
Add new certificate updater daemon

Move core code to libtdeldap
tags/r14.0.0
Timothy Pearson 6 years ago
parent
commit
f6459b7985
5 changed files with 299 additions and 204 deletions
  1. 10
    0
      cert-updater/Makefile.am
  2. 211
    0
      cert-updater/main.cpp
  3. 74
    190
      src/ldapbonding.cpp
  4. 3
    14
      src/ldapbonding.h
  5. 1
    0
      subdirs

+ 10
- 0
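--- a/cert-updater/Makefile.am
+++ b/cert-updater/Makefile.am
@@ -0,0 +1,10 @@
+INCLUDES= $(all_includes) $(KDE_INCLUDES)/tde
+
+bin_PROGRAMS = tdeldapcertupdater
+
+tdeldapcertupdater_SOURCES = main.cpp
+
+tdeldapcertupdater_METASOURCES = AUTO
+tdeldapcertupdater_LDFLAGS = $(all_libraries) $(KDE_RPATH) $(LIB_QT) -lDCOP $(LIB_TDECORE) $(LIB_TDEUI) -ltdefx $(LIB_KIO) -ltdetexteditor -ltdeldap
+
+KDE_OPTIONS = nofinal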

+ 211
- 0
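--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -0,0 +1,211 @@
+/***************************************************************************
+ *   Copyright (C) 2013 by Timothy Pearson                                 *
+ *   kb9vqf@pearsoncomputing.net                                           *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                                   *
+ *                                                                         *
+ *   This program is distributed in the hope that it will be useful,       *
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
+ *   GNU General Public License for more details.                          *
+ *                                                                         *
+ *   You should have received a copy of the GNU General Public License     *
+ *   along with this program; if not, write to the                         *
+ *   Free Software Foundation, Inc.,                                       *
+ *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
+ ***************************************************************************/
+
+#include <stdlib.h>
+#include <csignal>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <netdb.h>
+#include <pwd.h>
+
+#include <tdeapplication.h>
+#include <tdestartupinfo.h>
+#include <tdecmdlineargs.h>
+#include <tdeaboutdata.h>
+
+#include <ksimpleconfig.h>
+
+#include <tqdatetime.h>
+#include <tqfile.h>
+#include <tqdir.h>
+
+#include <libtdeldap.h>
+
+// FIXME
+// Connect this to CMake/Automake
+#define KDE_CONFDIR "/etc/trinity"
+
+static const char description[] =
+	I18N_NOOP("TDE utility for updating realm certificates");
+
+static const char version[] = "v0.0.1";
+
+bool received_sighup = false;
+
+void signalHandler(int signum)
+{
+	printf("[INFO] Got signal %d\n\r", signum);
+	if (signum == SIGHUP) {
+		received_sighup = true;
+	}
+	else if (signum == SIGTERM) {
+		unlink(TDE_LDAP_CERT_UPDATER_PID_FILE);
+		exit(0);
+	}
+	else if (signum == SIGINT) {
+		unlink(TDE_LDAP_CERT_UPDATER_PID_FILE);
+		exit(0);
+	}
+}
+
+int get_certificate_from_server(TQString certificateName, LDAPRealmConfig realmcfg)
+{
+	int retcode = 0;
+	TQString errorstring;
+
+	// Bind anonymously to LDAP
+	LDAPCredentials* credentials = new LDAPCredentials;
+	credentials->username = "";
+	credentials->password = "";
+	credentials->realm = realmcfg.name.upper();
+	credentials->use_tls = false;
+	LDAPManager* ldap_mgr = new LDAPManager(realmcfg.name.upper(), TQString("ldap://%1").arg(realmcfg.admin_server).ascii(), credentials);
+
+	// Add the domain-wide computer local admin group to local sudoers
+	ldap_mgr->writeSudoersConfFile(&errorstring);
+
+	// Get and install the CA root certificate from LDAP
+	printf("[INFO] Updating certificate %s from LDAP\n\r", certificateName.ascii());
+	if (ldap_mgr->getTDECertificate("publicRootCertificate", certificateName, &errorstring) != 0) {
+		printf("[ERROR] Unable to obtain root certificate for realm %s: %s", realmcfg.name.upper().ascii(), errorstring.ascii());
+		retcode = 1;
+	}
+
+	delete ldap_mgr;
+	delete credentials;
+
+	return retcode;
+}
+
+int main(int argc, char *argv[])
+{
+	// Register signal handler for SIGHUP
+	signal(SIGHUP, signalHandler);
+	// Register signal handler for SIGINT
+	signal(SIGINT, signalHandler);
+	// Register signal handler for SIGTERM
+	signal(SIGTERM, signalHandler);
+
+	TQDir pidDir(TDE_LDAP_PID_DIR);
+	if (!pidDir.exists()) {
+		mkdir(TDE_LDAP_PID_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+	}
+	TQFile pidFile(TDE_LDAP_CERT_UPDATER_PID_FILE);
+	if (pidFile.open(IO_WriteOnly)) {
+		TQTextStream stream(&pidFile);
+		stream << getpid();
+		pidFile.close();
+	}
+
+	// Seed random number generator
+	struct timeval time;
+	gettimeofday(&time,NULL);
+	srand((time.tv_sec * 1000) + (time.tv_usec / 1000));
+
+	// Initialize TDE application libraries
+	TDEAboutData aboutData( "tdeldapcertupdater", I18N_NOOP("Realm Certificate Updater"),
+		version, description, TDEAboutData::License_GPL,
+		"(c) 2013, Timothy Pearson");
+		aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
+	TDECmdLineArgs::init( argc, argv, &aboutData );
+	TDEApplication::disableAutoDcopRegistration();
+
+	TDEApplication app(false, false);
+
+	TDEStartupInfo::appStarted();
+
+	//======================================================================================================================================================
+	//
+	// Updater code follows
+	//
+	//======================================================================================================================================================
+
+	KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
+	LDAPRealmConfigList realms = LDAPManager::readTDERealmList(systemconfig, false);
+	TQString m_defaultRealm = systemconfig->readEntry("DefaultRealm");
+
+	int prevSecondsToExpiry = (7*24*60*60);
+
+	while (1) {
+		bool allDownloadsOK = true;
+		TQDateTime now = TQDateTime::currentDateTime();
+		TQDateTime earliestCertExpiry = now.addDays(14);	// Recheck every 7 days regardless of last expiry check results
+
+		LDAPRealmConfigList::Iterator it;
+		for (it = realms.begin(); it != realms.end(); ++it) {
+			LDAPRealmConfig realmcfg = it.data();
+			TQString certificateName = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crt";
+
+			TQDateTime certExpiry;
+			TQDateTime soon = now.addDays(7);		// Keep in sync with src/ldapcontroller.cpp
+
+			if (TQFile::exists(certificateName)) {
+				certExpiry = LDAPManager::getCertificateExpiration(certificateName);
+				if (certExpiry >= now) {
+					printf("[INFO] Certificate %s expires %s\n\r", certificateName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
+				}
+				if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+					if (get_certificate_from_server(certificateName, realmcfg) != 0) {
+						allDownloadsOK = false;
+					}
+				}
+				if (certExpiry < earliestCertExpiry) {
+					earliestCertExpiry = certExpiry;
+				}
+			}
+			else {
+				mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+				mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+				if (get_certificate_from_server(certificateName, realmcfg) != 0) {
+					allDownloadsOK = false;
+				}
+			}
+		}
+
+		earliestCertExpiry = earliestCertExpiry.addDays(-7);	// Keep in sync with now.addDays above (use negative of value given above)
+		int secondsToExpiry = now.secsTo(earliestCertExpiry);
+		secondsToExpiry = secondsToExpiry + (rand()%(5*60));	// Nothing worse than thousands of clients hammering the LDAP server all at once...
+		if (secondsToExpiry < 1) {
+			secondsToExpiry = 1;
+		}
+		if ((prevSecondsToExpiry == 1) && (allDownloadsOK)) {
+			// The server has not yet updated its certificate, even though our copy is close to expiration
+			// Therefore, do not hammer the server with useless requests!
+			prevSecondsToExpiry = (15*60) + (rand()%(5*60));
+		}
+		prevSecondsToExpiry = secondsToExpiry;
+		printf("[INFO] Will recheck certificates in %d seconds (%d days)\n\r", secondsToExpiry, secondsToExpiry/60/60/24); fflush(stdout);
+		if (sleep(secondsToExpiry) != 0) {
+			// Signal caught
+			if (!received_sighup) {
+				break;
+			}
+		}
+	}
+
+	unlink(TDE_LDAP_CERT_UPDATER_PID_FILE);
+
+	//======================================================================================================================================================
+
+	return 0;
+}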
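Review bot: The anti-hammering back-off at the end of the main loop is a dead store: `prevSecondsToExpiry = (15*60) + (rand()%(5*60));` is overwritten two lines later by `prevSecondsToExpiry = secondsToExpiry;` and never reaches the `sleep(secondsToExpiry)` call, so a client whose certificate the server has not yet renewed keeps retrying at the 1-second clamp; the intended line is `secondsToExpiry = (15*60) + (rand()%(5*60));`. signalHandler() calls printf(), unlink() and exit(), none of which are async-signal-safe; keep the handler to setting a flag declared as `volatile sig_atomic_t received_sighup = 0;` (or call _exit() after unlink()), and reset the flag after the interrupted sleep() so a later interruption is not mistaken for a pending reload. Note also that get_certificate_from_server() fetches and installs the realm's root CA certificate over an anonymous `ldap://` bind with `use_tls = false`, so unless getTDECertificate() verifies it by other means the trust anchor arrives over an unauthenticated channel — worth stating in the comment above the bind — and the return value of writeSudoersConfFile() is discarded even though that call rewrites sudoers from a certificate daemon.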

+ 74
- 190
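--- a/src/ldapbonding.cpp
+++ b/src/ldapbonding.cpp
@@ -1,5 +1,5 @@
 /***************************************************************************
- *   Copyright (C) 2012 by Timothy Pearson                                 *
+ *   Copyright (C) 2012-2013 by Timothy Pearson                            *
  *   kb9vqf@pearsoncomputing.net                                           *
  *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
@@ -18,6 +18,9 @@
  *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
  ***************************************************************************/
 
+#include <sys/types.h>
+#include <signal.h>
+
 #include <tqlayout.h>
 
 #include <tdelocale.h>
@@ -49,11 +52,6 @@
 // FIXME
 // Connect this to CMake/Automake
 #define KDE_CONFDIR "/etc/trinity"
-#define KRB5_FILE "/etc/krb5.conf"
-#define NSSWITCH_FILE "/etc/nsswitch.conf"
-#define PAMD_DIRECTORY "/etc/pam.d/"
-#define PAMD_COMMON_ACCOUNT "common-account"
-#define PAMD_COMMON_AUTH "common-auth"
 
 typedef KGenericFactory<LDAPConfig, TQWidget> ldapFactory;
 
@@ -71,7 +69,7 @@ LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&)
 	TDEAboutData* about = new TDEAboutData("ldap", I18N_NOOP("TDE LDAP Manager"), "0.1",
 		I18N_NOOP("TDE LDAP Manager Control Panel Module"),
 		TDEAboutData::License_GPL,
-		I18N_NOOP("(c) 2012 Timothy Pearson"), 0, 0);
+		I18N_NOOP("(c) 2012-2013 Timothy Pearson"), 0, 0);
 	
 	about->addAuthor("Timothy Pearson", 0, "kb9vqf@pearsoncomputing.net");
 	setAboutData( about );
@@ -103,17 +101,16 @@ LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&)
 	connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
 	connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed()));
 
-	m_fqdn = LDAPManager::getMachineFQDN();
+	hostFQDN = LDAPManager::getMachineFQDN();
 	base->hostFQDN->setEnabled(false);
 	base->hostFQDN->clear();
-	base->hostFQDN->insertItem(m_fqdn);
+	base->hostFQDN->insertItem(hostFQDN);
 
 	load();
 
 	systemconfig->setGroup(NULL);
-	TQString ldapRole = systemconfig->readEntry("LDAPRole", "Workstation");
 
-	if ((getuid() != 0) || (!systemconfig->checkConfigFilesWritable( true )) || (ldapRole != "Workstation")) {
+	if ((getuid() != 0) || (!systemconfig->checkConfigFilesWritable( true )) || (m_clientRealmConfig.ldapRole != "Workstation")) {
 		base->systemEnableSupport->setEnabled(false);
 	}
 
@@ -133,51 +130,33 @@ void LDAPConfig::load() {
 void LDAPConfig::load(bool useDefaults )
 {
 	int i;
-	bool thisIsMyMachine;
 
-	//Update the toggle buttons with the current configuration
-	systemconfig->setReadDefaults( useDefaults );
-	
-	systemconfig->setGroup(NULL);
-	base->systemEnableSupport->setChecked(systemconfig->readBoolEntry("EnableLDAP", false));
-	m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null);
-	m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400);
-	if (m_fqdn == systemconfig->readEntry("HostFQDN", "")) {
-		thisIsMyMachine = true;
-	}
-	else {
-		thisIsMyMachine = false;
-	}
+	m_clientRealmConfig = LDAPManager::loadClientRealmConfig(systemconfig, useDefaults);
 
-	m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3);
-	m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2);
-	m_bindPolicy = systemconfig->readEntry("ConnectionBindPolicy", "soft");
-	m_ldapBindTimeout = systemconfig->readNumEntry("ConnectionBindTimeout", 2);
-	m_passwordHash = systemconfig->readEntry("ConnectionPasswordHash", "exop");
-	m_ignoredUsers = systemconfig->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST);
+	base->systemEnableSupport->setChecked(m_clientRealmConfig.enable_bonding);
 	
 	// Load realms
 	m_realms.clear();
-	m_realms = LDAPManager::readTDERealmList(systemconfig, !thisIsMyMachine);
+	m_realms = LDAPManager::readTDERealmList(systemconfig, !m_clientRealmConfig.configurationVerifiedForLocalMachine);
 
-	base->ticketLifetime->setValue(m_ticketLifetime);
+	base->ticketLifetime->setValue(m_clientRealmConfig.ticketLifetime);
 
-	base->ldapVersion->setValue(m_ldapVersion);
-	base->ldapTimeout->setValue(m_ldapTimeout);
+	base->ldapVersion->setValue(m_clientRealmConfig.ldapVersion);
+	base->ldapTimeout->setValue(m_clientRealmConfig.ldapTimeout);
 	for (i=0; i<base->bindPolicy->count(); i++) {
-		if (base->bindPolicy->text(i).lower() == m_defaultRealm.lower()) {
+		if (base->bindPolicy->text(i).lower() == m_clientRealmConfig.defaultRealm.lower()) {
 			base->bindPolicy->setCurrentItem(i);
 			break;
 		}
 	}
-	base->ldapBindTimeout->setValue(m_ldapBindTimeout);
+	base->ldapBindTimeout->setValue(m_clientRealmConfig.ldapBindTimeout);
 	for (i=0; i<base->passwordHash->count(); i++) {
-		if (base->passwordHash->text(i).lower() == m_passwordHash.lower()) {
+		if (base->passwordHash->text(i).lower() == m_clientRealmConfig.passwordHash.lower()) {
 			base->passwordHash->setCurrentItem(i);
 			break;
 		}
 	}
-	base->ignoredUsers->setText(m_ignoredUsers);
+	base->ignoredUsers->setText(m_clientRealmConfig.ignoredUsers);
 
 	updateRealmList();
 
@@ -195,9 +174,9 @@ void LDAPConfig::updateRealmList() {
 		(void)new TQListViewItem(base->ldapRealmList, ((realmcfg.bonded)?i18n("Bonded"):i18n("Deactivated")), realmcfg.name);
 		base->defaultRealm->insertItem(realmcfg.name);
 	}
-	if (m_defaultRealm != "") {
+	if (m_clientRealmConfig.defaultRealm != "") {
 		for (int i=0; i<base->defaultRealm->count(); i++) {
-			if (base->defaultRealm->text(i) == m_defaultRealm) {
+			if (base->defaultRealm->text(i) == m_clientRealmConfig.defaultRealm) {
 				base->defaultRealm->setCurrentItem(i);
 				break;
 			}
@@ -213,71 +192,87 @@ void LDAPConfig::defaults() {
 void LDAPConfig::save() {
 	TQString errorstring;
 
+	m_clientRealmConfig.hostFQDN = hostFQDN;
+
+	m_clientRealmConfig.enable_bonding = base->systemEnableSupport->isChecked();
+	m_clientRealmConfig.defaultRealm = base->defaultRealm->currentText();
+	m_clientRealmConfig.ticketLifetime = base->ticketLifetime->value();
+
+	m_clientRealmConfig.ldapVersion = base->ldapVersion->value();
+	m_clientRealmConfig.ldapTimeout = base->ldapTimeout->value();
+	m_clientRealmConfig.bindPolicy = base->bindPolicy->currentText();
+	m_clientRealmConfig.ldapBindTimeout = base->ldapBindTimeout->value();
+	m_clientRealmConfig.passwordHash = base->passwordHash->currentText();
+	m_clientRealmConfig.ignoredUsers = base->ignoredUsers->text();
+
 	// Write system configuration
-	systemconfig->setGroup(NULL);
-	systemconfig->writeEntry("EnableLDAP", base->systemEnableSupport->isChecked());
-	systemconfig->writeEntry("HostFQDN", m_fqdn);
-	m_defaultRealm = base->defaultRealm->currentText();
-	m_ticketLifetime = base->ticketLifetime->value();
-
-	m_ldapVersion = base->ldapVersion->value();
-	m_ldapTimeout = base->ldapTimeout->value();
-	m_bindPolicy = base->bindPolicy->currentText();
-	m_ldapBindTimeout = base->ldapBindTimeout->value();
-	m_passwordHash = base->passwordHash->currentText();
-	m_ignoredUsers = base->ignoredUsers->text();
-
-	if (m_defaultRealm != "") {
-		systemconfig->writeEntry("DefaultRealm", m_defaultRealm);
-	}
-	else {
-		systemconfig->deleteEntry("DefaultRealm");
+	if (LDAPManager::saveClientRealmConfig(m_clientRealmConfig, systemconfig, &errorstring) != 0) {
+		KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
+		return;
 	}
-	systemconfig->writeEntry("TicketLifetime", m_ticketLifetime);
-
-	systemconfig->writeEntry("ConnectionLDAPVersion", m_ldapVersion);
-	systemconfig->writeEntry("ConnectionLDAPTimeout", m_ldapTimeout);
-	systemconfig->writeEntry("ConnectionBindPolicy", m_bindPolicy);
-	systemconfig->writeEntry("ConnectionBindTimeout", m_ldapBindTimeout);
-	systemconfig->writeEntry("ConnectionPasswordHash", m_passwordHash);
-	systemconfig->writeEntry("ConnectionIgnoredUsers", m_ignoredUsers);
 
 	LDAPManager::writeTDERealmList(m_realms, systemconfig);
 	systemconfig->sync();
 
-	if (base->systemEnableSupport->isChecked()) {
+	if (m_clientRealmConfig.enable_bonding) {
 		// Write the Kerberos5 configuration file
-		writeKrb5ConfFile();
+		if (LDAPManager::writeClientKrb5ConfFile(m_clientRealmConfig, m_realms, &errorstring) != 0) {
+			KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
+			return;
+		}
 		// Write the LDAP configuration file
-		writeLDAPConfFile();
+		if (LDAPManager::writeLDAPConfFile(m_realms[m_clientRealmConfig.defaultRealm], &errorstring) != 0) {
+			KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
+			return;
+		}
 		// Write the NSSwitch configuration file
-		writeNSSwitchFile();
+		if (LDAPManager::writeNSSwitchFile(&errorstring) != 0) {
+			KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
+			return;
+		}
 		// Write the PAM configuration files
-		writePAMFiles();
+		if (LDAPManager::writePAMFiles(&errorstring) != 0) {
+			KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
+			return;
+		}
 		// Write the cron files
-		LDAPManager::writeCronFiles();
+		if (LDAPManager::writeClientCronFiles() != 0) {
+			KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration"));
+			return;
+		}
 
-		if (m_defaultRealm != "") {
+		if (m_clientRealmConfig.defaultRealm != "") {
 			// Bind anonymously to LDAP
 			LDAPCredentials* credentials = new LDAPCredentials;
 			credentials->username = "";
 			credentials->password = "";
-			credentials->realm = m_defaultRealm.upper();
+			credentials->realm = m_clientRealmConfig.defaultRealm.upper();
 			credentials->use_tls = false;
-			LDAPManager* ldap_mgr = new LDAPManager(m_defaultRealm.upper(), TQString("ldap://%1").arg(m_realms[m_defaultRealm].admin_server).ascii(), credentials);
+			LDAPManager* ldap_mgr = new LDAPManager(m_clientRealmConfig.defaultRealm.upper(), TQString("ldap://%1").arg(m_realms[m_clientRealmConfig.defaultRealm].admin_server).ascii(), credentials);
 	
 			// Add the domain-wide computer local admin group to local sudoers
 			ldap_mgr->writeSudoersConfFile(&errorstring);
+
 			// Get and install the CA root certificate from LDAP
 			mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
 			mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
-			if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PUBLICDIR + m_realms[m_defaultRealm].admin_server + ".ldap.crt", &errorstring) != 0) {
-				KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root certificate for realm %1!</b><p>Details: %2</qt>").arg(m_defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain Certificate"));
+			if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PUBLICDIR + m_realms[m_clientRealmConfig.defaultRealm].admin_server + ".ldap.crt", &errorstring) != 0) {
+				KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root certificate for realm %1!</b><p>Details: %2</qt>").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain Certificate"));
 			}
 	
 			delete ldap_mgr;
 			delete credentials;
 		}
+
+		// Certificates may have changed; force the certificate update daemon to reload its configuration
+		pid_t certUpdaterPID;
+		TQFile pidFile(TDE_LDAP_CERT_UPDATER_PID_FILE);
+		if (pidFile.open(IO_ReadOnly)) {
+			TQTextStream stream(&pidFile);
+			stream >> certUpdaterPID;
+			pidFile.close();
+			kill(certUpdaterPID, SIGHUP);
+		}
 	}
 
 	load();
@@ -339,7 +334,7 @@ void LDAPConfig::reBondToRealm() {
 		passdlg.m_base->ldapAdminRealm->setText(realmName);
 		if (passdlg.exec() == TQDialog::Accepted) {
 			setEnabled(false);
-			if (LDAPManager::bondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) {
+			if (LDAPManager::bondRealm(passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) {
 				// Success!
 				realmcfg.bonded = true;
 				m_realms.remove(realmName);
@@ -406,117 +401,6 @@ void LDAPConfig::realmProperties() {
 	}
 }
 
-void LDAPConfig::writeKrb5ConfFile() {
-	TQFile file(KRB5_FILE);
-	if (file.open(IO_WriteOnly)) {
-		TQTextStream stream( &file );
-
-		stream << "# This file was automatically generated by TDE\n";
-		stream << "# All changes will be lost!\n";
-		stream << "\n";
-
-		// Defaults
-		stream << "[libdefaults]\n";
-		stream << "    ticket_lifetime = " << m_ticketLifetime << "\n";
-		if (m_defaultRealm != "") {
-			stream << "    default_realm = " << m_defaultRealm << "\n";
-		}
-		stream << "\n";
-
-		// Realms
-		stream << "[realms]\n";
-		LDAPRealmConfigList::Iterator it;
-		for (it = m_realms.begin(); it != m_realms.end(); ++it) {
-			LDAPRealmConfig realmcfg = it.data();
-			stream << "   " << realmcfg.name << " = {\n";
-			stream << "        kdc = " << realmcfg.kdc << ":" << realmcfg.kdc_port << "\n";
-			stream << "        admin_server = " << realmcfg.admin_server << ":" << realmcfg.admin_server_port << "\n";
-			stream << "        pkinit_require_eku = " << (realmcfg.pkinit_require_eku?"true":"false") << "\n";
-			stream << "        pkinit_require_krbtgt_otherName = " << (realmcfg.pkinit_require_krbtgt_otherName?"true":"false") << "\n";
-			stream << "        win2k_pkinit = " << (realmcfg.win2k_pkinit?"yes":"no") << "\n";
-			stream << "        win2k_pkinit_require_binding = " << (realmcfg.win2k_pkinit_require_binding?"yes":"no") << "\n";
-			stream << "   }\n";
-		}
-		stream << "\n";
-
-		// Domain aliases
-		stream << "[domain_realm]\n";
-		LDAPRealmConfigList::Iterator it2;
-		for (it2 = m_realms.begin(); it2 != m_realms.end(); ++it2) {
-			LDAPRealmConfig realmcfg = it2.data();
-			TQStringList domains = realmcfg.domain_mappings;
-			for (TQStringList::Iterator it3 = domains.begin(); it3 != domains.end(); ++it3 ) {
-				stream << "    " << *it3 << " = " << realmcfg.name << "\n";
-			}
-		}
-
-		file.close();
-	}
-}
-
-void LDAPConfig::writeLDAPConfFile() {
-	LDAPManager::writeLDAPConfFile(m_realms[m_defaultRealm]);
-}
-
-void LDAPConfig::writeNSSwitchFile() {
-	TQFile file(NSSWITCH_FILE);
-	if (file.open(IO_WriteOnly)) {
-		TQTextStream stream( &file );
-
-		stream << "# This file was automatically generated by TDE\n";
-		stream << "# All changes will be lost!\n";
-		stream << "\n";
-		stream << "passwd:         files ldap [NOTFOUND=return] db" << "\n";
-		stream << "group:          files ldap [NOTFOUND=return] db" << "\n";
-		stream << "shadow:         files ldap [NOTFOUND=return] db" << "\n";
-		stream << "\n";
-		stream << "hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4" << "\n";
-		stream << "networks:       files" << "\n";
-		stream << "\n";
-		stream << "protocols:      db files" << "\n";
-		stream << "services:       db files" << "\n";
-		stream << "ethers:         db files" << "\n";
-		stream << "rpc:            db files" << "\n";
-		stream << "\n";
-		stream << "netgroup:       nis" << "\n";
-
-		file.close();
-	}
-}
-
-void LDAPConfig::writePAMFiles() {
-	TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT);
-	if (file.open(IO_WriteOnly)) {
-		TQTextStream stream( &file );
-
-		stream << "# This file was automatically generated by TDE\n";
-		stream << "# All changes will be lost!\n";
-		stream << "\n";
-		stream << "account sufficient pam_unix.so nullok_secure" << "\n";
-		stream << "account sufficient pam_ldap.so" << "\n";
-		stream << "account required pam_permit.so" << "\n";
-
-		file.close();
-	}
-
-	TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH);
-	if (file2.open(IO_WriteOnly)) {
-		TQTextStream stream( &file2 );
-
-		stream << "# This file was automatically generated by TDE\n";
-		stream << "# All changes will be lost!\n";
-		stream << "\n";
-		stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n";
-		stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
-		stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
-		stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
-		stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
-		stream << "auth required pam_deny.so" << "\n";
-
-		file2.close();
-	}
-}
-
 int LDAPConfig::buttons() {
 	return TDECModule::Apply|TDECModule::Help;
 }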
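Review bot: In the new reload block at the end of LDAPConfig::save(), `certUpdaterPID` is declared uninitialized and handed straight to kill() after `stream >> certUpdaterPID`; if the PID file is empty or unparsable the signal goes to an indeterminate PID, and a stored 0 or -1 makes kill() target the whole process group or every process the caller may signal — on a path that runs as root, since system writes are gated on `getuid() != 0` in the constructor. Initialise it and guard the call: `pid_t certUpdaterPID = 0;` and `if (certUpdaterPID > 0) { kill(certUpdaterPID, SIGHUP); }`, and consider noting in the comment that a stale PID file may name an unrelated process. The error dialog after `LDAPManager::writeClientCronFiles()` interpolates `errorstring`, but that call takes no error argument, so the dialog shows whatever an earlier step left in it (presumably nothing). The rewritten bindPolicy loop in load() still compares `base->bindPolicy->text(i).lower()` with `m_clientRealmConfig.defaultRealm.lower()` rather than `m_clientRealmConfig.bindPolicy.lower()`, carried over from the old code, so the saved bind policy is never reselected in the combo box.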

+ 3
- 14
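--- a/src/ldapbonding.h
+++ b/src/ldapbonding.h
@@ -1,5 +1,5 @@
 /***************************************************************************
- *   Copyright (C) 2012 by Timothy Pearson                                 *
+ *   Copyright (C) 2012-2013 by Timothy Pearson                            *
  *   kb9vqf@pearsoncomputing.net                                           *
  *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
@@ -65,26 +65,15 @@ class LDAPConfig: public TDECModule
 
 	private:
 		void updateRealmList();
-		void writeKrb5ConfFile();
-		void writeLDAPConfFile();
-		void writeNSSwitchFile();
-		void writePAMFiles();
 
 	private:
 		TDEAboutData *myAboutData;
 		TDEGlobalSettings *kgs;
 		LDAPConfigBase *base;
 		LDAPRealmConfigList m_realms;
-		TQString m_fqdn;
-		TQString m_defaultRealm;
-		int m_ticketLifetime;
+		LDAPClientRealmConfig m_clientRealmConfig;
 
-		int m_ldapVersion;
-		int m_ldapTimeout;
-		TQString m_bindPolicy;
-		int m_ldapBindTimeout;
-		TQString m_passwordHash;
-		TQString m_ignoredUsers;
+		TQString hostFQDN;
 };
 
 #endif // _KCMLDAP_H_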

+ 1
- 0
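--- a/subdirs
+++ b/subdirs
@@ -1,3 +1,4 @@
+cert-updater
 cmdline
 doc
 pics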
