author | Timothy Pearson <[email protected]> | 2013-07-02 18:17:45 +0000 |
---|---|---|
committer | Timothy Pearson <[email protected]> | 2013-07-02 18:17:45 +0000 |
commit | 253f6abaf56ce0008b11aa4db03f09d024efc7ab (patch) | |
tree | 91a852a4107bb4ee37572556b20cab7924c19909 /cert-updater | |
parent | 999fcba2daf30ed9e596df579d0b172874a048f4 (diff) | |
download | kcmldapcontroller-253f6abaf56ce0008b11aa4db03f09d024efc7ab.tar.gz kcmldapcontroller-253f6abaf56ce0008b11aa4db03f09d024efc7ab.zip |
Do not update CA certificates if master is unknown
Diffstat (limited to 'cert-updater')
-rw-r--r-- | cert-updater/main.cpp | 201 |
1 files changed, 103 insertions, 98 deletions
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index e4acaa5..e11a73e 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -147,113 +147,118 @@ int main(int argc, char *argv[]) delete ldap_mgr; delete credentials; - if (realmCAMaster == fqdn) { - printf("This server is the realm CA master\n"); fflush(stdout); - if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) { - certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE); - if (certExpiry >= now) { - printf("Certificate %s expires %s\n", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout); - } - if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) { - printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout); - LDAPManager::generatePublicKerberosCACertificate(m_certconfig); - - TQString realmname = m_defaultRealm.upper(); - LDAPCredentials* credentials = new LDAPCredentials; - credentials->username = ""; - credentials->password = ""; - credentials->realm = realmname; - LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials); - - // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server - TQString errorstring; - if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) { - printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout); + if (realmCAMaster == "") { + printf("[WARNING] Unable to determine the realm CA master! 
CA will not be updated\n"); fflush(stdout); + } + else { + if (realmCAMaster == fqdn) { + printf("This server is the realm CA master\n"); fflush(stdout); + if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) { + certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE); + if (certExpiry >= now) { + printf("Certificate %s expires %s\n", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout); + } + if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) { + printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout); + LDAPManager::generatePublicKerberosCACertificate(m_certconfig); + + TQString realmname = m_defaultRealm.upper(); + LDAPCredentials* credentials = new LDAPCredentials; + credentials->username = ""; + credentials->password = ""; + credentials->realm = realmname; + LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials); + + // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server + TQString errorstring; + if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) { + printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout); + } + + delete ldap_mgr; } - delete ldap_mgr; + // Set permissions + chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR); + chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0); + chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0); } - + else { + printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout); + } + } + else { + printf("This server is a realm CA slave\n"); fflush(stdout); + + // Connect to LDAP + TQString realmname = defaultRealm.upper(); + LDAPCredentials* credentials = new LDAPCredentials; + credentials->username = "cn=admin," + basedn; + m_systemconfig->setGroup("Replication"); + credentials->password = 
m_systemconfig->readEntry("Password"); + m_systemconfig->setGroup(NULL); + credentials->realm = realmname; + LDAPManager* ldap_mgr = new LDAPManager(realmname, TQString("ldaps://%1/").arg(realmCAMaster), credentials); + TQString errorstring; + + if (ldap_mgr->getTDECertificate("privateRootCertificateKey", KERBEROS_PKI_PEMKEY_FILE ".tmp", &errorstring) != 0) { + printf("[ERROR] Unable to get private CA certificate key from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout); + } + if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PEM_FILE ".tmp", &errorstring) != 0) { + printf("[ERROR] Unable to get public CA certificate from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout); + } + + delete ldap_mgr; + delete credentials; + + TQByteArray originalPemKeyFile; + TQByteArray originalPemFile; + TQByteArray newPemKeyFile; + TQByteArray newPemFile; + + TQFile* cafile; + cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE); + if (cafile->open(IO_ReadOnly)) { + originalPemKeyFile = cafile->readAll(); + } + delete cafile; + cafile = new TQFile(KERBEROS_PKI_PEM_FILE); + if (cafile->open(IO_ReadOnly)) { + originalPemFile = cafile->readAll(); + } + delete cafile; + cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE ".tmp"); + if (cafile->open(IO_ReadOnly)) { + newPemKeyFile = cafile->readAll(); + } + delete cafile; + cafile = new TQFile(KERBEROS_PKI_PEM_FILE ".tmp"); + if (cafile->open(IO_ReadOnly)) { + newPemFile = cafile->readAll(); + } + delete cafile; + + if ((originalPemKeyFile == newPemKeyFile) && (originalPemFile == newPemFile)) { + unlink(KERBEROS_PKI_PEMKEY_FILE ".tmp"); + unlink(KERBEROS_PKI_PEM_FILE ".tmp"); + printf("Certificates have not changed since last update\n"); + } + else { + unlink(KERBEROS_PKI_PEMKEY_FILE); + unlink(KERBEROS_PKI_PEM_FILE); + rename(KERBEROS_PKI_PEMKEY_FILE ".tmp", KERBEROS_PKI_PEMKEY_FILE); + rename(KERBEROS_PKI_PEM_FILE ".tmp", KERBEROS_PKI_PEM_FILE); + force_update = true; + printf("Certificates have changed, forcing 
certificate regeneration\n"); + } + // Set permissions chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR); chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0); chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0); } - else { - printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout); - } - } - else { - printf("This server is a realm CA slave\n"); fflush(stdout); - - // Connect to LDAP - TQString realmname = defaultRealm.upper(); - LDAPCredentials* credentials = new LDAPCredentials; - credentials->username = "cn=admin," + basedn; - m_systemconfig->setGroup("Replication"); - credentials->password = m_systemconfig->readEntry("Password"); - m_systemconfig->setGroup(NULL); - credentials->realm = realmname; - LDAPManager* ldap_mgr = new LDAPManager(realmname, TQString("ldaps://%1/").arg(realmCAMaster), credentials); - TQString errorstring; - - if (ldap_mgr->getTDECertificate("privateRootCertificateKey", KERBEROS_PKI_PEMKEY_FILE ".tmp", &errorstring) != 0) { - printf("[ERROR] Unable to get private CA certificate key from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout); - } - if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PEM_FILE ".tmp", &errorstring) != 0) { - printf("[ERROR] Unable to get public CA certificate from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout); - } - - delete ldap_mgr; - delete credentials; - - TQByteArray originalPemKeyFile; - TQByteArray originalPemFile; - TQByteArray newPemKeyFile; - TQByteArray newPemFile; - - TQFile* cafile; - cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE); - if (cafile->open(IO_ReadOnly)) { - originalPemKeyFile = cafile->readAll(); - } - delete cafile; - cafile = new TQFile(KERBEROS_PKI_PEM_FILE); - if (cafile->open(IO_ReadOnly)) { - originalPemFile = cafile->readAll(); - } - delete cafile; - cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE ".tmp"); - if (cafile->open(IO_ReadOnly)) { - newPemKeyFile = 
cafile->readAll(); - } - delete cafile; - cafile = new TQFile(KERBEROS_PKI_PEM_FILE ".tmp"); - if (cafile->open(IO_ReadOnly)) { - newPemFile = cafile->readAll(); - } - delete cafile; - - if ((originalPemKeyFile == newPemKeyFile) && (originalPemFile == newPemFile)) { - unlink(KERBEROS_PKI_PEMKEY_FILE ".tmp"); - unlink(KERBEROS_PKI_PEM_FILE ".tmp"); - printf("Certificates have not changed since last update\n"); - } - else { - unlink(KERBEROS_PKI_PEMKEY_FILE); - unlink(KERBEROS_PKI_PEM_FILE); - rename(KERBEROS_PKI_PEMKEY_FILE ".tmp", KERBEROS_PKI_PEMKEY_FILE); - rename(KERBEROS_PKI_PEM_FILE ".tmp", KERBEROS_PKI_PEM_FILE); - force_update = true; - printf("Certificates have changed, forcing certificate regeneration\n"); - } - - // Set permissions - chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR); - chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0); - chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0); } // Kerberos |
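Review bot: In the new slave branch of this hunk, a failed `getTDECertificate()` call only prints an error and execution falls through to the compare-and-replace step, so an empty or missing `.tmp` file compares unequal to the installed file, the existing `KERBEROS_PKI_PEMKEY_FILE` and `KERBEROS_PKI_PEM_FILE` are unlinked, and the `rename()` of a `.tmp` that was never written fails, leaving the slave without its CA key and certificate. These lines are re-indented moves, but the new `realmCAMaster == ""` guard covers only the unknown-master case, not a known master that is unreachable or rejects the bind. Track the result of both downloads and skip the replacement (discarding any partial `.tmp` files) when either one failed, as sketched below. Separately, the private key lands in `KERBEROS_PKI_PEMKEY_FILE ".tmp"` before the `chmod`/`chown_safe` calls run on the final path, so its on-disk mode between download and rename depends on how `getTDECertificate()` creates the file, which is not visible here and worth confirming is owner-only. `main()` begins before and continues after this hunk.
```cpp
			bool fetchOK = true;
			if (ldap_mgr->getTDECertificate("privateRootCertificateKey", KERBEROS_PKI_PEMKEY_FILE ".tmp", &errorstring) != 0) {
				printf("[ERROR] Unable to get private CA certificate key from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
				fetchOK = false;
			}
			if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PEM_FILE ".tmp", &errorstring) != 0) {
				printf("[ERROR] Unable to get public CA certificate from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
				fetchOK = false;
			}

			delete ldap_mgr;
			delete credentials;

			if (!fetchOK) {
				// Leave the installed CA key and certificate untouched; drop any partial downloads
				unlink(KERBEROS_PKI_PEMKEY_FILE ".tmp");
				unlink(KERBEROS_PKI_PEM_FILE ".tmp");
			}
			else {
				// … unchanged: read installed and .tmp files, compare, rename into place on change …
			}
			// … unchanged: set permissions …
```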