Allow certificate expiry to be set

author: Timothy Pearson <kb9vqf@pearsoncomputing.net> 2015-08-25 11:13:14 -0500
committer: Timothy Pearson <kb9vqf@pearsoncomputing.net> 2015-08-25 11:13:14 -0500
commit: d6f004658dac16c19a6e4a6109b93b5b52adddc0 (patch)
tree: a37dc7f4df2a2460ddc93863a763eb91ad295a13
parent: f4afc1290d29af023cef891b361cb34e11d229d8 (diff)
download: libtdeldap-d6f00465.tar.gz
libtdeldap-d6f00465.zip
2 files changed, 45 insertions, 4 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 0e551b4..f009297 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -2658,7 +2658,6 @@ int LDAPManager::writeCertificateFileIntoDirectory(TQByteArray cert, TQString at
 
 TQString LDAPManager::getRealmCAMaster(TQString* errstr) {
 	int retcode;
-	int i;
 	TQString realmCAMaster;
 
 	TQString dn = TQString("cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1").arg(m_basedc);
@@ -3743,6 +3742,8 @@ LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool di
 }
 
 int LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config, TQString *errstr) {
+	Q_UNUSED(errstr)
+
 	LDAPRealmConfigList::Iterator it;
 	for (it = realms.begin(); it != realms.end(); ++it) {
 		LDAPRealmConfig realmcfg = it.data();
@@ -3805,8 +3806,9 @@ TQDateTime LDAPManager::getCertificateExpiration(TQString certfile) {
 int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) {
 	TQString command;
 	TQString subject;
+
 	subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
-	command = TQString("openssl req -days %1 -key %2 -new -x509 -out %3 -subj %4").arg(KERBEROS_PKI_PEMKEY_EXPIRY_DAYS).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(subject);
+	command = TQString("openssl req -days %1 -key %2 -new -x509 -out %3 -subj %4").arg(certinfo.caExpiryDays).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(subject);
 	if (system(command) < 0) {
 		printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
 		return -1;
@@ -3825,6 +3827,7 @@ int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) {
 
 int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg) {
 	TQString command;
+	TQString subject;
 
 	TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
 	TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE;
@@ -3833,7 +3836,8 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP
 	kdc_keyfile.replace("@@@KDCSERVER@@@", realmcfg.name.lower());
 	kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.name.lower());
 
-	command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
+	subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
+	command = TQString("openssl req -days %1 -new -out %2 -key %3 -subj %4").arg(certinfo.kerberosExpiryDays).arg(kdc_reqfile).arg(kdc_keyfile).arg(subject);
 	if (system(command) < 0) {
 		printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
 		return -1;
@@ -3863,6 +3867,7 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP
 
 int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid) {
 	TQString command;
+	TQString subject;
 
 	TQString ldap_certfile = LDAP_CERT_FILE;
 	TQString ldap_keyfile = LDAP_CERTKEY_FILE;
@@ -3871,7 +3876,8 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal
 	ldap_keyfile.replace("@@@ADMINSERVER@@@", realmcfg.name.lower());
 	ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.name.lower());
 
-	command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress);
+	subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
+	command = TQString("openssl req -days %1 -new -out %2 -key %3 -subj %4").arg(certinfo.ldapExpiryDays).arg(ldap_reqfile).arg(ldap_keyfile).arg(subject);
 	if (system(command) < 0) {
 		printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
 		return -1;
@@ -3957,6 +3963,8 @@ LDAPClientRealmConfig LDAPManager::loadClientRealmConfig(KSimpleConfig* config,
 }
 
 int LDAPManager::saveClientRealmConfig(LDAPClientRealmConfig clientRealmConfig, KSimpleConfig* config, TQString *errstr) {
+	Q_UNUSED(errstr)
+
 	config->setGroup(NULL);
 	config->writeEntry("EnableLDAP", clientRealmConfig.enable_bonding);
 	config->writeEntry("HostFQDN", clientRealmConfig.hostFQDN);
@@ -4030,6 +4038,11 @@ int LDAPManager::writeClientKrb5ConfFile(LDAPClientRealmConfig clientRealmConfig
 
 		file.close();
 	}
+	else {
+		if (errstr) {
+			*errstr = i18n("Could not open file '%1' for writing").arg(file.name());
+		}
+	}
 
 	return 0;
 }
@@ -4058,6 +4071,11 @@ int LDAPManager::writeNSSwitchFile(TQString *errstr) {
 
 		file.close();
 	}
+	else {
+		if (errstr) {
+			*errstr = i18n("Could not open file '%1' for writing").arg(file.name());
+		}
+	}
 
 	return 0;
 }
@@ -4076,6 +4094,11 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
 
 		file.close();
 	}
+	else {
+		if (errstr) {
+			*errstr = i18n("Could not open file '%1' for writing").arg(file.name());
+		}
+	}
 
 	TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH);
 	if (file2.open(IO_WriteOnly)) {
@@ -4095,6 +4118,11 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
 
 		file2.close();
 	}
+	else {
+		if (errstr) {
+			*errstr = i18n("Could not open file '%1' for writing").arg(file2.name());
+		}
+	}
 
 	TQFile file3(PAMD_DIRECTORY PAMD_COMMON_SESSION);
 	if (file3.open(IO_WriteOnly)) {
@@ -4126,6 +4154,11 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
 
 		file3.close();
 	}
+	else {
+		if (errstr) {
+			*errstr = i18n("Could not open file '%1' for writing").arg(file3.name());
+		}
+	}
 
 	return 0;
 }
diff --git a/src/libtdeldap.h b/src/libtdeldap.h
index a1573c7..09db75d 100644
--- a/src/libtdeldap.h
+++ b/src/libtdeldap.h
@@ -65,6 +65,10 @@
 // 1 year
 #define KERBEROS_PKI_PEMKEY_EXPIRY_DAYS 365
 
+// 1 month
+#define KERBEROS_PKI_KRB_EXPIRY_DAYS 30
+#define KERBEROS_PKI_LDAP_EXPIRY_DAYS 30
+
 // Values from hdb.asn1
 enum LDAPKRB5Flags {
 	KRB5_INITIAL			= 0x00000001,
@@ -190,6 +194,10 @@ class LDAPCertConfig
 		TQString provided_ldap_crt;
 		TQString provided_ldap_key;
 
+		int caExpiryDays;
+		int kerberosExpiryDays;
+		int ldapExpiryDays;
+
 		TQString countryName;
 		TQString stateOrProvinceName;
 		TQString localityName;
author	Timothy Pearson <kb9vqf@pearsoncomputing.net>	2015-08-25 11:13:14 -0500
committer	Timothy Pearson <kb9vqf@pearsoncomputing.net>	2015-08-25 11:13:14 -0500
commit	d6f004658dac16c19a6e4a6109b93b5b52adddc0 (patch)
tree	a37dc7f4df2a2460ddc93863a763eb91ad295a13
parent	f4afc1290d29af023cef891b361cb34e11d229d8 (diff)
download	libtdeldap-d6f00465.tar.gz libtdeldap-d6f00465.zip