Browse Source

Add new certificate updater daemon

Move core code to libtdeldap
tags/r14.0.0
Timothy Pearson 6 years ago
parent
commit
f6459b7985
5 changed files with 299 additions and 204 deletions
  1. 10
    0
      cert-updater/Makefile.am
  2. 211
    0
      cert-updater/main.cpp
  3. 74
    190
      src/ldapbonding.cpp
  4. 3
    14
      src/ldapbonding.h
  5. 1
    0
      subdirs

+ 10
- 0
cert-updater/Makefile.am View File

@@ -0,0 +1,10 @@
INCLUDES= $(all_includes) $(KDE_INCLUDES)/tde

bin_PROGRAMS = tdeldapcertupdater

tdeldapcertupdater_SOURCES = main.cpp

tdeldapcertupdater_METASOURCES = AUTO
tdeldapcertupdater_LDFLAGS = $(all_libraries) $(KDE_RPATH) $(LIB_QT) -lDCOP $(LIB_TDECORE) $(LIB_TDEUI) -ltdefx $(LIB_KIO) -ltdetexteditor -ltdeldap

KDE_OPTIONS = nofinal

+ 211
- 0
cert-updater/main.cpp View File

@@ -0,0 +1,211 @@
/***************************************************************************
* Copyright (C) 2013 by Timothy Pearson *
* kb9vqf@pearsoncomputing.net *
* *
* This program is free software; you can redistribute it and/or modify *
* it under the terms of the GNU General Public License as published by *
* the Free Software Foundation; either version 2 of the License, or *
* (at your option) any later version. *
* *
* This program is distributed in the hope that it will be useful, *
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
* GNU General Public License for more details. *
* *
* You should have received a copy of the GNU General Public License *
* along with this program; if not, write to the *
* Free Software Foundation, Inc., *
* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
***************************************************************************/

#include <stdlib.h>
#include <csignal>

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <netdb.h>
#include <pwd.h>

#include <tdeapplication.h>
#include <tdestartupinfo.h>
#include <tdecmdlineargs.h>
#include <tdeaboutdata.h>

#include <ksimpleconfig.h>

#include <tqdatetime.h>
#include <tqfile.h>
#include <tqdir.h>

#include <libtdeldap.h>

// FIXME
// Connect this to CMake/Automake
#define KDE_CONFDIR "/etc/trinity"

static const char description[] =
I18N_NOOP("TDE utility for updating realm certificates");

static const char version[] = "v0.0.1";

bool received_sighup = false;

void signalHandler(int signum)
{
printf("[INFO] Got signal %d\n\r", signum);
if (signum == SIGHUP) {
received_sighup = true;
}
else if (signum == SIGTERM) {
unlink(TDE_LDAP_CERT_UPDATER_PID_FILE);
exit(0);
}
else if (signum == SIGINT) {
unlink(TDE_LDAP_CERT_UPDATER_PID_FILE);
exit(0);
}
}

int get_certificate_from_server(TQString certificateName, LDAPRealmConfig realmcfg)
{
int retcode = 0;
TQString errorstring;

// Bind anonymously to LDAP
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
credentials->realm = realmcfg.name.upper();
credentials->use_tls = false;
LDAPManager* ldap_mgr = new LDAPManager(realmcfg.name.upper(), TQString("ldap://%1").arg(realmcfg.admin_server).ascii(), credentials);

// Add the domain-wide computer local admin group to local sudoers
ldap_mgr->writeSudoersConfFile(&errorstring);

// Get and install the CA root certificate from LDAP
printf("[INFO] Updating certificate %s from LDAP\n\r", certificateName.ascii());
if (ldap_mgr->getTDECertificate("publicRootCertificate", certificateName, &errorstring) != 0) {
printf("[ERROR] Unable to obtain root certificate for realm %s: %s", realmcfg.name.upper().ascii(), errorstring.ascii());
retcode = 1;
}

delete ldap_mgr;
delete credentials;

return retcode;
}

int main(int argc, char *argv[])
{
// Register signal handler for SIGHUP
signal(SIGHUP, signalHandler);
// Register signal handler for SIGINT
signal(SIGINT, signalHandler);
// Register signal handler for SIGTERM
signal(SIGTERM, signalHandler);

TQDir pidDir(TDE_LDAP_PID_DIR);
if (!pidDir.exists()) {
mkdir(TDE_LDAP_PID_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
}
TQFile pidFile(TDE_LDAP_CERT_UPDATER_PID_FILE);
if (pidFile.open(IO_WriteOnly)) {
TQTextStream stream(&pidFile);
stream << getpid();
pidFile.close();
}

// Seed random number generator
struct timeval time;
gettimeofday(&time,NULL);
srand((time.tv_sec * 1000) + (time.tv_usec / 1000));

// Initialize TDE application libraries
TDEAboutData aboutData( "tdeldapcertupdater", I18N_NOOP("Realm Certificate Updater"),
version, description, TDEAboutData::License_GPL,
"(c) 2013, Timothy Pearson");
aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
TDECmdLineArgs::init( argc, argv, &aboutData );
TDEApplication::disableAutoDcopRegistration();

TDEApplication app(false, false);

TDEStartupInfo::appStarted();

//======================================================================================================================================================
//
// Updater code follows
//
//======================================================================================================================================================

KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
LDAPRealmConfigList realms = LDAPManager::readTDERealmList(systemconfig, false);
TQString m_defaultRealm = systemconfig->readEntry("DefaultRealm");

int prevSecondsToExpiry = (7*24*60*60);

while (1) {
bool allDownloadsOK = true;
TQDateTime now = TQDateTime::currentDateTime();
TQDateTime earliestCertExpiry = now.addDays(14); // Recheck every 7 days regardless of last expiry check results

LDAPRealmConfigList::Iterator it;
for (it = realms.begin(); it != realms.end(); ++it) {
LDAPRealmConfig realmcfg = it.data();
TQString certificateName = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crt";

TQDateTime certExpiry;
TQDateTime soon = now.addDays(7); // Keep in sync with src/ldapcontroller.cpp

if (TQFile::exists(certificateName)) {
certExpiry = LDAPManager::getCertificateExpiration(certificateName);
if (certExpiry >= now) {
printf("[INFO] Certificate %s expires %s\n\r", certificateName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
if (get_certificate_from_server(certificateName, realmcfg) != 0) {
allDownloadsOK = false;
}
}
if (certExpiry < earliestCertExpiry) {
earliestCertExpiry = certExpiry;
}
}
else {
mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
if (get_certificate_from_server(certificateName, realmcfg) != 0) {
allDownloadsOK = false;
}
}
}

earliestCertExpiry = earliestCertExpiry.addDays(-7); // Keep in sync with now.addDays above (use negative of value given above)
int secondsToExpiry = now.secsTo(earliestCertExpiry);
secondsToExpiry = secondsToExpiry + (rand()%(5*60)); // Nothing worse than thousands of clients hammering the LDAP server all at once...
if (secondsToExpiry < 1) {
secondsToExpiry = 1;
}
if ((prevSecondsToExpiry == 1) && (allDownloadsOK)) {
// The server has not yet updated its certificate, even though our copy is close to expiration
// Therefore, do not hammer the server with useless requests!
prevSecondsToExpiry = (15*60) + (rand()%(5*60));
}
prevSecondsToExpiry = secondsToExpiry;
printf("[INFO] Will recheck certificates in %d seconds (%d days)\n\r", secondsToExpiry, secondsToExpiry/60/60/24); fflush(stdout);
if (sleep(secondsToExpiry) != 0) {
// Signal caught
if (!received_sighup) {
break;
}
}
}

unlink(TDE_LDAP_CERT_UPDATER_PID_FILE);

//======================================================================================================================================================

return 0;
}

+ 74
- 190
src/ldapbonding.cpp View File

@@ -1,5 +1,5 @@
/***************************************************************************
* Copyright (C) 2012 by Timothy Pearson *
* Copyright (C) 2012-2013 by Timothy Pearson *
* kb9vqf@pearsoncomputing.net *
* *
* This program is free software; you can redistribute it and/or modify *
@@ -18,6 +18,9 @@
* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
***************************************************************************/

#include <sys/types.h>
#include <signal.h>

#include <tqlayout.h>

#include <tdelocale.h>
@@ -49,11 +52,6 @@
// FIXME
// Connect this to CMake/Automake
#define KDE_CONFDIR "/etc/trinity"
#define KRB5_FILE "/etc/krb5.conf"
#define NSSWITCH_FILE "/etc/nsswitch.conf"
#define PAMD_DIRECTORY "/etc/pam.d/"
#define PAMD_COMMON_ACCOUNT "common-account"
#define PAMD_COMMON_AUTH "common-auth"

typedef KGenericFactory<LDAPConfig, TQWidget> ldapFactory;

@@ -71,7 +69,7 @@ LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&)
TDEAboutData* about = new TDEAboutData("ldap", I18N_NOOP("TDE LDAP Manager"), "0.1",
I18N_NOOP("TDE LDAP Manager Control Panel Module"),
TDEAboutData::License_GPL,
I18N_NOOP("(c) 2012 Timothy Pearson"), 0, 0);
I18N_NOOP("(c) 2012-2013 Timothy Pearson"), 0, 0);
about->addAuthor("Timothy Pearson", 0, "kb9vqf@pearsoncomputing.net");
setAboutData( about );
@@ -103,17 +101,16 @@ LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&)
connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed()));

m_fqdn = LDAPManager::getMachineFQDN();
hostFQDN = LDAPManager::getMachineFQDN();
base->hostFQDN->setEnabled(false);
base->hostFQDN->clear();
base->hostFQDN->insertItem(m_fqdn);
base->hostFQDN->insertItem(hostFQDN);

load();

systemconfig->setGroup(NULL);
TQString ldapRole = systemconfig->readEntry("LDAPRole", "Workstation");

if ((getuid() != 0) || (!systemconfig->checkConfigFilesWritable( true )) || (ldapRole != "Workstation")) {
if ((getuid() != 0) || (!systemconfig->checkConfigFilesWritable( true )) || (m_clientRealmConfig.ldapRole != "Workstation")) {
base->systemEnableSupport->setEnabled(false);
}

@@ -133,51 +130,33 @@ void LDAPConfig::load() {
void LDAPConfig::load(bool useDefaults )
{
int i;
bool thisIsMyMachine;

//Update the toggle buttons with the current configuration
systemconfig->setReadDefaults( useDefaults );
systemconfig->setGroup(NULL);
base->systemEnableSupport->setChecked(systemconfig->readBoolEntry("EnableLDAP", false));
m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null);
m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400);
if (m_fqdn == systemconfig->readEntry("HostFQDN", "")) {
thisIsMyMachine = true;
}
else {
thisIsMyMachine = false;
}
m_clientRealmConfig = LDAPManager::loadClientRealmConfig(systemconfig, useDefaults);

m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3);
m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2);
m_bindPolicy = systemconfig->readEntry("ConnectionBindPolicy", "soft");
m_ldapBindTimeout = systemconfig->readNumEntry("ConnectionBindTimeout", 2);
m_passwordHash = systemconfig->readEntry("ConnectionPasswordHash", "exop");
m_ignoredUsers = systemconfig->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST);
base->systemEnableSupport->setChecked(m_clientRealmConfig.enable_bonding);
// Load realms
m_realms.clear();
m_realms = LDAPManager::readTDERealmList(systemconfig, !thisIsMyMachine);
m_realms = LDAPManager::readTDERealmList(systemconfig, !m_clientRealmConfig.configurationVerifiedForLocalMachine);

base->ticketLifetime->setValue(m_ticketLifetime);
base->ticketLifetime->setValue(m_clientRealmConfig.ticketLifetime);

base->ldapVersion->setValue(m_ldapVersion);
base->ldapTimeout->setValue(m_ldapTimeout);
base->ldapVersion->setValue(m_clientRealmConfig.ldapVersion);
base->ldapTimeout->setValue(m_clientRealmConfig.ldapTimeout);
for (i=0; i<base->bindPolicy->count(); i++) {
if (base->bindPolicy->text(i).lower() == m_defaultRealm.lower()) {
if (base->bindPolicy->text(i).lower() == m_clientRealmConfig.defaultRealm.lower()) {
base->bindPolicy->setCurrentItem(i);
break;
}
}
base->ldapBindTimeout->setValue(m_ldapBindTimeout);
base->ldapBindTimeout->setValue(m_clientRealmConfig.ldapBindTimeout);
for (i=0; i<base->passwordHash->count(); i++) {
if (base->passwordHash->text(i).lower() == m_passwordHash.lower()) {
if (base->passwordHash->text(i).lower() == m_clientRealmConfig.passwordHash.lower()) {
base->passwordHash->setCurrentItem(i);
break;
}
}
base->ignoredUsers->setText(m_ignoredUsers);
base->ignoredUsers->setText(m_clientRealmConfig.ignoredUsers);

updateRealmList();

@@ -195,9 +174,9 @@ void LDAPConfig::updateRealmList() {
(void)new TQListViewItem(base->ldapRealmList, ((realmcfg.bonded)?i18n("Bonded"):i18n("Deactivated")), realmcfg.name);
base->defaultRealm->insertItem(realmcfg.name);
}
if (m_defaultRealm != "") {
if (m_clientRealmConfig.defaultRealm != "") {
for (int i=0; i<base->defaultRealm->count(); i++) {
if (base->defaultRealm->text(i) == m_defaultRealm) {
if (base->defaultRealm->text(i) == m_clientRealmConfig.defaultRealm) {
base->defaultRealm->setCurrentItem(i);
break;
}
@@ -213,71 +192,87 @@ void LDAPConfig::defaults() {
void LDAPConfig::save() {
TQString errorstring;

m_clientRealmConfig.hostFQDN = hostFQDN;

m_clientRealmConfig.enable_bonding = base->systemEnableSupport->isChecked();
m_clientRealmConfig.defaultRealm = base->defaultRealm->currentText();
m_clientRealmConfig.ticketLifetime = base->ticketLifetime->value();

m_clientRealmConfig.ldapVersion = base->ldapVersion->value();
m_clientRealmConfig.ldapTimeout = base->ldapTimeout->value();
m_clientRealmConfig.bindPolicy = base->bindPolicy->currentText();
m_clientRealmConfig.ldapBindTimeout = base->ldapBindTimeout->value();
m_clientRealmConfig.passwordHash = base->passwordHash->currentText();
m_clientRealmConfig.ignoredUsers = base->ignoredUsers->text();

// Write system configuration
systemconfig->setGroup(NULL);
systemconfig->writeEntry("EnableLDAP", base->systemEnableSupport->isChecked());
systemconfig->writeEntry("HostFQDN", m_fqdn);
m_defaultRealm = base->defaultRealm->currentText();
m_ticketLifetime = base->ticketLifetime->value();

m_ldapVersion = base->ldapVersion->value();
m_ldapTimeout = base->ldapTimeout->value();
m_bindPolicy = base->bindPolicy->currentText();
m_ldapBindTimeout = base->ldapBindTimeout->value();
m_passwordHash = base->passwordHash->currentText();
m_ignoredUsers = base->ignoredUsers->text();

if (m_defaultRealm != "") {
systemconfig->writeEntry("DefaultRealm", m_defaultRealm);
}
else {
systemconfig->deleteEntry("DefaultRealm");
if (LDAPManager::saveClientRealmConfig(m_clientRealmConfig, systemconfig, &errorstring) != 0) {
KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
return;
}
systemconfig->writeEntry("TicketLifetime", m_ticketLifetime);

systemconfig->writeEntry("ConnectionLDAPVersion", m_ldapVersion);
systemconfig->writeEntry("ConnectionLDAPTimeout", m_ldapTimeout);
systemconfig->writeEntry("ConnectionBindPolicy", m_bindPolicy);
systemconfig->writeEntry("ConnectionBindTimeout", m_ldapBindTimeout);
systemconfig->writeEntry("ConnectionPasswordHash", m_passwordHash);
systemconfig->writeEntry("ConnectionIgnoredUsers", m_ignoredUsers);

LDAPManager::writeTDERealmList(m_realms, systemconfig);
systemconfig->sync();

if (base->systemEnableSupport->isChecked()) {
if (m_clientRealmConfig.enable_bonding) {
// Write the Kerberos5 configuration file
writeKrb5ConfFile();
if (LDAPManager::writeClientKrb5ConfFile(m_clientRealmConfig, m_realms, &errorstring) != 0) {
KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
return;
}
// Write the LDAP configuration file
writeLDAPConfFile();
if (LDAPManager::writeLDAPConfFile(m_realms[m_clientRealmConfig.defaultRealm], &errorstring) != 0) {
KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
return;
}
// Write the NSSwitch configuration file
writeNSSwitchFile();
if (LDAPManager::writeNSSwitchFile(&errorstring) != 0) {
KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
return;
}
// Write the PAM configuration files
writePAMFiles();
if (LDAPManager::writePAMFiles(&errorstring) != 0) {
KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
return;
}
// Write the cron files
LDAPManager::writeCronFiles();
if (LDAPManager::writeClientCronFiles() != 0) {
KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
return;
}

if (m_defaultRealm != "") {
if (m_clientRealmConfig.defaultRealm != "") {
// Bind anonymously to LDAP
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
credentials->password = "";
credentials->realm = m_defaultRealm.upper();
credentials->realm = m_clientRealmConfig.defaultRealm.upper();
credentials->use_tls = false;
LDAPManager* ldap_mgr = new LDAPManager(m_defaultRealm.upper(), TQString("ldap://%1").arg(m_realms[m_defaultRealm].admin_server).ascii(), credentials);
LDAPManager* ldap_mgr = new LDAPManager(m_clientRealmConfig.defaultRealm.upper(), TQString("ldap://%1").arg(m_realms[m_clientRealmConfig.defaultRealm].admin_server).ascii(), credentials);
// Add the domain-wide computer local admin group to local sudoers
ldap_mgr->writeSudoersConfFile(&errorstring);

// Get and install the CA root certificate from LDAP
mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PUBLICDIR + m_realms[m_defaultRealm].admin_server + ".ldap.crt", &errorstring) != 0) {
KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root certificate for realm %1!</b><p>Details: %2</qt>").arg(m_defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain Certificate"));
if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PUBLICDIR + m_realms[m_clientRealmConfig.defaultRealm].admin_server + ".ldap.crt", &errorstring) != 0) {
KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root certificate for realm %1!</b><p>Details: %2</qt>").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain Certificate"));
}
delete ldap_mgr;
delete credentials;
}

// Certificates may have changed; force the certificate update daemon to reload its configuration
pid_t certUpdaterPID;
TQFile pidFile(TDE_LDAP_CERT_UPDATER_PID_FILE);
if (pidFile.open(IO_ReadOnly)) {
TQTextStream stream(&pidFile);
stream >> certUpdaterPID;
pidFile.close();
kill(certUpdaterPID, SIGHUP);
}
}

load();
@@ -339,7 +334,7 @@ void LDAPConfig::reBondToRealm() {
passdlg.m_base->ldapAdminRealm->setText(realmName);
if (passdlg.exec() == TQDialog::Accepted) {
setEnabled(false);
if (LDAPManager::bondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) {
if (LDAPManager::bondRealm(passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) {
// Success!
realmcfg.bonded = true;
m_realms.remove(realmName);
@@ -406,117 +401,6 @@ void LDAPConfig::realmProperties() {
}
}

void LDAPConfig::writeKrb5ConfFile() {
TQFile file(KRB5_FILE);
if (file.open(IO_WriteOnly)) {
TQTextStream stream( &file );

stream << "# This file was automatically generated by TDE\n";
stream << "# All changes will be lost!\n";
stream << "\n";

// Defaults
stream << "[libdefaults]\n";
stream << " ticket_lifetime = " << m_ticketLifetime << "\n";
if (m_defaultRealm != "") {
stream << " default_realm = " << m_defaultRealm << "\n";
}
stream << "\n";

// Realms
stream << "[realms]\n";
LDAPRealmConfigList::Iterator it;
for (it = m_realms.begin(); it != m_realms.end(); ++it) {
LDAPRealmConfig realmcfg = it.data();
stream << " " << realmcfg.name << " = {\n";
stream << " kdc = " << realmcfg.kdc << ":" << realmcfg.kdc_port << "\n";
stream << " admin_server = " << realmcfg.admin_server << ":" << realmcfg.admin_server_port << "\n";
stream << " pkinit_require_eku = " << (realmcfg.pkinit_require_eku?"true":"false") << "\n";
stream << " pkinit_require_krbtgt_otherName = " << (realmcfg.pkinit_require_krbtgt_otherName?"true":"false") << "\n";
stream << " win2k_pkinit = " << (realmcfg.win2k_pkinit?"yes":"no") << "\n";
stream << " win2k_pkinit_require_binding = " << (realmcfg.win2k_pkinit_require_binding?"yes":"no") << "\n";
stream << " }\n";
}
stream << "\n";

// Domain aliases
stream << "[domain_realm]\n";
LDAPRealmConfigList::Iterator it2;
for (it2 = m_realms.begin(); it2 != m_realms.end(); ++it2) {
LDAPRealmConfig realmcfg = it2.data();
TQStringList domains = realmcfg.domain_mappings;
for (TQStringList::Iterator it3 = domains.begin(); it3 != domains.end(); ++it3 ) {
stream << " " << *it3 << " = " << realmcfg.name << "\n";
}
}

file.close();
}
}

void LDAPConfig::writeLDAPConfFile() {
LDAPManager::writeLDAPConfFile(m_realms[m_defaultRealm]);
}

void LDAPConfig::writeNSSwitchFile() {
TQFile file(NSSWITCH_FILE);
if (file.open(IO_WriteOnly)) {
TQTextStream stream( &file );

stream << "# This file was automatically generated by TDE\n";
stream << "# All changes will be lost!\n";
stream << "\n";
stream << "passwd: files ldap [NOTFOUND=return] db" << "\n";
stream << "group: files ldap [NOTFOUND=return] db" << "\n";
stream << "shadow: files ldap [NOTFOUND=return] db" << "\n";
stream << "\n";
stream << "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4" << "\n";
stream << "networks: files" << "\n";
stream << "\n";
stream << "protocols: db files" << "\n";
stream << "services: db files" << "\n";
stream << "ethers: db files" << "\n";
stream << "rpc: db files" << "\n";
stream << "\n";
stream << "netgroup: nis" << "\n";

file.close();
}
}

void LDAPConfig::writePAMFiles() {
TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT);
if (file.open(IO_WriteOnly)) {
TQTextStream stream( &file );

stream << "# This file was automatically generated by TDE\n";
stream << "# All changes will be lost!\n";
stream << "\n";
stream << "account sufficient pam_unix.so nullok_secure" << "\n";
stream << "account sufficient pam_ldap.so" << "\n";
stream << "account required pam_permit.so" << "\n";

file.close();
}

TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH);
if (file2.open(IO_WriteOnly)) {
TQTextStream stream( &file2 );

stream << "# This file was automatically generated by TDE\n";
stream << "# All changes will be lost!\n";
stream << "\n";
stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n";
stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
stream << "auth required pam_deny.so" << "\n";

file2.close();
}
}

int LDAPConfig::buttons() {
return TDECModule::Apply|TDECModule::Help;
}

+ 3
- 14
src/ldapbonding.h View File

@@ -1,5 +1,5 @@
/***************************************************************************
* Copyright (C) 2012 by Timothy Pearson *
* Copyright (C) 2012-2013 by Timothy Pearson *
* kb9vqf@pearsoncomputing.net *
* *
* This program is free software; you can redistribute it and/or modify *
@@ -65,26 +65,15 @@ class LDAPConfig: public TDECModule

private:
void updateRealmList();
void writeKrb5ConfFile();
void writeLDAPConfFile();
void writeNSSwitchFile();
void writePAMFiles();

private:
TDEAboutData *myAboutData;
TDEGlobalSettings *kgs;
LDAPConfigBase *base;
LDAPRealmConfigList m_realms;
TQString m_fqdn;
TQString m_defaultRealm;
int m_ticketLifetime;
LDAPClientRealmConfig m_clientRealmConfig;

int m_ldapVersion;
int m_ldapTimeout;
TQString m_bindPolicy;
int m_ldapBindTimeout;
TQString m_passwordHash;
TQString m_ignoredUsers;
TQString hostFQDN;
};

#endif // _KCMLDAP_H_

+ 1
- 0
subdirs View File

@@ -1,3 +1,4 @@
cert-updater
cmdline
doc
pics

Loading…
Cancel
Save