/*************************************************************************** * Copyright (C) 2012 by Timothy Pearson * * kb9vqf@pearsoncomputing.net * * * * This program is free software; you can redistribute it and/or modify * * it under the terms of the GNU General Public License as published by * * the Free Software Foundation; either version 2 of the License, or * * (at your option) any later version. * * * * This program is distributed in the hope that it will be useful, * * but WITHOUT ANY WARRANTY; without even the implied warranty of * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * * GNU General Public License for more details. * * * * You should have received a copy of the GNU General Public License * * along with this program; if not, write to the * * Free Software Foundation, Inc., * * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ***************************************************************************/ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "ldapbonding.h" #include "bondwizard.h" #include "ldappasswddlg.h" #include "realmpropertiesdialog.h" // FIXME // Connect this to CMake/Automake #define KDE_CONFDIR "/etc/trinity" #define KRB5_FILE "/etc/krb5.conf" #define NSSWITCH_FILE "/etc/nsswitch.conf" #define PAMD_DIRECTORY "/etc/pam.d/" #define PAMD_COMMON_ACCOUNT "common-account" #define PAMD_COMMON_AUTH "common-auth" typedef KGenericFactory ldapFactory; K_EXPORT_COMPONENT_FACTORY( kcm_ldap, ldapFactory("kcmldap")) KSimpleConfig *systemconfig = 0; LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&) : KCModule(parent, name), myAboutData(0) { TQVBoxLayout *layout = new TQVBoxLayout(this, KDialog::marginHint(), KDialog::spacingHint()); systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" )); systemconfig->setFileWriteMode(S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); KAboutData* about = new KAboutData("ldap", I18N_NOOP("TDE LDAP Manager"), "0.1", I18N_NOOP("TDE LDAP Manager Control Panel Module"), KAboutData::License_GPL, I18N_NOOP("(c) 2012 Timothy Pearson"), 0, 0); about->addAuthor("Timothy Pearson", 0, "kb9vqf@pearsoncomputing.net"); setAboutData( about ); base = new LDAPConfigBase(this); layout->add(base); base->ldapRealmList->setAllColumnsShowFocus(true); base->ldapRealmList->setFullWidth(true); setRootOnlyMsg(i18n("Bonded LDAP realms take effect system wide, and require administrator access to modify
To alter the system's bonded LDAP realms, click on the \"Administrator Mode\" button below.")); setUseRootOnlyMsg(true); connect(base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed())); connect(base->defaultRealm, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed())); connect(base->ticketLifetime, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed())); connect(base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts())); connect(base->ldapRealmList, TQT_SIGNAL(selectionChanged()), this, TQT_SLOT(processLockouts())); connect(base->btnBondRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(bondToNewRealm())); connect(base->btnReBondRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(reBondToRealm())); connect(base->btnRemoveRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(removeRealm())); connect(base->btnDeactivateRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(deactivateRealm())); connect(base->btnRealmProperties, TQT_SIGNAL(clicked()), this, TQT_SLOT(realmProperties())); connect(base->ldapVersion, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed())); connect(base->ldapTimeout, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed())); connect(base->bindPolicy, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed())); connect(base->ldapBindTimeout, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed())); connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed())); connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed())); m_fqdn = LDAPManager::getMachineFQDN(); base->hostFQDN->setEnabled(false); base->hostFQDN->clear(); base->hostFQDN->insertItem(m_fqdn); load(); systemconfig->setGroup(NULL); TQString ldapRole = systemconfig->readEntry("LDAPRole", "Workstation"); if ((getuid() != 0) || (!systemconfig->checkConfigFilesWritable( true )) || (ldapRole != "Workstation")) { base->systemEnableSupport->setEnabled(false); } processLockouts(); }; LDAPConfig::~LDAPConfig() { delete systemconfig; } void LDAPConfig::load() { kgs = new KGlobalSettings(); load(false); } void LDAPConfig::load(bool useDefaults ) { int i; bool thisIsMyMachine; //Update the toggle buttons with the current configuration systemconfig->setReadDefaults( useDefaults ); systemconfig->setGroup(NULL); base->systemEnableSupport->setChecked(systemconfig->readBoolEntry("EnableLDAP", false)); m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null); m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400); if (m_fqdn == systemconfig->readEntry("HostFQDN", "")) { thisIsMyMachine = true; } else { thisIsMyMachine = false; } m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3); m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2); m_bindPolicy = systemconfig->readEntry("ConnectionBindPolicy", "soft"); m_ldapBindTimeout = systemconfig->readNumEntry("ConnectionBindTimeout", 2); m_passwordHash = systemconfig->readEntry("ConnectionPasswordHash", "exop"); m_ignoredUsers = systemconfig->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST); // Load realms m_realms.clear(); m_realms = LDAPManager::readTDERealmList(systemconfig, !thisIsMyMachine); base->ticketLifetime->setValue(m_ticketLifetime); base->ldapVersion->setValue(m_ldapVersion); base->ldapTimeout->setValue(m_ldapTimeout); for (i=0; ibindPolicy->count(); i++) { if (base->bindPolicy->text(i).lower() == m_defaultRealm.lower()) { base->bindPolicy->setCurrentItem(i); break; } } base->ldapBindTimeout->setValue(m_ldapBindTimeout); for (i=0; ipasswordHash->count(); i++) { if (base->passwordHash->text(i).lower() == m_passwordHash.lower()) { base->passwordHash->setCurrentItem(i); break; } } base->ignoredUsers->setText(m_ignoredUsers); updateRealmList(); processLockouts(); emit changed(useDefaults); } void LDAPConfig::updateRealmList() { base->ldapRealmList->clear(); base->defaultRealm->clear(); LDAPRealmConfigList::Iterator it; for (it = m_realms.begin(); it != m_realms.end(); ++it) { LDAPRealmConfig realmcfg = it.data(); (void)new TQListViewItem(base->ldapRealmList, ((realmcfg.bonded)?i18n("Bonded"):i18n("Deactivated")), realmcfg.name); base->defaultRealm->insertItem(realmcfg.name); } if (m_defaultRealm != "") { for (int i=0; idefaultRealm->count(); i++) { if (base->defaultRealm->text(i) == m_defaultRealm) { base->defaultRealm->setCurrentItem(i); break; } } } processLockouts(); } void LDAPConfig::defaults() { } void LDAPConfig::save() { TQString errorstring; // Write system configuration systemconfig->setGroup(NULL); systemconfig->writeEntry("EnableLDAP", base->systemEnableSupport->isChecked()); systemconfig->writeEntry("HostFQDN", m_fqdn); m_defaultRealm = base->defaultRealm->currentText(); m_ticketLifetime = base->ticketLifetime->value(); m_ldapVersion = base->ldapVersion->value(); m_ldapTimeout = base->ldapTimeout->value(); m_bindPolicy = base->bindPolicy->currentText(); m_ldapBindTimeout = base->ldapBindTimeout->value(); m_passwordHash = base->passwordHash->currentText(); m_ignoredUsers = base->ignoredUsers->text(); if (m_defaultRealm != "") { systemconfig->writeEntry("DefaultRealm", m_defaultRealm); } else { systemconfig->deleteEntry("DefaultRealm"); } systemconfig->writeEntry("TicketLifetime", m_ticketLifetime); systemconfig->writeEntry("ConnectionLDAPVersion", m_ldapVersion); systemconfig->writeEntry("ConnectionLDAPTimeout", m_ldapTimeout); systemconfig->writeEntry("ConnectionBindPolicy", m_bindPolicy); systemconfig->writeEntry("ConnectionBindTimeout", m_ldapBindTimeout); systemconfig->writeEntry("ConnectionPasswordHash", m_passwordHash); systemconfig->writeEntry("ConnectionIgnoredUsers", m_ignoredUsers); LDAPManager::writeTDERealmList(m_realms, systemconfig); systemconfig->sync(); if (base->systemEnableSupport->isChecked()) { // Write the Kerberos5 configuration file writeKrb5ConfFile(); // Write the LDAP configuration file writeLDAPConfFile(); // Write the NSSwitch configuration file writeNSSwitchFile(); // Write the PAM configuration files writePAMFiles(); // Write the cron files LDAPManager::writeCronFiles(); // Bind anonymously to LDAP LDAPCredentials* credentials = new LDAPCredentials; credentials->username = ""; credentials->password = ""; credentials->realm = m_defaultRealm.upper(); LDAPManager* ldap_mgr = new LDAPManager(m_defaultRealm.upper(), "ldap://", credentials); // Add the domain-wide computer local admin group to local sudoers ldap_mgr->writeSudoersConfFile(&errorstring); // Get and install the CA root certificate from LDAP mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PUBLICDIR + m_realms[m_defaultRealm].admin_server + ".ldap.crt", &errorstring); delete ldap_mgr; delete credentials; } load(); } void LDAPConfig::processLockouts() { bool panelIsEnabled = (base->systemEnableSupport->isEnabled() && base->systemEnableSupport->isChecked()); base->groupRealms->setEnabled(panelIsEnabled); base->groupKrbDefaults->setEnabled(panelIsEnabled); base->groupConnectionParameters->setEnabled(panelIsEnabled); TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); if (selrealm) { LDAPRealmConfig realmcfg = m_realms[selrealm->text(1)]; base->btnBondRealm->setEnabled(true); base->btnReBondRealm->setEnabled(true); if (realmcfg.bonded) { base->btnDeactivateRealm->setEnabled(true); base->btnRemoveRealm->setEnabled(false); base->btnRealmProperties->setEnabled(false); } else { base->btnDeactivateRealm->setEnabled(false); base->btnRemoveRealm->setEnabled(true); base->btnRealmProperties->setEnabled(true); } } else { base->btnBondRealm->setEnabled(true); base->btnReBondRealm->setEnabled(false); base->btnDeactivateRealm->setEnabled(false); base->btnRemoveRealm->setEnabled(false); base->btnRealmProperties->setEnabled(false); } } void LDAPConfig::bondToNewRealm() { // Something will probably change save(); BondWizard bondwizard(&m_realms, this, this); bondwizard.exec(); // Something probably changed load(); } void LDAPConfig::reBondToRealm() { TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); if (selrealm) { TQString realmName = selrealm->text(1); LDAPRealmConfig realmcfg = m_realms[realmName]; // Password prompt... TQString errorString; LDAPPasswordDialog passdlg(this); passdlg.m_base->ldapAdminRealm->setEnabled(false); passdlg.m_base->ldapAdminRealm->setText(realmName); if (passdlg.exec() == TQDialog::Accepted) { setEnabled(false); if (bondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) { // Success! realmcfg.bonded = true; m_realms.remove(realmName); m_realms.insert(realmName, realmcfg); save(); } else { KMessageBox::error(this, i18n("Unable to bond to realm!

Details: %1").arg(errorString), i18n("Unable to Bond to Realm")); } setEnabled(true); } } updateRealmList(); } void LDAPConfig::removeRealm() { TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); if (selrealm) { m_realms.remove(selrealm->text(1)); updateRealmList(); changed(); } } void LDAPConfig::deactivateRealm() { TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); if (selrealm) { TQString realmName = selrealm->text(1); LDAPRealmConfig realmcfg = m_realms[realmName]; if (realmcfg.bonded == true) { // Password prompt... TQString errorString; LDAPPasswordDialog passdlg(this); passdlg.m_base->ldapAdminRealm->setEnabled(false); passdlg.m_base->ldapAdminRealm->setText(realmName); passdlg.m_base->passprompt->setText(i18n("Please provide LDAP realm administrator credentials below to complete the unbonding process")); if (passdlg.exec() == TQDialog::Accepted) { setEnabled(false); if (unbondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) { // Success! realmcfg.bonded = false; m_realms.remove(realmName); m_realms.insert(realmName, realmcfg); save(); } else { KMessageBox::error(this, i18n("Unable to unbond from realm!

%1").arg(errorString), i18n("Unable to Unbond from Realm")); } setEnabled(true); } } } updateRealmList(); } TQString readFullLineFromPtyProcess(PtyProcess* proc) { TQString result = ""; while ((!result.contains("\n")) && (!result.contains(":")) && (!result.contains(">"))) { result = result + TQString(proc->readLine(false)); tqApp->processEvents(); } return result; } int LDAPConfig::bondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) { TQCString command = "kadmin"; QCStringList args; args << TQCString("-p") << TQCString(adminUserName+"@"+(adminRealm.upper())) << TQCString("-r") << TQCString(adminRealm.upper()); TQString hoststring = "host/"+m_fqdn; TQString prompt; PtyProcess kadminProc; kadminProc.exec(command, args); prompt = kadminProc.readLine(true); prompt = prompt.stripWhiteSpace(); if (prompt == "kadmin>") { kadminProc.writeLine(TQCString("ext "+hoststring), true); prompt = kadminProc.readLine(true); // Discard our own input prompt = readFullLineFromPtyProcess(&kadminProc); prompt = prompt.stripWhiteSpace(); if (prompt.endsWith(" Password:")) { kadminProc.writeLine(adminPassword, true); prompt = kadminProc.readLine(true); // Discard our own input prompt = kadminProc.readLine(true); prompt = prompt.stripWhiteSpace(); } if (prompt.contains("authentication failed")) { if (errstr) *errstr = prompt; kadminProc.writeLine("quit", true); return 1; } else if (prompt.endsWith("Principal does not exist")) { kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true); prompt = kadminProc.readLine(true); // Discard our own input prompt = readFullLineFromPtyProcess(&kadminProc); prompt = prompt.stripWhiteSpace(); // Use all defaults while (prompt != "kadmin>") { if (prompt.endsWith(" Password:")) { kadminProc.writeLine(adminPassword, true); prompt = kadminProc.readLine(true); // Discard our own input prompt = kadminProc.readLine(true); prompt = prompt.stripWhiteSpace(); } if (prompt.contains("authentication failed")) { if (errstr) *errstr = prompt; kadminProc.writeLine("quit", true); return 1; } else { // Extract whatever default is in the [brackets] and feed it back to kadmin TQString defaultParam; int leftbracket = prompt.find("["); int rightbracket = prompt.find("]"); if ((leftbracket >= 0) && (rightbracket >= 0)) { leftbracket++; defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket); } kadminProc.writeLine(TQCString(defaultParam), true); prompt = kadminProc.readLine(true); // Discard our own input prompt = kadminProc.readLine(true); prompt = prompt.stripWhiteSpace(); } } kadminProc.writeLine(TQCString("ext "+hoststring), true); prompt = kadminProc.readLine(true); // Discard our own input prompt = readFullLineFromPtyProcess(&kadminProc); prompt = prompt.stripWhiteSpace(); if (prompt != "kadmin>") { if (errstr) *errstr = prompt; kadminProc.writeLine("quit", true); return 1; } // Success! kadminProc.writeLine("quit", true); return 0; } else if (prompt == "kadmin>") { // Success! kadminProc.writeLine("quit", true); return 0; } // Failure if (errstr) *errstr = prompt; kadminProc.writeLine("quit", true); return 1; } if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed."; return 1; // Failure } int LDAPConfig::unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) { TQCString command = "kadmin"; QCStringList args; args << TQCString("-p") << TQCString(adminUserName+"@"+(adminRealm.upper())); TQString hoststring = "host/"+m_fqdn; TQString prompt; PtyProcess kadminProc; kadminProc.exec(command, args); prompt = kadminProc.readLine(true); prompt = prompt.stripWhiteSpace(); if (prompt == "kadmin>") { kadminProc.writeLine(TQCString("delete "+hoststring), true); prompt = kadminProc.readLine(true); // Discard our own input prompt = readFullLineFromPtyProcess(&kadminProc); prompt = prompt.stripWhiteSpace(); if (prompt.endsWith(" Password:")) { kadminProc.writeLine(adminPassword, true); prompt = kadminProc.readLine(true); // Discard our own input prompt = kadminProc.readLine(true); prompt = prompt.stripWhiteSpace(); } if (prompt != "kadmin>") { if (errstr) *errstr = prompt; kadminProc.writeLine("quit", true); return 1; } // Success! kadminProc.writeLine("quit", true); return 0; } return 1; // Failure } void LDAPConfig::realmProperties() { TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); if (selrealm) { RealmPropertiesDialog rpdialog(&m_realms, selrealm->text(1), this); if (rpdialog.exec() == TQDialog::Accepted) { updateRealmList(); changed(); } } } void LDAPConfig::writeKrb5ConfFile() { TQFile file(KRB5_FILE); if (file.open(IO_WriteOnly)) { TQTextStream stream( &file ); stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; // Defaults stream << "[libdefaults]\n"; stream << " ticket_lifetime = " << m_ticketLifetime << "\n"; if (m_defaultRealm != "") { stream << " default_realm = " << m_defaultRealm << "\n"; } stream << "\n"; // Realms stream << "[realms]\n"; LDAPRealmConfigList::Iterator it; for (it = m_realms.begin(); it != m_realms.end(); ++it) { LDAPRealmConfig realmcfg = it.data(); stream << " " << realmcfg.name << " = {\n"; stream << " kdc = " << realmcfg.kdc << ":" << realmcfg.kdc_port << "\n"; stream << " admin_server = " << realmcfg.admin_server << ":" << realmcfg.admin_server_port << "\n"; stream << " pkinit_require_eku = " << (realmcfg.pkinit_require_eku?"true":"false") << "\n"; stream << " pkinit_require_krbtgt_otherName = " << (realmcfg.pkinit_require_krbtgt_otherName?"true":"false") << "\n"; stream << " win2k_pkinit = " << (realmcfg.win2k_pkinit?"yes":"no") << "\n"; stream << " win2k_pkinit_require_binding = " << (realmcfg.win2k_pkinit_require_binding?"yes":"no") << "\n"; stream << " }\n"; } stream << "\n"; // Domain aliases stream << "[domain_realm]\n"; LDAPRealmConfigList::Iterator it2; for (it2 = m_realms.begin(); it2 != m_realms.end(); ++it2) { LDAPRealmConfig realmcfg = it2.data(); TQStringList domains = realmcfg.domain_mappings; for (TQStringList::Iterator it3 = domains.begin(); it3 != domains.end(); ++it3 ) { stream << " " << *it3 << " = " << realmcfg.name << "\n"; } } file.close(); } } void LDAPConfig::writeLDAPConfFile() { LDAPManager::writeLDAPConfFile(m_realms[m_defaultRealm]); } void LDAPConfig::writeNSSwitchFile() { TQFile file(NSSWITCH_FILE); if (file.open(IO_WriteOnly)) { TQTextStream stream( &file ); stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; stream << "passwd: files ldap [NOTFOUND=return] db" << "\n"; stream << "group: files ldap [NOTFOUND=return] db" << "\n"; stream << "shadow: files ldap [NOTFOUND=return] db" << "\n"; stream << "\n"; stream << "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4" << "\n"; stream << "networks: files" << "\n"; stream << "\n"; stream << "protocols: db files" << "\n"; stream << "services: db files" << "\n"; stream << "ethers: db files" << "\n"; stream << "rpc: db files" << "\n"; stream << "\n"; stream << "netgroup: nis" << "\n"; file.close(); } } void LDAPConfig::writePAMFiles() { TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT); if (file.open(IO_WriteOnly)) { TQTextStream stream( &file ); stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; stream << "account sufficient pam_unix.so nullok_secure" << "\n"; stream << "account sufficient pam_ldap.so" << "\n"; stream << "account required pam_permit.so" << "\n"; file.close(); } TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH); if (file2.open(IO_WriteOnly)) { TQTextStream stream( &file2 ); stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n"; stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n"; stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n"; stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n"; stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n"; stream << "auth required pam_deny.so" << "\n"; file2.close(); } } int LDAPConfig::buttons() { return KCModule::Apply|KCModule::Help; } TQString LDAPConfig::quickHelp() const { return i18n("This module configures which LDAP realms TDE uses for authentication."); }