
+ unlink(oldconfigfilename);
+ ofile.close();
+ if (controlLDAPServer(SC_START) == 0) {
+ ret = true;
+ }
+ }
+ else {
+ ifile.close();
+ rename(oldconfigfilename.ascii(), newconfigfilename.ascii());
+ }
+ }
+ else {
+ rename(oldconfigfilename.ascii(), newconfigfilename.ascii());
+ }
+ }
+
+ if (!ret) {
+ KMessageBox::error(0, i18n("<qt>Unable to modify LDAP root password<p>Your LDAP server may now be in an inconsistent or disabled state</qt>"), i18n("Internal Failure"));
+ }
+ }
+}
+
+void LDAPController::btnChangeRealmAdminPassword() {
+ TQCString adminPassword;
+ int result = KPasswordDialog::getNewPassword(adminPassword, i18n("Please enter the new realm administrator password:"));
+ if (result == KPasswordDialog::Accepted) {
+ TQString realmname = m_defaultRealm.upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "";
+ credentials->password = "";
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+ TQString errorstring;
+ LDAPTDEBuiltinsInfo builtins = ldap_mgr->getTDEBuiltinMappings(&errorstring);
+
+ LDAPUserInfo adminuserinfo = ldap_mgr->getUserByDistinguishedName(builtins.builtinRealmAdminAccount);
+ if (adminuserinfo.informationValid) {
+ adminuserinfo.new_password = adminPassword;
+ ldap_mgr->setPasswordForUser(adminuserinfo, &errorstring);
+ }
+
+ delete ldap_mgr;
+ delete credentials;
+ }
+}
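Review bot: In `btnChangeLDAPRootPassword` the rewritten `olcDatabase={1}hdb.ldif` is created by `TQFile::open(IO_WriteOnly)` with the process umask and root ownership, so it does not inherit the mode and owner of the file it replaces; depending on how slapd.d is set up this either leaves the new root-password hash readable to other local users or stops slapd (running as `m_ldapUserName`) from reading its own config, which then surfaces only as the generic "inconsistent or disabled state" error. Copy the original's owner and mode onto the output before writing (below), and close `ofile` before `unlink`ing the `.bkp` copy so the backup survives a failed flush. The stored hash is an unsalted `{SHA}`; OpenLDAP accepts `{SSHA}`, which is preferable if the bundled `SHA1` helper can be given a salt. Separately, `btnldapRegenerate` dereferences `getpwnam(m_ldapUserName)` without a NULL check and will crash if the LDAP service account does not exist — guard it with `if (!pwd) { KMessageBox::error(this, i18n("LDAP user %1 not found").arg(m_ldapUserName)); return; }`.
```cpp
	if (ifile.open(IO_ReadOnly)) {
		if (ofile.open(IO_WriteOnly)) {
			// Keep the original owner and mode: slapd must still be able to read
			// its config, and the new hash must not be exposed via the umask
			struct stat sb;
			if (fstat(ifile.handle(), &sb) == 0) {
				fchmod(ofile.handle(), sb.st_mode & 07777);
				fchown(ofile.handle(), sb.st_uid, sb.st_gid);
			}
			// … unchanged: copy lines, replacing olcRootPW …
			ifile.close();
			ofile.close();
			unlink(oldconfigfilename.ascii());
			// … unchanged: restart slapd …
```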
+
void LDAPController::defaults() {
//
}
@@ -278,6 +622,7 @@ void LDAPController::defaults() {
void LDAPController::save() {
m_systemconfig->setGroup(NULL);
m_systemconfig->writeEntry("EnableLDAP", m_base->systemEnableSupport->isChecked());
+ m_systemconfig->writeEntry("HostFQDN", m_fqdn);
m_systemconfig->writeEntry("LDAPRole", m_base->systemRole->currentText());
// Write cert config
@@ -371,7 +716,6 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
}
ostream << line << "\n";
}
- ifile.close();
ofile.close();
// Set permissions
@@ -383,6 +727,7 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
//KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(outfile), i18n("Internal Failure"));
printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n\r", outfile.ascii()); fflush(stdout);
}
+ ifile.close();
}
else {
//KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
@@ -796,14 +1141,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
chmod(kdc_keyfile.ascii(), S_IRUSR|S_IWUSR);
chown(kdc_keyfile.ascii(), 0, 0);
- command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
- system(command);
- command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE);
- system(command);
- chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- chown(kdc_certfile.ascii(), 0, 0);
- unlink(kdc_reqfile.ascii());
- unlink(OPENSSL_EXTENSIONS_FILE);
+ LDAPManager::generatePublicKerberosCertificate(certinfo, realmconfig);
// LDAP certificate
TQString ldap_certfile = LDAP_CERT_FILE;
@@ -817,13 +1155,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
chmod(ldap_keyfile.ascii(), S_IRUSR|S_IWUSR);
chown(ldap_keyfile.ascii(), ldap_uid, ldap_gid);
- command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmconfig.admin_server).arg(certinfo.emailAddress);
- system(command);
- command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile);
- system(command);
- chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- chown(ldap_certfile.ascii(), ldap_uid, ldap_gid);
- unlink(ldap_reqfile.ascii());
+ LDAPManager::generatePublicLDAPCertificate(certinfo, realmconfig, ldap_uid, ldap_gid);
return 0;
}
@@ -841,6 +1173,8 @@ int LDAPController::uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString*
return -1;
}
+// #define STRICT_SETUP 1
+
int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) {
int ldifSchemaNumber;
@@ -874,21 +1208,27 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
// Stop SASL
if (controlSASLServer(SC_STOP) != 0) {
+#ifdef STRICT_SETUP
if (errstr) *errstr = i18n("Unable to stop SASL server");
pdialog.closeDialog();
return -1;
+#endif // STRICT_SETUP
}
// Stop Heimdal
if (controlHeimdalServer(SC_STOP) != 0) {
+#ifdef STRICT_SETUP
if (errstr) *errstr = i18n("Unable to stop Kerberos server");
pdialog.closeDialog();
return -1;
+#endif // STRICT_SETUP
}
// Stop slapd
if (controlLDAPServer(SC_STOP) != 0) {
+#ifdef STRICT_SETUP
if (errstr) *errstr = i18n("Unable to stop LDAP server");
pdialog.closeDialog();
return -1;
+#endif // STRICT_SETUP
}
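Review bot: With `STRICT_SETUP` left undefined (the `#define` added above is commented out), a failed SASL, Heimdal or slapd stop is now silently ignored and `createNewLDAPRealm` proceeds straight to "Purging existing LDAP database..." while the old daemon may still be running against it. Keep at least a diagnostic in the non-strict path, matching the file's existing style, e.g. `printf("[WARNING] Unable to stop LDAP server, continuing\n"); fflush(stdout);` inside each `#else` branch. The hunk header also shows `configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME` still in effect, which leaves the generated config (including the hashed root password) on disk after setup; worth re-enabling before this ships. `createNewLDAPRealm` starts and ends outside this hunk.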
pdialog.setStatusMessage(i18n("Purging existing LDAP database..."));
@@ -1000,6 +1340,8 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
chmod(TQString(SASL_DEFAULT_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
chmod(TQString(SASL_CONTROL_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ chmod(TQString(OPENSSL_EXTENSIONS_FILE).ascii(), S_IRUSR|S_IWUSR);
+
pdialog.setStatusMessage(i18n("Installing realm certificates..."));
tqApp->processEvents();
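Review bot: The new `chmod(TQString(OPENSSL_EXTENSIONS_FILE).ascii(), S_IRUSR|S_IWUSR)` uses a macro that this same commit removes from ldapcontroller.cpp (the `#define OPENSSL_EXTENSIONS_FILE` deletion near the top of the file), so it only compiles if libtdeldap.h now exports it — presumably where `generatePublicKerberosCertificate` moved, but not visible here. Since that file drives the extensions placed on signed certificates (a writable copy is a path to a `CA:TRUE` leaf), it is also worth checking the return value and ownership, e.g. `if (chmod(...) != 0 || chown(..., 0, 0) != 0) { printf("[INTERNAL FAILURE] Unable to secure %s\n", ...); }` in the file's existing printf style.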
diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h
index d48f00f..da41004 100644
--- a/src/ldapcontroller.h
+++ b/src/ldapcontroller.h
@@ -29,6 +29,7 @@
#include <kglobalsettings.h>
#include <tqpushbutton.h>
#include <tqcombobox.h>
+#include <tqtimer.h>
#include <kio/jobclasses.h>
#include <libtdeldap.h>
@@ -64,11 +65,22 @@ class LDAPController: public KCModule
private slots:
void systemRoleChanged();
void processLockouts();
+ void updateCertDisplay();
void btncaRegenerate();
- void btncaExport();
+ void btncaExportKey();
+ void btncaExportCert();
+ void btnkrbRegenerate();
+ void btnkrbExportKey();
+ void btnkrbExportCert();
+ void btnldapRegenerate();
+ void btnldapExportKey();
+ void btnldapExportCert();
void slotCertCopyResult(KIO::Job*);
+ void btnChangeLDAPRootPassword();
+ void btnChangeRealmAdminPassword();
+
private:
int controlKAdminDaemon(sc_command command);
int controlSASLServer(sc_command command);
@@ -93,6 +105,10 @@ class LDAPController: public KCModule
TQString m_ldapGroupName;
LDAPCertConfig m_certconfig;
+ TQString m_defaultRealm;
+ LDAPRealmConfigList m_realmconfig;
+
+ TQTimer m_certRefreshTimer;
};
#endif // _LDAPCONTROLLER_H_
diff --git a/src/ldapcontrollerconfigbase.ui b/src/ldapcontrollerconfigbase.ui
index 64d4623..6e3bb47 100644
--- a/src/ldapcontrollerconfigbase.ui
+++ b/src/ldapcontrollerconfigbase.ui
@@ -92,6 +92,87 @@
<cstring>realmName</cstring>
</property>
</widget>
+ <widget class="TQLabel" row="1" column="0" colspan="1">
+ <property name="name">
+ <cstring>unnamed</cstring>
+ </property>
+ <property name="text">
+ <cstring>LDAP Root User:</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="1" column="1" colspan="1">
+ <property name="name">
+ <cstring>ldapRootUser</cstring>
+ </property>
+ </widget>
+ <widget class="TQPushButton" row="1" column="2" colspan="1">
+ <property name="name">
+ <cstring>btnChangeLDAPRootPassword</cstring>
+ </property>
+ <property name="text">
+ <cstring>Change Password</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="2" column="0" colspan="1">
+ <property name="name">
+ <cstring>unnamed</cstring>
+ </property>
+ <property name="text">
+ <cstring>Realm Administrative User:</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="2" column="1" colspan="1">
+ <property name="name">
+ <cstring>realmAdminUser</cstring>
+ </property>
+ </widget>
+ <widget class="TQPushButton" row="2" column="2" colspan="1">
+ <property name="name">
+ <cstring>btnChangeRealmAdminPassword</cstring>
+ </property>
+ <property name="text">
+ <cstring>Change Password</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="3" column="0" colspan="1">
+ <property name="name">
+ <cstring>unnamed</cstring>
+ </property>
+ <property name="text">
+ <cstring>Realm Administrative Group:</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="3" column="1" colspan="1">
+ <property name="name">
+ <cstring>realmAdminGroup</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="4" column="0" colspan="1">
+ <property name="name">
+ <cstring>unnamed</cstring>
+ </property>
+ <property name="text">
+ <cstring>Machine Administrative Group:</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="4" column="1" colspan="1">
+ <property name="name">
+ <cstring>realmMachineAdminGroup</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="5" column="0" colspan="1">
+ <property name="name">
+ <cstring>unnamed</cstring>
+ </property>
+ <property name="text">
+ <cstring>Standard User Group:</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="5" column="1" colspan="1">
+ <property name="name">
+ <cstring>realmStandardUserGroup</cstring>
+ </property>
+ </widget>
</grid>
</widget>
<widget class="TQGroupBox" row="2" column="0">
@@ -113,12 +194,12 @@
<cstring>Certificate Authority:</cstring>
</property>
</widget>
- <widget class="TQLabel" row="0" column="1" colspan="1">
+ <widget class="TQLabel" row="1" column="0" colspan="1">
<property name="name">
<cstring>caExpiryString</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="0" column="2" colspan="1">
+ <widget class="TQPushButton" row="0" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>caRegenerate</cstring>
</property>
@@ -126,12 +207,94 @@
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="0" column="3" colspan="1">
+ <widget class="TQPushButton" row="0" column="3" colspan="1" rowspan="2">
+ <property name="name">
+ <cstring>caExportKey</cstring>
+ </property>
+ <property name="text">
+ <cstring>Export Private Key</cstring>
+ </property>
+ </widget>
+ <widget class="TQPushButton" row="0" column="4" colspan="1" rowspan="2">
+ <property name="name">
+ <cstring>caExportCert</cstring>
+ </property>
+ <property name="text">
+ <cstring>Export Public Certificate</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="2" column="0" colspan="1">
+ <property name="name">
+ <cstring>unnamed</cstring>
+ </property>
+ <property name="text">
+ <cstring>Kerberos:</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="3" column="0" colspan="1">
+ <property name="name">
+ <cstring>krbExpiryString</cstring>
+ </property>
+ </widget>
+ <widget class="TQPushButton" row="2" column="2" colspan="1" rowspan="2">
+ <property name="name">
+ <cstring>krbRegenerate</cstring>
+ </property>
+ <property name="text">
+ <cstring>Regenerate Certificate</cstring>
+ </property>
+ </widget>
+ <widget class="TQPushButton" row="2" column="3" colspan="1" rowspan="2">
+ <property name="name">
+ <cstring>krbExportKey</cstring>
+ </property>
+ <property name="text">
+ <cstring>Export Private Key</cstring>
+ </property>
+ </widget>
+ <widget class="TQPushButton" row="2" column="4" colspan="1" rowspan="2">
+ <property name="name">
+ <cstring>krbExportCert</cstring>
+ </property>
+ <property name="text">
+ <cstring>Export Public Certificate</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="4" column="0" colspan="1">
+ <property name="name">
+ <cstring>unnamed</cstring>
+ </property>
+ <property name="text">
+ <cstring>LDAP TLS:</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="5" column="0" colspan="1">
+ <property name="name">
+ <cstring>ldapExpiryString</cstring>
+ </property>
+ </widget>
+ <widget class="TQPushButton" row="4" column="2" colspan="1" rowspan="2">
+ <property name="name">
+ <cstring>ldapRegenerate</cstring>
+ </property>
+ <property name="text">
+ <cstring>Regenerate Certificate</cstring>
+ </property>
+ </widget>
+ <widget class="TQPushButton" row="4" column="3" colspan="1" rowspan="2">
+ <property name="name">
+ <cstring>ldapExportKey</cstring>
+ </property>
+ <property name="text">
+ <cstring>Export Private Key</cstring>
+ </property>
+ </widget>
+ <widget class="TQPushButton" row="4" column="4" colspan="1" rowspan="2">
<property name="name">
- <cstring>caExport</cstring>
+ <cstring>ldapExportCert</cstring>
</property>
<property name="text">
- <cstring>Export Certificate</cstring>
+ <cstring>Export Public Certificate</cstring>
</property>
</widget>
</grid>
diff --git a/src/realmwizard.cpp b/src/realmwizard.cpp
index 95bd931..f2a7760 100644
--- a/src/realmwizard.cpp
+++ b/src/realmwizard.cpp
@@ -239,8 +239,9 @@ void RealmWizard::accept() {
// Try to create realm
TQString errorString;
- // RAJA FIXME
+ // FIXME
// root account should not be locked to "admin"!
+ // when fixing, please fix the other instance of locked "admin" in ldapcontroller.cpp ::load()
backButton()->setEnabled(false);
nextButton()->setEnabled(false);
finishButton()->setEnabled(false);