author | Timothy Pearson <[email protected]> | 2012-06-04 17:05:03 -0500 |
---|---|---|
committer | Timothy Pearson <[email protected]> | 2012-06-04 17:05:03 -0500 |
commit | ded257d2225a74343c32b3303ec3778da216b688 (patch) | |
tree | 37765cf04edbfea0f507ed0208de2bc89cc62ac8 /acl-updater/plugin/plugin.cpp | |
parent | 085abd94d86b16825501b4215bd852fa546b31a9 (diff) | |
Add utility to manage kadmind ACL list based on group membership
Diffstat (limited to 'acl-updater/plugin/plugin.cpp')
-rw-r--r-- | acl-updater/plugin/plugin.cpp | 193 |
1 files changed, 193 insertions, 0 deletions
diff --git a/acl-updater/plugin/plugin.cpp b/acl-updater/plugin/plugin.cpp
new file mode 100644
index 0000000..e458ee6
--- /dev/null
+++ b/acl-updater/plugin/plugin.cpp
@@ -0,0 +1,193 @@
+/***************************************************************************
+ * Copyright (C) 2012 by Timothy Pearson *
+ * [email protected] *
+ * *
+ * This program is free software; you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation; either version 2 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * This program is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with this program; if not, write to the *
+ * Free Software Foundation, Inc., *
+ * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
+ ***************************************************************************/
+
+#include "config.h"
+
+#include "plugin.h"
+
+#include <sys/wait.h>
+
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+#include <assert.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <syslog.h>
+
+#include <tqstringlist.h>
+#include <tqfile.h>
+
+#include <libtdeldap.h>
+
+static char **plugin_arguments = NULL;
+
+static TQString admingroup_dn;
+static TQString realmname;
+static TQString aclfilename;
+static TQString rootaccountname;
+static LDAPManager* ldapManagerObject = 0;
+
+void log_plugin (const char* msg, ...)
+{
+ va_list ap;
+ va_start (ap, msg);
+// FIXME
+// log_msg_va (SLAPI_LOG_PLUGIN, msg, ap);
+ va_end (ap);
+}
+
+static int
+post_modify (Slapi_PBlock *pb)
+{
+ LDAPMod **mods;
+ char *dn;
+ int rc, code;
+
+ return_val_if_fail (pb, -1);
+
+ /* Make sure it was successful, don't process errors */
+ rc = slapi_pblock_get (pb, SLAPI_RESULT_CODE, &code);
+ return_val_if_fail (rc >= 0, -1);
+ if (code != LDAP_SUCCESS)
+ return 0;
+
+ /* Get out the DN and normalize it */
+ rc = slapi_pblock_get (pb, SLAPI_MODIFY_TARGET, &dn);
+ return_val_if_fail (rc >= 0 && dn, -1);
+ dn = slapi_ch_strdup (dn);
+ slapi_dn_normalize_case (dn);
+
+ if (dn == admingroup_dn) {
+ TQString errorstring;
+ LDAPGroupInfo admininfo = ldapManagerObject->getGroupByDistinguishedName(admingroup_dn, &errorstring);
+ if (errorstring == "") {
+ TQFile file(aclfilename);
+ if (file.open(IO_WriteOnly)) {
+ TQTextStream stream( &file );
+
+ stream << "# This file was automatically generated by TDE\n";
+ stream << "# All changes will be lost!\n";
+ stream << "\n\n";
+
+ stream << "# Internal Kerberos administration account\n";
+ stream << TQString("kadmin/%1@%2\tall").arg(rootaccountname).arg(realmname);
+ stream << "\n\n";
+
+ stream << "# Configured realm administrators\n";
+ for ( TQStringList::Iterator it = admininfo.userlist.begin(); it != admininfo.userlist.end(); ++it ) {
+ TQString krbConvertedUser = *it;
+ int eqpos = krbConvertedUser.find("=")+1;
+ int cmpos = krbConvertedUser.find(",", eqpos);
+ krbConvertedUser.truncate(cmpos);
+ krbConvertedUser.remove(0, eqpos);
+ krbConvertedUser.append("@"+realmname);
+ stream << krbConvertedUser << "\tall\n";
+ }
+ file.close();
+ }
+ }
+ }
+
+ rc = slapi_pblock_get (pb, SLAPI_MODIFY_MODS, &mods);
+ return_val_if_fail (rc >= 0 && mods, -1);
+
+ slapi_ch_free_string (&dn);
+ return 0;
+}
+
+static const char * plugin_compat_ver = SLAPI_PLUGIN_VERSION_03;
+
+static Slapi_PluginDesc plugin_description = {
+ PLUGIN_NAME, /* plug-in identifier */
+ "[email protected]", /* vendor name */
+ VERSION, /* plug-in revision number */
+ "Updates kadmind ACL list on group update" /* plug-in description */
+};
+
+static int
+plugin_destroy (Slapi_PBlock *pb)
+{
+ slapi_ch_array_free (plugin_arguments);
+ plugin_arguments = NULL;
+
+ if (ldapManagerObject) delete ldapManagerObject;
+
+ return 0;
+}
+
+extern "C" int internal_plugin_init (Slapi_PBlock *pb)
+{
+ char **argv = NULL, *arg, *value;
+ int argc = 0;
+ int rc, i;
+
+ return_val_if_fail (pb, -1);
+
+ rc = slapi_pblock_get (pb, SLAPI_PLUGIN_ARGV, &argv);
+ return_val_if_fail (rc >= 0, -1);
+ slapi_pblock_get (pb, SLAPI_PLUGIN_ARGC, &argc);
+ return_val_if_fail (rc >= 0, -1);
+
+ /*
+ * Copy all the arguments, until we get destroyed, and
+ * send the arguments to the components to configure
+ * themselves.
+ */
+ plugin_arguments = (char**)slapi_ch_calloc (argc + 1, sizeof (char*));
+ for (i = 0; i < argc; ++i) {
+ plugin_arguments[i] = slapi_ch_strdup (argv[i]);
+ TQStringList argComponents = TQStringList::split(":=", plugin_arguments[i]);
+ if (argComponents[0] == "admingroup-dn") {
+ admingroup_dn = argComponents[1];
+ }
+ else if (argComponents[0] == "realm") {
+ realmname = argComponents[1];
+ }
+ else if (argComponents[0] == "aclfile") {
+ aclfilename = argComponents[1];
+ }
+ else if (argComponents[0] == "builtinadmin") {
+ rootaccountname = argComponents[1];
+ }
+ }
+
+ /* Null terminate */
+ plugin_arguments[i] = NULL;
+
+ if (slapi_pblock_set (pb, SLAPI_PLUGIN_VERSION, (void*)plugin_compat_ver) != 0 ||
+ slapi_pblock_set (pb, SLAPI_PLUGIN_DESCRIPTION, (void*)(&plugin_description)) != 0 ||
+ slapi_pblock_set (pb, SLAPI_PLUGIN_DESTROY_FN, (void*)plugin_destroy)) {
+ log_plugin ("error registering plugin");
+ return -1;
+ }
+
+ ldapManagerObject = new LDAPManager(realmname, "ldapi://");
+
+ /* Setup the entry add/mobify functions */
+ if (slapi_pblock_set (pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void*)post_modify) != 0) {
+ log_plugin ("error registering plugin hooks");
+ return -1;
+ }
+
+ log_plugin ("%s initialized", PLUGIN_NAME);
+ return 0;
+}
+
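Review bot: post_modify rewrites the kadmind ACL file in place with `file.open(IO_WriteOnly)`, so between the truncating open and `file.close()` kadmind can observe an empty or partial ACL, and the new file takes whatever mode slapd's umask yields; writing to a temporary file in the same directory, setting an explicit restrictive mode, and renaming it over `aclfilename` would make the update atomic. The values written as principals are the first RDN of each DN in `admininfo.userlist`, taken verbatim from directory data, so it would be prudent to reject values containing whitespace, '@' or control characters before they reach a privileged ACL, and to check the `find(",", eqpos)` result explicitly rather than passing -1 to `truncate` when no further RDN follows. In internal_plugin_init the second `return_val_if_fail (rc >= 0, -1)` re-tests the SLAPI_PLUGIN_ARGV result because the SLAPI_PLUGIN_ARGC call's return value is discarded; it should be `rc = slapi_pblock_get (pb, SLAPI_PLUGIN_ARGC, &argc);`. In the same loop `argComponents[1]` is read without checking that `TQStringList::split(":=", ...)` produced two parts, so a malformed plugin argument indexes past the list; guard it with `if (argComponents.count() < 2) continue;`. The `dn` duplicated by `slapi_ch_strdup` is also not freed on the `return_val_if_fail (rc >= 0 && mods, -1)` exit, and `admingroup_dn` is never normalized the way `dn` is, so `dn == admingroup_dn` can miss a target that differs only in case.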