author | Timothy Pearson <[email protected]> | 2013-03-21 00:02:51 -0500 |
---|---|---|
committer | Timothy Pearson <[email protected]> | 2013-03-21 00:02:51 -0500 |
commit | f6459b79852caa355c535d96b9a6709a8b85814f (patch) | |
tree | 4148204985e8833771cd463321546a636aa8bc68 | |
parent | 1f14ed9dfeeeefdaafa03ea9a0517ab4900e91bb (diff) | |
Add new certificate updater daemon
Move core code to libtdeldap
-rw-r--r-- | cert-updater/Makefile.am | 10 | ||||
-rw-r--r-- | cert-updater/main.cpp | 211 | ||||
-rw-r--r-- | src/ldapbonding.cpp | 264 | ||||
-rw-r--r-- | src/ldapbonding.h | 17 | ||||
-rw-r--r-- | subdirs | 1 |
5 files changed, 299 insertions, 204 deletions
diff --git a/cert-updater/Makefile.am b/cert-updater/Makefile.am
new file mode 100644
index 0000000..c113f3d
--- /dev/null
+++ b/cert-updater/Makefile.am
@@ -0,0 +1,10 @@
+INCLUDES= $(all_includes) $(KDE_INCLUDES)/tde
+
+bin_PROGRAMS = tdeldapcertupdater
+
+tdeldapcertupdater_SOURCES = main.cpp
+
+tdeldapcertupdater_METASOURCES = AUTO
+tdeldapcertupdater_LDFLAGS = $(all_libraries) $(KDE_RPATH) $(LIB_QT) -lDCOP $(LIB_TDECORE) $(LIB_TDEUI) -ltdefx $(LIB_KIO) -ltdetexteditor -ltdeldap
+
+KDE_OPTIONS = nofinal
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
new file mode 100644
index 0000000..6994626
--- /dev/null
+++ b/cert-updater/main.cpp
@@ -0,0 +1,211 @@ +/*************************************************************************** + * Copyright (C) 2013 by Timothy Pearson * + * [email protected] * + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + * * + * This program is distributed in the hope that it will be useful, * + * but WITHOUT ANY WARRANTY; without even the implied warranty of * + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * + * GNU General Public License for more details. * + * * + * You should have received a copy of the GNU General Public License * + * along with this program; if not, write to the * + * Free Software Foundation, Inc., * + * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + ***************************************************************************/ + +#include <stdlib.h> +#include <csignal> + +#include <sys/types.h> +#include <sys/socket.h> +#include <sys/stat.h> +#include <sys/time.h> +#include <netdb.h> +#include <pwd.h> + +#include <tdeapplication.h> +#include <tdestartupinfo.h> +#include <tdecmdlineargs.h> +#include <tdeaboutdata.h> + +#include <ksimpleconfig.h> + +#include <tqdatetime.h> +#include <tqfile.h> +#include <tqdir.h> + +#include <libtdeldap.h> + +// FIXME +// Connect this to CMake/Automake +#define KDE_CONFDIR "/etc/trinity" + +static const char description[] = + I18N_NOOP("TDE utility for updating realm certificates"); + +static const char version[] = "v0.0.1"; + +bool received_sighup = false; + +void signalHandler(int signum) +{ + printf("[INFO] Got signal %d\n\r", signum); + if (signum == SIGHUP) { + received_sighup = true; + } + else if (signum == SIGTERM) { + unlink(TDE_LDAP_CERT_UPDATER_PID_FILE); + exit(0); + } + else if (signum == SIGINT) { + unlink(TDE_LDAP_CERT_UPDATER_PID_FILE); + exit(0); + } 
+} + +int get_certificate_from_server(TQString certificateName, LDAPRealmConfig realmcfg) +{ + int retcode = 0; + TQString errorstring; + + // Bind anonymously to LDAP + LDAPCredentials* credentials = new LDAPCredentials; + credentials->username = ""; + credentials->password = ""; + credentials->realm = realmcfg.name.upper(); + credentials->use_tls = false; + LDAPManager* ldap_mgr = new LDAPManager(realmcfg.name.upper(), TQString("ldap://%1").arg(realmcfg.admin_server).ascii(), credentials); + + // Add the domain-wide computer local admin group to local sudoers + ldap_mgr->writeSudoersConfFile(&errorstring); + + // Get and install the CA root certificate from LDAP + printf("[INFO] Updating certificate %s from LDAP\n\r", certificateName.ascii()); + if (ldap_mgr->getTDECertificate("publicRootCertificate", certificateName, &errorstring) != 0) { + printf("[ERROR] Unable to obtain root certificate for realm %s: %s", realmcfg.name.upper().ascii(), errorstring.ascii()); + retcode = 1; + } + + delete ldap_mgr; + delete credentials; + + return retcode; +} + +int main(int argc, char *argv[]) +{ + // Register signal handler for SIGHUP + signal(SIGHUP, signalHandler); + // Register signal handler for SIGINT + signal(SIGINT, signalHandler); + // Register signal handler for SIGTERM + signal(SIGTERM, signalHandler); + + TQDir pidDir(TDE_LDAP_PID_DIR); + if (!pidDir.exists()) { + mkdir(TDE_LDAP_PID_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + } + TQFile pidFile(TDE_LDAP_CERT_UPDATER_PID_FILE); + if (pidFile.open(IO_WriteOnly)) { + TQTextStream stream(&pidFile); + stream << getpid(); + pidFile.close(); + } + + // Seed random number generator + struct timeval time; + gettimeofday(&time,NULL); + srand((time.tv_sec * 1000) + (time.tv_usec / 1000)); + + // Initialize TDE application libraries + TDEAboutData aboutData( "tdeldapcertupdater", I18N_NOOP("Realm Certificate Updater"), + version, description, TDEAboutData::License_GPL, + "(c) 2013, Timothy Pearson"); + 
aboutData.addAuthor("Timothy Pearson",0, "[email protected]"); + TDECmdLineArgs::init( argc, argv, &aboutData ); + TDEApplication::disableAutoDcopRegistration(); + + TDEApplication app(false, false); + + TDEStartupInfo::appStarted(); + + //====================================================================================================================================================== + // + // Updater code follows + // + //====================================================================================================================================================== + + KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" )); + LDAPRealmConfigList realms = LDAPManager::readTDERealmList(systemconfig, false); + TQString m_defaultRealm = systemconfig->readEntry("DefaultRealm"); + + int prevSecondsToExpiry = (7*24*60*60); + + while (1) { + bool allDownloadsOK = true; + TQDateTime now = TQDateTime::currentDateTime(); + TQDateTime earliestCertExpiry = now.addDays(14); // Recheck every 7 days regardless of last expiry check results + + LDAPRealmConfigList::Iterator it; + for (it = realms.begin(); it != realms.end(); ++it) { + LDAPRealmConfig realmcfg = it.data(); + TQString certificateName = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crt"; + + TQDateTime certExpiry; + TQDateTime soon = now.addDays(7); // Keep in sync with src/ldapcontroller.cpp + + if (TQFile::exists(certificateName)) { + certExpiry = LDAPManager::getCertificateExpiration(certificateName); + if (certExpiry >= now) { + printf("[INFO] Certificate %s expires %s\n\r", certificateName.ascii(), certExpiry.toString().ascii()); fflush(stdout); + } + if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) { + if (get_certificate_from_server(certificateName, realmcfg) != 0) { + allDownloadsOK = false; + } + } + if (certExpiry < earliestCertExpiry) { + earliestCertExpiry = certExpiry; + } + } + else { + 
mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + if (get_certificate_from_server(certificateName, realmcfg) != 0) { + allDownloadsOK = false; + } + } + } + + earliestCertExpiry = earliestCertExpiry.addDays(-7); // Keep in sync with now.addDays above (use negative of value given above) + int secondsToExpiry = now.secsTo(earliestCertExpiry); + secondsToExpiry = secondsToExpiry + (rand()%(5*60)); // Nothing worse than thousands of clients hammering the LDAP server all at once... + if (secondsToExpiry < 1) { + secondsToExpiry = 1; + } + if ((prevSecondsToExpiry == 1) && (allDownloadsOK)) { + // The server has not yet updated its certificate, even though our copy is close to expiration + // Therefore, do not hammer the server with useless requests! + prevSecondsToExpiry = (15*60) + (rand()%(5*60)); + } + prevSecondsToExpiry = secondsToExpiry; + printf("[INFO] Will recheck certificates in %d seconds (%d days)\n\r", secondsToExpiry, secondsToExpiry/60/60/24); fflush(stdout); + if (sleep(secondsToExpiry) != 0) { + // Signal caught + if (!received_sighup) { + break; + } + } + } + + unlink(TDE_LDAP_CERT_UPDATER_PID_FILE); + + //====================================================================================================================================================== + + return 0; +} diff --git a/src/ldapbonding.cpp b/src/ldapbonding.cpp index b7e1c23..f8b16c0 100644 --- a/src/ldapbonding.cpp +++ b/src/ldapbonding.cpp @@ -1,5 +1,5 @@ /*************************************************************************** - * Copyright (C) 2012 by Timothy Pearson * + * Copyright (C) 2012-2013 by Timothy Pearson * * * * This program is free software; you can redistribute it and/or modify * 
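Review bot: The anti-hammer back-off in `main` is dead code: `prevSecondsToExpiry = (15*60) + (rand()%(5*60));` is overwritten on the very next line by `prevSecondsToExpiry = secondsToExpiry;`, so when the server certificate is close to expiry and `allDownloadsOK` stays true the loop still wakes every second; the intent reads as `secondsToExpiry = (15*60) + (rand()%(5*60));`. Relatedly, `received_sighup` is a plain `bool` that is never cleared, and `signalHandler` calls `printf`/`unlink`/`exit`, none of which are async-signal-safe — declare it `static volatile sig_atomic_t received_sighup = 0;`, only set flags in the handler, and reset the flag before each `sleep`. The SIGHUP the KCM sends is described there as forcing a configuration reload, but the loop never re-reads `systemconfig`/`realms` after start-up, so realms added later are not seen until the daemon restarts. `get_certificate_from_server` also rewrites sudoers through `ldap_mgr->writeSudoersConfFile(&errorstring)` with the return value ignored — an unexpected privileged side effect for a function with that name running unattended as root, worth documenting in its header comment or moving out. The root certificate is fetched over an anonymous bind with `credentials->use_tls = false` and installed with no visible comparison against the existing file; the function's comment should state why that is acceptable for a trust anchor, or the daemon should verify the new certificate before replacing the old one.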
@@ -18,6 +18,9 @@ * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ***************************************************************************/ +#include <sys/types.h> +#include <signal.h> + #include <tqlayout.h> #include <tdelocale.h> @@ -49,11 +52,6 @@ // FIXME // Connect this to CMake/Automake #define KDE_CONFDIR "/etc/trinity" -#define KRB5_FILE "/etc/krb5.conf" -#define NSSWITCH_FILE "/etc/nsswitch.conf" -#define PAMD_DIRECTORY "/etc/pam.d/" -#define PAMD_COMMON_ACCOUNT "common-account" -#define PAMD_COMMON_AUTH "common-auth" typedef KGenericFactory<LDAPConfig, TQWidget> ldapFactory; @@ -71,7 +69,7 @@ LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&) TDEAboutData* about = new TDEAboutData("ldap", I18N_NOOP("TDE LDAP Manager"), "0.1", I18N_NOOP("TDE LDAP Manager Control Panel Module"), TDEAboutData::License_GPL, - I18N_NOOP("(c) 2012 Timothy Pearson"), 0, 0); + I18N_NOOP("(c) 2012-2013 Timothy Pearson"), 0, 0); about->addAuthor("Timothy Pearson", 0, "[email protected]"); setAboutData( about ); @@ -103,17 +101,16 @@ LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&) connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed())); connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed())); - m_fqdn = LDAPManager::getMachineFQDN(); + hostFQDN = LDAPManager::getMachineFQDN(); base->hostFQDN->setEnabled(false); base->hostFQDN->clear(); - base->hostFQDN->insertItem(m_fqdn); + base->hostFQDN->insertItem(hostFQDN); load(); systemconfig->setGroup(NULL); - TQString ldapRole = systemconfig->readEntry("LDAPRole", "Workstation"); - if ((getuid() != 0) || (!systemconfig->checkConfigFilesWritable( true )) || (ldapRole != "Workstation")) { + if ((getuid() != 0) || (!systemconfig->checkConfigFilesWritable( true )) || (m_clientRealmConfig.ldapRole != "Workstation")) { base->systemEnableSupport->setEnabled(false); } 
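Review bot: The new member assigned at `hostFQDN = LDAPManager::getMachineFQDN();` breaks the class's `m_` naming convention (`m_realms`, `m_clientRealmConfig`) and reads identically to the `base->hostFQDN` widget used two lines later, which makes `base->hostFQDN->insertItem(hostFQDN);` easy to misread; `m_hostFQDN` would avoid both problems. The same applies to the declaration `TQString hostFQDN;` in the src/ldapbonding.h hunk. The constructor's body continues outside this hunk.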
@@ -133,51 +130,33 @@ void LDAPConfig::load() { void LDAPConfig::load(bool useDefaults ) { int i; - bool thisIsMyMachine; - //Update the toggle buttons with the current configuration - systemconfig->setReadDefaults( useDefaults ); - - systemconfig->setGroup(NULL); - base->systemEnableSupport->setChecked(systemconfig->readBoolEntry("EnableLDAP", false)); - m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null); - m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400); - if (m_fqdn == systemconfig->readEntry("HostFQDN", "")) { - thisIsMyMachine = true; - } - else { - thisIsMyMachine = false; - } + m_clientRealmConfig = LDAPManager::loadClientRealmConfig(systemconfig, useDefaults); - m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3); - m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2); - m_bindPolicy = systemconfig->readEntry("ConnectionBindPolicy", "soft"); - m_ldapBindTimeout = systemconfig->readNumEntry("ConnectionBindTimeout", 2); - m_passwordHash = systemconfig->readEntry("ConnectionPasswordHash", "exop"); - m_ignoredUsers = systemconfig->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST); + base->systemEnableSupport->setChecked(m_clientRealmConfig.enable_bonding); // Load realms m_realms.clear(); - m_realms = LDAPManager::readTDERealmList(systemconfig, !thisIsMyMachine); + m_realms = LDAPManager::readTDERealmList(systemconfig, !m_clientRealmConfig.configurationVerifiedForLocalMachine); - base->ticketLifetime->setValue(m_ticketLifetime); + base->ticketLifetime->setValue(m_clientRealmConfig.ticketLifetime); - base->ldapVersion->setValue(m_ldapVersion); - base->ldapTimeout->setValue(m_ldapTimeout); + base->ldapVersion->setValue(m_clientRealmConfig.ldapVersion); + base->ldapTimeout->setValue(m_clientRealmConfig.ldapTimeout); for (i=0; i<base->bindPolicy->count(); i++) { - if (base->bindPolicy->text(i).lower() == m_defaultRealm.lower()) { + if (base->bindPolicy->text(i).lower() 
== m_clientRealmConfig.defaultRealm.lower()) { base->bindPolicy->setCurrentItem(i); break; } } - base->ldapBindTimeout->setValue(m_ldapBindTimeout); + base->ldapBindTimeout->setValue(m_clientRealmConfig.ldapBindTimeout); for (i=0; i<base->passwordHash->count(); i++) { - if (base->passwordHash->text(i).lower() == m_passwordHash.lower()) { + if (base->passwordHash->text(i).lower() == m_clientRealmConfig.passwordHash.lower()) { base->passwordHash->setCurrentItem(i); break; } } - base->ignoredUsers->setText(m_ignoredUsers); + base->ignoredUsers->setText(m_clientRealmConfig.ignoredUsers); updateRealmList(); @@ -195,9 +174,9 @@ void LDAPConfig::updateRealmList() { (void)new TQListViewItem(base->ldapRealmList, ((realmcfg.bonded)?i18n("Bonded"):i18n("Deactivated")), realmcfg.name); base->defaultRealm->insertItem(realmcfg.name); } - if (m_defaultRealm != "") { + if (m_clientRealmConfig.defaultRealm != "") { for (int i=0; i<base->defaultRealm->count(); i++) { - if (base->defaultRealm->text(i) == m_defaultRealm) { + if (base->defaultRealm->text(i) == m_clientRealmConfig.defaultRealm) { base->defaultRealm->setCurrentItem(i); break; } 
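Review bot: The bind-policy combo in `load` is matched against the wrong field: `if (base->bindPolicy->text(i).lower() == m_clientRealmConfig.defaultRealm.lower())` compares the policy entries (values like the removed default `"soft"`) with the default realm name, so the stored bind policy is never restored into the UI; the comparison should be `m_clientRealmConfig.bindPolicy.lower()`. The defect predates this commit (the removed line compared against `m_defaultRealm`), but the line is rewritten here, so this is the place to fix it. The rest of `load` is outside the hunk.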
@@ -213,71 +192,87 @@ void LDAPConfig::defaults() { void LDAPConfig::save() { TQString errorstring; + m_clientRealmConfig.hostFQDN = hostFQDN; + + m_clientRealmConfig.enable_bonding = base->systemEnableSupport->isChecked(); + m_clientRealmConfig.defaultRealm = base->defaultRealm->currentText(); + m_clientRealmConfig.ticketLifetime = base->ticketLifetime->value(); + + m_clientRealmConfig.ldapVersion = base->ldapVersion->value(); + m_clientRealmConfig.ldapTimeout = base->ldapTimeout->value(); + m_clientRealmConfig.bindPolicy = base->bindPolicy->currentText(); + m_clientRealmConfig.ldapBindTimeout = base->ldapBindTimeout->value(); + m_clientRealmConfig.passwordHash = base->passwordHash->currentText(); + m_clientRealmConfig.ignoredUsers = base->ignoredUsers->text(); + // Write system configuration - systemconfig->setGroup(NULL); - systemconfig->writeEntry("EnableLDAP", base->systemEnableSupport->isChecked()); - systemconfig->writeEntry("HostFQDN", m_fqdn); - m_defaultRealm = base->defaultRealm->currentText(); - m_ticketLifetime = base->ticketLifetime->value(); - - m_ldapVersion = base->ldapVersion->value(); - m_ldapTimeout = base->ldapTimeout->value(); - m_bindPolicy = base->bindPolicy->currentText(); - m_ldapBindTimeout = base->ldapBindTimeout->value(); - m_passwordHash = base->passwordHash->currentText(); - m_ignoredUsers = base->ignoredUsers->text(); - - if (m_defaultRealm != "") { - systemconfig->writeEntry("DefaultRealm", m_defaultRealm); - } - else { - systemconfig->deleteEntry("DefaultRealm"); + if (LDAPManager::saveClientRealmConfig(m_clientRealmConfig, systemconfig, &errorstring) != 0) { + KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration")); + return; } - systemconfig->writeEntry("TicketLifetime", m_ticketLifetime); - - systemconfig->writeEntry("ConnectionLDAPVersion", m_ldapVersion); - systemconfig->writeEntry("ConnectionLDAPTimeout", m_ldapTimeout); - 
systemconfig->writeEntry("ConnectionBindPolicy", m_bindPolicy); - systemconfig->writeEntry("ConnectionBindTimeout", m_ldapBindTimeout); - systemconfig->writeEntry("ConnectionPasswordHash", m_passwordHash); - systemconfig->writeEntry("ConnectionIgnoredUsers", m_ignoredUsers); LDAPManager::writeTDERealmList(m_realms, systemconfig); systemconfig->sync(); - if (base->systemEnableSupport->isChecked()) { + if (m_clientRealmConfig.enable_bonding) { // Write the Kerberos5 configuration file - writeKrb5ConfFile(); + if (LDAPManager::writeClientKrb5ConfFile(m_clientRealmConfig, m_realms, &errorstring) != 0) { + KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration")); + return; + } // Write the LDAP configuration file - writeLDAPConfFile(); + if (LDAPManager::writeLDAPConfFile(m_realms[m_clientRealmConfig.defaultRealm], &errorstring) != 0) { + KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration")); + return; + } // Write the NSSwitch configuration file - writeNSSwitchFile(); + if (LDAPManager::writeNSSwitchFile(&errorstring) != 0) { + KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration")); + return; + } // Write the PAM configuration files - writePAMFiles(); + if (LDAPManager::writePAMFiles(&errorstring) != 0) { + KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration")); + return; + } // Write the cron files - LDAPManager::writeCronFiles(); + if (LDAPManager::writeClientCronFiles() != 0) { + KMessageBox::error(this, i18n("<qt><b>Unable to save configuration!</b><p>Details: %2</qt>").arg(errorstring), i18n("Unable to Save Configuration")); + return; + } - if (m_defaultRealm != "") { + if 
(m_clientRealmConfig.defaultRealm != "") { // Bind anonymously to LDAP LDAPCredentials* credentials = new LDAPCredentials; credentials->username = ""; credentials->password = ""; - credentials->realm = m_defaultRealm.upper(); + credentials->realm = m_clientRealmConfig.defaultRealm.upper(); credentials->use_tls = false; - LDAPManager* ldap_mgr = new LDAPManager(m_defaultRealm.upper(), TQString("ldap://%1").arg(m_realms[m_defaultRealm].admin_server).ascii(), credentials); + LDAPManager* ldap_mgr = new LDAPManager(m_clientRealmConfig.defaultRealm.upper(), TQString("ldap://%1").arg(m_realms[m_clientRealmConfig.defaultRealm].admin_server).ascii(), credentials); // Add the domain-wide computer local admin group to local sudoers ldap_mgr->writeSudoersConfFile(&errorstring); + // Get and install the CA root certificate from LDAP mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); - if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PUBLICDIR + m_realms[m_defaultRealm].admin_server + ".ldap.crt", &errorstring) != 0) { - KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root certificate for realm %1!</b><p>Details: %2</qt>").arg(m_defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain Certificate")); + if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PUBLICDIR + m_realms[m_clientRealmConfig.defaultRealm].admin_server + ".ldap.crt", &errorstring) != 0) { + KMessageBox::sorry(this, i18n("<qt><b>Unable to obtain root certificate for realm %1!</b><p>Details: %2</qt>").arg(m_clientRealmConfig.defaultRealm.upper()).arg(errorstring), i18n("Unable to Obtain Certificate")); } delete ldap_mgr; delete credentials; } + + // Certificates may have changed; force the certificate update daemon to reload its configuration + pid_t certUpdaterPID; + TQFile pidFile(TDE_LDAP_CERT_UPDATER_PID_FILE); + if 
(pidFile.open(IO_ReadOnly)) { + TQTextStream stream(&pidFile); + stream >> certUpdaterPID; + pidFile.close(); + kill(certUpdaterPID, SIGHUP); + } } load(); @@ -339,7 +334,7 @@ void LDAPConfig::reBondToRealm() { passdlg.m_base->ldapAdminRealm->setText(realmName); if (passdlg.exec() == TQDialog::Accepted) { setEnabled(false); - if (LDAPManager::bondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) { + if (LDAPManager::bondRealm(passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) { // Success! realmcfg.bonded = true; m_realms.remove(realmName); 
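Review bot: `certUpdaterPID` is declared uninitialised (`pid_t certUpdaterPID;`) and passed straight to `kill(certUpdaterPID, SIGHUP);` after `stream >> certUpdaterPID;` with no check that the read produced a value, so an empty or truncated PID file leaves whatever `TQTextStream` stores on a failed parse (or the uninitialised value) in the variable — and since this module only does its work when `getuid() == 0`, a 0 or -1 there would HUP the whole process group or every process on the system. Initialise it (`pid_t certUpdaterPID = 0;`) and guard the call with `if (certUpdaterPID > 1) { kill(certUpdaterPID, SIGHUP); }`; a stale file left behind by a crashed daemon can still hit an unrelated process, so the value deserves a comment noting that limitation. Separately, the error box after `LDAPManager::writeClientCronFiles()` displays `errorstring`, but that call takes no error pointer, so the dialog shows whatever a previous step left in the variable (usually nothing). `save` continues past the hunk.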
@@ -406,117 +401,6 @@ void LDAPConfig::realmProperties() { } } -void LDAPConfig::writeKrb5ConfFile() { - TQFile file(KRB5_FILE); - if (file.open(IO_WriteOnly)) { - TQTextStream stream( &file ); - - stream << "# This file was automatically generated by TDE\n"; - stream << "# All changes will be lost!\n"; - stream << "\n"; - - // Defaults - stream << "[libdefaults]\n"; - stream << " ticket_lifetime = " << m_ticketLifetime << "\n"; - if (m_defaultRealm != "") { - stream << " default_realm = " << m_defaultRealm << "\n"; - } - stream << "\n"; - - // Realms - stream << "[realms]\n"; - LDAPRealmConfigList::Iterator it; - for (it = m_realms.begin(); it != m_realms.end(); ++it) { - LDAPRealmConfig realmcfg = it.data(); - stream << " " << realmcfg.name << " = {\n"; - stream << " kdc = " << realmcfg.kdc << ":" << realmcfg.kdc_port << "\n"; - stream << " admin_server = " << realmcfg.admin_server << ":" << realmcfg.admin_server_port << "\n"; - stream << " pkinit_require_eku = " << (realmcfg.pkinit_require_eku?"true":"false") << "\n"; - stream << " pkinit_require_krbtgt_otherName = " << (realmcfg.pkinit_require_krbtgt_otherName?"true":"false") << "\n"; - stream << " win2k_pkinit = " << (realmcfg.win2k_pkinit?"yes":"no") << "\n"; - stream << " win2k_pkinit_require_binding = " << (realmcfg.win2k_pkinit_require_binding?"yes":"no") << "\n"; - stream << " }\n"; - } - stream << "\n"; - - // Domain aliases - stream << "[domain_realm]\n"; - LDAPRealmConfigList::Iterator it2; - for (it2 = m_realms.begin(); it2 != m_realms.end(); ++it2) { - LDAPRealmConfig realmcfg = it2.data(); - TQStringList domains = realmcfg.domain_mappings; - for (TQStringList::Iterator it3 = domains.begin(); it3 != domains.end(); ++it3 ) { - stream << " " << *it3 << " = " << realmcfg.name << "\n"; - } - } - - file.close(); - } -} - -void LDAPConfig::writeLDAPConfFile() { - LDAPManager::writeLDAPConfFile(m_realms[m_defaultRealm]); -} - -void LDAPConfig::writeNSSwitchFile() { - TQFile file(NSSWITCH_FILE); - if 
(file.open(IO_WriteOnly)) { - TQTextStream stream( &file ); - - stream << "# This file was automatically generated by TDE\n"; - stream << "# All changes will be lost!\n"; - stream << "\n"; - stream << "passwd: files ldap [NOTFOUND=return] db" << "\n"; - stream << "group: files ldap [NOTFOUND=return] db" << "\n"; - stream << "shadow: files ldap [NOTFOUND=return] db" << "\n"; - stream << "\n"; - stream << "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4" << "\n"; - stream << "networks: files" << "\n"; - stream << "\n"; - stream << "protocols: db files" << "\n"; - stream << "services: db files" << "\n"; - stream << "ethers: db files" << "\n"; - stream << "rpc: db files" << "\n"; - stream << "\n"; - stream << "netgroup: nis" << "\n"; - - file.close(); - } -} - -void LDAPConfig::writePAMFiles() { - TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT); - if (file.open(IO_WriteOnly)) { - TQTextStream stream( &file ); - - stream << "# This file was automatically generated by TDE\n"; - stream << "# All changes will be lost!\n"; - stream << "\n"; - stream << "account sufficient pam_unix.so nullok_secure" << "\n"; - stream << "account sufficient pam_ldap.so" << "\n"; - stream << "account required pam_permit.so" << "\n"; - - file.close(); - } - - TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH); - if (file2.open(IO_WriteOnly)) { - TQTextStream stream( &file2 ); - - stream << "# This file was automatically generated by TDE\n"; - stream << "# All changes will be lost!\n"; - stream << "\n"; - stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n"; - stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n"; - stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n"; - stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n"; - stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n"; - stream << "auth required pam_deny.so" << "\n"; - 
- file2.close(); - } -} - int LDAPConfig::buttons() { return TDECModule::Apply|TDECModule::Help; } diff --git a/src/ldapbonding.h b/src/ldapbonding.h index a6686a3..d7ab3ff 100644 --- a/src/ldapbonding.h +++ b/src/ldapbonding.h @@ -1,5 +1,5 @@ /*************************************************************************** - * Copyright (C) 2012 by Timothy Pearson * + * Copyright (C) 2012-2013 by Timothy Pearson * * * * This program is free software; you can redistribute it and/or modify * @@ -65,26 +65,15 @@ class LDAPConfig: public TDECModule private: void updateRealmList(); - void writeKrb5ConfFile(); - void writeLDAPConfFile(); - void writeNSSwitchFile(); - void writePAMFiles(); private: TDEAboutData *myAboutData; TDEGlobalSettings *kgs; LDAPConfigBase *base; LDAPRealmConfigList m_realms; - TQString m_fqdn; - TQString m_defaultRealm; - int m_ticketLifetime; + LDAPClientRealmConfig m_clientRealmConfig; - int m_ldapVersion; - int m_ldapTimeout; - TQString m_bindPolicy; - int m_ldapBindTimeout; - TQString m_passwordHash; - TQString m_ignoredUsers; + TQString hostFQDN; }; #endif // _KCMLDAP_H_ @@ -1,3 +1,4 @@ +cert-updater cmdline doc pics |