summaryrefslogtreecommitdiffstats
path: root/src/ldapbonding.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'src/ldapbonding.cpp')
-rw-r--r--src/ldapbonding.cpp717
1 files changed, 717 insertions, 0 deletions
diff --git a/src/ldapbonding.cpp b/src/ldapbonding.cpp
new file mode 100644
index 0000000..9c9d9b5
--- /dev/null
+++ b/src/ldapbonding.cpp
@@ -0,0 +1,717 @@
+/***************************************************************************
+ * Copyright (C) 2012 by Timothy Pearson *
+ * [email protected] *
+ * *
+ * This program is free software; you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation; either version 2 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * This program is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with this program; if not, write to the *
+ * Free Software Foundation, Inc., *
+ * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
+ ***************************************************************************/
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+#include <tqlayout.h>
+
+#include <klocale.h>
+#include <kglobal.h>
+#include <kcombobox.h>
+#include <kparts/genericfactory.h>
+#include <ksimpleconfig.h>
+#include <kglobalsettings.h>
+#include <kstandarddirs.h>
+#include <kurlrequester.h>
+#include <klistview.h>
+#include <kopenwith.h>
+#include <kpropertiesdialog.h>
+#include <kio/job.h>
+#include <tqdir.h>
+#include <tqheader.h>
+#include <knuminput.h>
+#include <kpassdlg.h>
+#include <klineedit.h>
+#include <kmessagebox.h>
+
+#include <tdesu/process.h>
+
+#include "ldapbonding.h"
+#include "bondwizard.h"
+#include "ldappasswddlg.h"
+#include "realmpropertiesdialog.h"
+
+// FIXME
+// Connect this to CMake/Automake
+#define KDE_CONFDIR "/etc/trinity"
+#define KRB5_FILE "/etc/krb5.conf"
+#define NSSWITCH_FILE "/etc/nsswitch.conf"
+#define PAMD_DIRECTORY "/etc/pam.d/"
+#define PAMD_COMMON_ACCOUNT "common-account"
+#define PAMD_COMMON_AUTH "common-auth"
+#define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db"
+
+typedef KGenericFactory<LDAPConfig, TQWidget> ldapFactory;
+
+K_EXPORT_COMPONENT_FACTORY( kcm_ldap, ldapFactory("kcmldap"))
+
+KSimpleConfig *systemconfig = 0;
+
+LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&)
+ : KCModule(parent, name), myAboutData(0)
+{
+ TQVBoxLayout *layout = new TQVBoxLayout(this, KDialog::marginHint(), KDialog::spacingHint());
+ systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
+ systemconfig->setFileWriteMode(S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+
+ KAboutData* about = new KAboutData("ldap", I18N_NOOP("TDE LDAP Manager"), "0.1",
+ I18N_NOOP("TDE LDAP Manager Control Panel Module"),
+ KAboutData::License_GPL,
+ I18N_NOOP("(c) 2012 Timothy Pearson"), 0, 0);
+
+ about->addAuthor("Timothy Pearson", 0, "[email protected]");
+ setAboutData( about );
+
+ base = new LDAPConfigBase(this);
+ layout->add(base);
+ base->ldapRealmList->setAllColumnsShowFocus(true);
+ base->ldapRealmList->setFullWidth(true);
+
+ setRootOnlyMsg(i18n("<b>Bonded LDAP realms take effect system wide, and require administrator access to modify</b><br>To alter the system's bonded LDAP realms, click on the \"Administrator Mode\" button below."));
+ setUseRootOnlyMsg(true);
+
+ connect(base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
+ connect(base->defaultRealm, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
+ connect(base->ticketLifetime, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
+ connect(base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
+ connect(base->ldapRealmList, TQT_SIGNAL(selectionChanged()), this, TQT_SLOT(processLockouts()));
+
+ connect(base->btnBondRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(bondToNewRealm()));
+ connect(base->btnReBondRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(reBondToRealm()));
+ connect(base->btnRemoveRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(removeRealm()));
+ connect(base->btnDeactivateRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(deactivateRealm()));
+ connect(base->btnRealmProperties, TQT_SIGNAL(clicked()), this, TQT_SLOT(realmProperties()));
+
+ connect(base->ldapVersion, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
+ connect(base->ldapTimeout, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
+ connect(base->bindPolicy, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
+ connect(base->ldapBindTimeout, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
+ connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
+ connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed()));
+
+ m_fqdn = getMachineFQDN();
+ base->hostFQDN->setEnabled(false);
+ base->hostFQDN->clear();
+ base->hostFQDN->insertItem(m_fqdn);
+
+ load();
+
+ if (getuid() != 0 || !systemconfig->checkConfigFilesWritable( true )) {
+ base->systemEnableSupport->setEnabled(false);
+ }
+
+ processLockouts();
+};
+
+LDAPConfig::~LDAPConfig() {
+ delete systemconfig;
+}
+
+// FIXME
+// This should be moved to a TDE core library
+TQString LDAPConfig::getMachineFQDN() {
+ struct addrinfo hints, *info, *p;
+ int gai_result;
+
+ char hostname[1024];
+ hostname[1023] = '\0';
+ gethostname(hostname, 1023);
+
+ memset(&hints, 0, sizeof hints);
+ hints.ai_family = AF_UNSPEC; // IPV4 or IPV6
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_CANONNAME;
+
+ if ((gai_result = getaddrinfo(hostname, NULL, &hints, &info)) != 0) {
+ return TQString(hostname);
+ }
+ TQString fqdn = TQString(hostname);
+ for (p=info; p!=NULL; p=p->ai_next) {
+ fqdn = TQString(p->ai_canonname);
+ }
+ freeaddrinfo(info);
+
+ return fqdn;
+}
+
+void LDAPConfig::load() {
+ kgs = new KGlobalSettings();
+
+ load(false);
+}
+
+void LDAPConfig::load(bool useDefaults )
+{
+ int i;
+ bool thisIsMyMachine;
+
+ //Update the toggle buttons with the current configuration
+ systemconfig->setReadDefaults( useDefaults );
+
+ systemconfig->setGroup(NULL);
+ base->systemEnableSupport->setChecked(systemconfig->readBoolEntry("EnableLDAP", false));
+ m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null);
+ m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400);
+ if (m_fqdn == systemconfig->readEntry("HostFQDN", "")) {
+ thisIsMyMachine = true;
+ }
+ else {
+ thisIsMyMachine = false;
+ }
+
+ m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3);
+ m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2);
+ m_bindPolicy = systemconfig->readEntry("ConnectionBindPolicy", "soft");
+ m_ldapBindTimeout = systemconfig->readNumEntry("ConnectionBindTimeout", 2);
+ m_passwordHash = systemconfig->readEntry("ConnectionPasswordHash", "exop");
+ m_ignoredUsers = systemconfig->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST);
+
+ // Load realms
+ m_realms.clear();
+ TQStringList cfgRealms = systemconfig->groupList();
+ for (TQStringList::Iterator it(cfgRealms.begin()); it != cfgRealms.end(); ++it) {
+ if ((*it).startsWith("LDAPRealm-")) {
+ systemconfig->setGroup(*it);
+ TQString realmName=*it;
+ realmName.remove(0,strlen("LDAPRealm-"));
+ if (!m_realms.contains(realmName)) {
+ // Read in realm data
+ LDAPRealmConfig realmcfg;
+ realmcfg.name = realmName;
+ if (thisIsMyMachine) {
+ realmcfg.bonded = systemconfig->readBoolEntry("bonded");
+ }
+ else {
+ realmcfg.bonded = false;
+ }
+ realmcfg.uid_offset = systemconfig->readNumEntry("uid_offset");
+ realmcfg.gid_offset = systemconfig->readNumEntry("gid_offset");
+ realmcfg.domain_mappings = systemconfig->readListEntry("domain_mappings");
+ realmcfg.kdc = systemconfig->readEntry("kdc");
+ realmcfg.kdc_port = systemconfig->readNumEntry("kdc_port");
+ realmcfg.admin_server = systemconfig->readEntry("admin_server");
+ realmcfg.admin_server_port = systemconfig->readNumEntry("admin_server_port");
+ realmcfg.pkinit_require_eku = systemconfig->readBoolEntry("pkinit_require_eku");
+ realmcfg.pkinit_require_krbtgt_otherName = systemconfig->readBoolEntry("pkinit_require_krbtgt_otherName");
+ realmcfg.win2k_pkinit = systemconfig->readBoolEntry("win2k_pkinit");
+ realmcfg.win2k_pkinit_require_binding = systemconfig->readBoolEntry("win2k_pkinit_require_binding");
+ // Add realm to list
+ m_realms.insert(realmName, realmcfg);
+ }
+ }
+ }
+
+ base->ticketLifetime->setValue(m_ticketLifetime);
+
+ base->ldapVersion->setValue(m_ldapVersion);
+ base->ldapTimeout->setValue(m_ldapTimeout);
+ for (i=0; i<base->bindPolicy->count(); i++) {
+ if (base->bindPolicy->text(i).lower() == m_defaultRealm.lower()) {
+ base->bindPolicy->setCurrentItem(i);
+ break;
+ }
+ }
+ base->ldapBindTimeout->setValue(m_ldapBindTimeout);
+ for (i=0; i<base->passwordHash->count(); i++) {
+ if (base->passwordHash->text(i).lower() == m_passwordHash.lower()) {
+ base->passwordHash->setCurrentItem(i);
+ break;
+ }
+ }
+ base->ignoredUsers->setText(m_ignoredUsers);
+
+ updateRealmList();
+
+ processLockouts();
+
+ emit changed(useDefaults);
+}
+
+void LDAPConfig::updateRealmList() {
+ base->ldapRealmList->clear();
+ base->defaultRealm->clear();
+ LDAPRealmConfigList::Iterator it;
+ for (it = m_realms.begin(); it != m_realms.end(); ++it) {
+ LDAPRealmConfig realmcfg = it.data();
+ (void)new TQListViewItem(base->ldapRealmList, ((realmcfg.bonded)?i18n("Bonded"):i18n("Deactivated")), realmcfg.name);
+ base->defaultRealm->insertItem(realmcfg.name);
+ }
+ if (m_defaultRealm != "") {
+ for (int i=0; i<base->defaultRealm->count(); i++) {
+ if (base->defaultRealm->text(i) == m_defaultRealm) {
+ base->defaultRealm->setCurrentItem(i);
+ break;
+ }
+ }
+ }
+ processLockouts();
+}
+
+void LDAPConfig::defaults() {
+
+}
+
+void LDAPConfig::save() {
+ // Write system configuration
+ systemconfig->setGroup(NULL);
+ systemconfig->writeEntry("EnableLDAP", base->systemEnableSupport->isChecked());
+ systemconfig->writeEntry("HostFQDN", m_fqdn);
+ m_defaultRealm = base->defaultRealm->currentText();
+ m_ticketLifetime = base->ticketLifetime->value();
+
+ m_ldapVersion = base->ldapVersion->value();
+ m_ldapTimeout = base->ldapTimeout->value();
+ m_bindPolicy = base->bindPolicy->currentText();
+ m_ldapBindTimeout = base->ldapBindTimeout->value();
+ m_passwordHash = base->passwordHash->currentText();
+ m_ignoredUsers = base->ignoredUsers->text();
+
+ if (m_defaultRealm != "") {
+ systemconfig->writeEntry("DefaultRealm", m_defaultRealm);
+ }
+ else {
+ systemconfig->deleteEntry("DefaultRealm");
+ }
+ systemconfig->writeEntry("TicketLifetime", m_ticketLifetime);
+
+ systemconfig->writeEntry("ConnectionLDAPVersion", m_ldapVersion);
+ systemconfig->writeEntry("ConnectionLDAPTimeout", m_ldapTimeout);
+ systemconfig->writeEntry("ConnectionBindPolicy", m_bindPolicy);
+ systemconfig->writeEntry("ConnectionBindTimeout", m_ldapBindTimeout);
+ systemconfig->writeEntry("ConnectionPasswordHash", m_passwordHash);
+ systemconfig->writeEntry("ConnectionIgnoredUsers", m_ignoredUsers);
+
+ LDAPManager::writeTDERealmList(m_realms, systemconfig);
+ systemconfig->sync();
+
+ if (base->systemEnableSupport->isChecked()) {
+ // Write the Kerberos5 configuration file
+ writeKrb5ConfFile();
+ // Write the LDAP configuration file
+ writeLDAPConfFile();
+ // Write the NSSwitch configuration file
+ writeNSSwitchFile();
+ // Write the PAM configuration files
+ writePAMFiles();
+ // Write the cron files
+ writeCronFiles();
+ // RAJA FIXME
+ // Update the SUDOERS file with the domain-wide computer local admin group!
+ }
+
+ load();
+}
+
+void LDAPConfig::processLockouts() {
+ bool panelIsEnabled = (base->systemEnableSupport->isEnabled() && base->systemEnableSupport->isChecked());
+
+ base->groupRealms->setEnabled(panelIsEnabled);
+ base->groupKrbDefaults->setEnabled(panelIsEnabled);
+ base->groupConnectionParameters->setEnabled(panelIsEnabled);
+
+ TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
+ if (selrealm) {
+ LDAPRealmConfig realmcfg = m_realms[selrealm->text(1)];
+ base->btnBondRealm->setEnabled(true);
+ base->btnReBondRealm->setEnabled(true);
+ if (realmcfg.bonded) {
+ base->btnDeactivateRealm->setEnabled(true);
+ base->btnRemoveRealm->setEnabled(false);
+ base->btnRealmProperties->setEnabled(false);
+ }
+ else {
+ base->btnDeactivateRealm->setEnabled(false);
+ base->btnRemoveRealm->setEnabled(true);
+ base->btnRealmProperties->setEnabled(true);
+ }
+ }
+ else {
+ base->btnBondRealm->setEnabled(true);
+ base->btnReBondRealm->setEnabled(false);
+ base->btnDeactivateRealm->setEnabled(false);
+ base->btnRemoveRealm->setEnabled(false);
+ base->btnRealmProperties->setEnabled(false);
+ }
+}
+
+void LDAPConfig::bondToNewRealm() {
+ // Something will probably change
+ save();
+
+ BondWizard bondwizard(&m_realms, this, this);
+ bondwizard.exec();
+
+ // Something probably changed
+ load();
+}
+
+void LDAPConfig::reBondToRealm() {
+ TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
+ if (selrealm) {
+ TQString realmName = selrealm->text(1);
+ LDAPRealmConfig realmcfg = m_realms[realmName];
+
+ // Password prompt...
+ TQString errorString;
+ LDAPPasswordDialog passdlg(this);
+ passdlg.m_base->ldapAdminRealm->setEnabled(false);
+ passdlg.m_base->ldapAdminRealm->setText(realmName);
+ if (passdlg.exec() == TQDialog::Accepted) {
+ setEnabled(false);
+ if (bondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) {
+ // Success!
+ realmcfg.bonded = true;
+ m_realms.remove(realmName);
+ m_realms.insert(realmName, realmcfg);
+ save();
+ }
+ else {
+ KMessageBox::error(this, i18n("<qt><b>Unable to bond to realm!</b><p>Details: %1</qt>").arg(errorString), i18n("Unable to Bond to Realm"));
+ }
+ setEnabled(true);
+ }
+ }
+ updateRealmList();
+}
+
+void LDAPConfig::removeRealm() {
+ TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
+ if (selrealm) {
+ m_realms.remove(selrealm->text(1));
+ updateRealmList();
+ changed();
+ }
+}
+
+void LDAPConfig::deactivateRealm() {
+ TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
+ if (selrealm) {
+ TQString realmName = selrealm->text(1);
+ LDAPRealmConfig realmcfg = m_realms[realmName];
+ if (realmcfg.bonded == true) {
+ // Password prompt...
+ TQString errorString;
+ LDAPPasswordDialog passdlg(this);
+ passdlg.m_base->ldapAdminRealm->setEnabled(false);
+ passdlg.m_base->ldapAdminRealm->setText(realmName);
+ passdlg.m_base->passprompt->setText(i18n("Please provide LDAP realm administrator credentials below to complete the unbonding process"));
+ if (passdlg.exec() == TQDialog::Accepted) {
+ setEnabled(false);
+ if (unbondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) {
+ // Success!
+ realmcfg.bonded = false;
+ m_realms.remove(realmName);
+ m_realms.insert(realmName, realmcfg);
+ save();
+ }
+ else {
+ KMessageBox::error(this, i18n("<qt><b>Unable to unbond from realm!</b><p>%1</qt>").arg(errorString), i18n("Unable to Unbond from Realm"));
+ }
+ setEnabled(true);
+ }
+ }
+ }
+ updateRealmList();
+}
+
+TQString readFullLineFromPtyProcess(PtyProcess* proc) {
+ TQString result = "";
+ while ((!result.contains("\n")) && (!result.contains(":")) && (!result.contains(">"))) {
+ result = result + TQString(proc->readLine(false));
+ tqApp->processEvents();
+ }
+ return result;
+}
+
+int LDAPConfig::bondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) {
+ TQCString command = "kadmin";
+ QCStringList args;
+ args << TQCString("-p") << TQCString(adminUserName+"@"+(adminRealm.upper())) << TQCString("-r") << TQCString(adminRealm.upper());
+
+ TQString hoststring = "host/"+m_fqdn;
+
+ TQString prompt;
+ PtyProcess kadminProc;
+ kadminProc.exec(command, args);
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt == "kadmin>") {
+ kadminProc.writeLine(TQCString("ext "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt.endsWith(" Password:")) {
+ kadminProc.writeLine(adminPassword, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else if (prompt.endsWith("Principal does not exist")) {
+ kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ // Use all defaults
+ while (prompt != "kadmin>") {
+ if (prompt.endsWith(" Password:")) {
+ kadminProc.writeLine(adminPassword, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else {
+ // Extract whatever default is in the [brackets] and feed it back to kadmin
+ TQString defaultParam;
+ int leftbracket = prompt.find("[");
+ int rightbracket = prompt.find("]");
+ if ((leftbracket >= 0) && (rightbracket >= 0)) {
+ leftbracket++;
+ defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket);
+ }
+ kadminProc.writeLine(TQCString(defaultParam), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ }
+ kadminProc.writeLine(TQCString("ext "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt != "kadmin>") {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+ else if (prompt == "kadmin>") {
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+
+ // Failure
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
+ return 1; // Failure
+}
+
+int LDAPConfig::unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) {
+ TQCString command = "kadmin";
+ QCStringList args;
+ args << TQCString("-p") << TQCString(adminUserName+"@"+(adminRealm.upper()));
+
+ TQString hoststring = "host/"+m_fqdn;
+
+ TQString prompt;
+ PtyProcess kadminProc;
+ kadminProc.exec(command, args);
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt == "kadmin>") {
+ kadminProc.writeLine(TQCString("delete "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt.endsWith(" Password:")) {
+ kadminProc.writeLine(adminPassword, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ if (prompt != "kadmin>") {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+
+ return 1; // Failure
+}
+
+void LDAPConfig::realmProperties() {
+ TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
+ if (selrealm) {
+ RealmPropertiesDialog rpdialog(&m_realms, selrealm->text(1), this);
+ if (rpdialog.exec() == TQDialog::Accepted) {
+ updateRealmList();
+ changed();
+ }
+ }
+}
+
+void LDAPConfig::writeKrb5ConfFile() {
+ TQFile file(KRB5_FILE);
+ if (file.open(IO_WriteOnly)) {
+ TQTextStream stream( &file );
+
+ stream << "# This file was automatically generated by TDE\n";
+ stream << "# All changes will be lost!\n";
+ stream << "\n";
+
+ // Defaults
+ stream << "[libdefaults]\n";
+ stream << " ticket_lifetime = " << m_ticketLifetime << "\n";
+ if (m_defaultRealm != "") {
+ stream << " default_realm = " << m_defaultRealm << "\n";
+ }
+ stream << "\n";
+
+ // Realms
+ stream << "[realms]\n";
+ LDAPRealmConfigList::Iterator it;
+ for (it = m_realms.begin(); it != m_realms.end(); ++it) {
+ LDAPRealmConfig realmcfg = it.data();
+ stream << " " << realmcfg.name << " = {\n";
+ stream << " kdc = " << realmcfg.kdc << ":" << realmcfg.kdc_port << "\n";
+ stream << " admin_server = " << realmcfg.admin_server << ":" << realmcfg.admin_server_port << "\n";
+ stream << " pkinit_require_eku = " << (realmcfg.pkinit_require_eku?"true":"false") << "\n";
+ stream << " pkinit_require_krbtgt_otherName = " << (realmcfg.pkinit_require_krbtgt_otherName?"true":"false") << "\n";
+ stream << " win2k_pkinit = " << (realmcfg.win2k_pkinit?"yes":"no") << "\n";
+ stream << " win2k_pkinit_require_binding = " << (realmcfg.win2k_pkinit_require_binding?"yes":"no") << "\n";
+ stream << " }\n";
+ }
+ stream << "\n";
+
+ // Domain aliases
+ stream << "[domain_realm]\n";
+ LDAPRealmConfigList::Iterator it2;
+ for (it2 = m_realms.begin(); it2 != m_realms.end(); ++it2) {
+ LDAPRealmConfig realmcfg = it2.data();
+ TQStringList domains = realmcfg.domain_mappings;
+ for (TQStringList::Iterator it3 = domains.begin(); it3 != domains.end(); ++it3 ) {
+ stream << " " << *it3 << " = " << realmcfg.name << "\n";
+ }
+ }
+
+ file.close();
+ }
+}
+
+void LDAPConfig::writeLDAPConfFile() {
+ LDAPManager::writeLDAPConfFile(m_realms[m_defaultRealm]);
+}
+
+void LDAPConfig::writeNSSwitchFile() {
+ TQFile file(NSSWITCH_FILE);
+ if (file.open(IO_WriteOnly)) {
+ TQTextStream stream( &file );
+
+ stream << "# This file was automatically generated by TDE\n";
+ stream << "# All changes will be lost!\n";
+ stream << "\n";
+ stream << "passwd: files ldap [NOTFOUND=return] db" << "\n";
+ stream << "group: files ldap [NOTFOUND=return] db" << "\n";
+ stream << "shadow: files ldap [NOTFOUND=return] db" << "\n";
+ stream << "\n";
+ stream << "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4" << "\n";
+ stream << "networks: files" << "\n";
+ stream << "\n";
+ stream << "protocols: db files" << "\n";
+ stream << "services: db files" << "\n";
+ stream << "ethers: db files" << "\n";
+ stream << "rpc: db files" << "\n";
+ stream << "\n";
+ stream << "netgroup: nis" << "\n";
+
+ file.close();
+ }
+}
+
+void LDAPConfig::writePAMFiles() {
+ TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT);
+ if (file.open(IO_WriteOnly)) {
+ TQTextStream stream( &file );
+
+ stream << "# This file was automatically generated by TDE\n";
+ stream << "# All changes will be lost!\n";
+ stream << "\n";
+ stream << "account sufficient pam_unix.so nullok_secure" << "\n";
+ stream << "account sufficient pam_ldap.so" << "\n";
+ stream << "account required pam_permit.so" << "\n";
+
+ file.close();
+ }
+
+ TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH);
+ if (file2.open(IO_WriteOnly)) {
+ TQTextStream stream( &file2 );
+
+ stream << "# This file was automatically generated by TDE\n";
+ stream << "# All changes will be lost!\n";
+ stream << "\n";
+ stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n";
+ stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
+ stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
+ stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
+ stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
+ stream << "auth required pam_deny.so" << "\n";
+
+ file2.close();
+ }
+}
+
+void LDAPConfig::writeCronFiles() {
+ TQFile file(CRON_UPDATE_NSS_FILE);
+ if (file.open(IO_WriteOnly)) {
+ TQTextStream stream( &file );
+
+ stream << "# This file was automatically generated by TDE\n";
+ stream << "# All changes will be lost!\n";
+ stream << "\n";
+ stream << "#!/bin/sh" << "\n";
+ stream << "/usr/sbin/nss_updatedb ldap" << "\n";
+
+ file.close();
+ }
+}
+
+int LDAPConfig::buttons() {
+ return KCModule::Apply|KCModule::Help;
+}
+
+TQString LDAPConfig::quickHelp() const
+{
+ return i18n("This module configures which LDAP realms TDE uses for authentication.");
+}
generated by cgit v1.2.1 (git 2.18.0) at 2025-01-07 03:43:04 +0000