path: root/src/ldapcontroller.cpp
authorTimothy Pearson <[email protected]>2013-07-01 19:05:32 +0000
committerTimothy Pearson <[email protected]>2013-07-01 19:05:32 +0000
commit2a0b3a4f1d16ad0afa36cf62ddce4f8eb44f287c (patch)
treec8679034447d54ad52409e7b2f19bc4b31055393 /src/ldapcontroller.cpp
parentf5f1d1557d02a5cd1b1beb407ba553cbc01a0047 (diff)
downloadkcmldapcontroller-2a0b3a4f1d16ad0afa36cf62ddce4f8eb44f287c.tar.gz
kcmldapcontroller-2a0b3a4f1d16ad0afa36cf62ddce4f8eb44f287c.zip
Add initial support for realm-wide certificate authority certificates
Diffstat (limited to 'src/ldapcontroller.cpp')
-rw-r--r--src/ldapcontroller.cpp154
1 files changed, 114 insertions, 40 deletions
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index 27ae4cb..d8f344a 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -118,6 +118,8 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
connect(m_base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
connect(m_base->systemRole, TQT_SIGNAL(activated(const TQString&)), this, TQT_SLOT(systemRoleChanged()));
+ connect(m_base->caSetMaster, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaSetMaster()));
+
connect(m_base->caRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaRegenerate()));
connect(m_base->caExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExportKey()));
connect(m_base->caExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExportCert()));
@@ -161,13 +163,13 @@ LDAPController::~LDAPController() {
void system_safe(const char * cmdstr) {
if (system(cmdstr) < 0) {
- printf("[ERROR] System call to '%s' failed!\n", cmdstr);
+ printf("[ERROR] System call to '%s' failed!\n\r", cmdstr);
}
}
void chown_safe(const char * file, uid_t user, gid_t group) {
if (chown(file, user, group) < 0) {
- printf("[ERROR] Chown call to '%s' for %d:%d failed!\n", file, user, group);
+ printf("[ERROR] Chown call to '%s' for %d:%d failed!\n\r", file, user, group);
}
}
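Review bot: The `< 0` test in system_safe only detects a failed fork/exec; when `/bin/sh` runs the command and it exits non-zero, `system()` returns a positive wait status and the `[ERROR]` branch is skipped, so the common failure case is reported as success. Check the status as well: `int rc = system(cmdstr);` / `if (rc == -1 || !WIFEXITED(rc) || WEXITSTATUS(rc) != 0) {` (needs `<sys/wait.h>`). Because `cmdstr` is interpreted by the shell, a comment such as `// cmdstr runs through /bin/sh: callers must never interpolate untrusted data into it` would make the "safe" in the name honest; the callers are not in this hunk, so whether any of them do is not verifiable here.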
@@ -298,6 +300,7 @@ void LDAPController::systemRoleChanged() {
LDAPManager::writeTDERealmList(realms, m_systemconfig);
m_systemconfig->setGroup(NULL);
m_systemconfig->deleteEntry("DefaultRealm");
+ m_systemconfig->deleteGroup("Replication", true, false);
m_systemconfig->sync();
pdialog.closeDialog();
@@ -357,33 +360,16 @@ void LDAPController::load() {
}
if (ldapRole == "Primary Realm Controller") {
m_base->systemRole->setCurrentItem(ROLE_PRIMARY_REALM_CONTROLLER);
-
- // Connect to LDAP
- TQString realmname = m_defaultRealm.upper();
- LDAPCredentials* credentials = new LDAPCredentials;
- credentials->username = "";
- credentials->password = "";
- credentials->realm = realmname;
- LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
- TQString errorstring;
-
- // Get replication mappings from LDAP
- LDAPMasterReplicationInfo replicationsettings = ldap_mgr->getLDAPMasterReplicationSettings(&errorstring);
- m_base->advancedEnableMultiMasterReplication->setChecked(replicationsettings.enabled);
- m_base->multiMasterReplicationMappings->clear();
- LDAPMasterReplicationMap::iterator it;
- for (it = replicationsettings.serverIDs.begin(); it != replicationsettings.serverIDs.end(); ++it) {
- new TQListViewItem(m_base->multiMasterReplicationMappings, TQString("%1").arg((*it).id), (*it).fqdn);
- }
-
- delete ldap_mgr;
- delete credentials;
}
else {
m_base->systemRole->setCurrentItem(ROLE_WORKSTATION);
}
m_prevRole = m_base->systemRole->currentItem();
+ // Load server-specific replication settings
+ m_systemconfig->setGroup("Replication");
+ m_base->ignoreReplicationSSLFailures->setChecked(m_systemconfig->readBoolEntry("IgnoreSSLFailures", false));
+
// Load cert config
m_systemconfig->setGroup("Certificates");
m_certconfig.countryName = m_systemconfig->readEntry("countryName");
@@ -415,9 +401,12 @@ void LDAPController::load() {
// Display builtin account and group names, and provide a password reset button for each builtin user (yes, this includes the LDAP admin account!)
// FIXME
// root account should not be locked to "admin"!
- // when fixing, please fix the other instance of locked "admin" in realmwizard.cpp ::accept()
+ // when fixing, please fix the two instances of locked "admin":
+ // 1.) in realmwizard.cpp ::accept()
+ // 2.) in LDAPManager::setLDAPMasterReplicationSettings()
m_base->ldapRootUser->setText(TQString("cn=%1,").arg("admin") + LDAPManager::ldapdnForRealm(m_defaultRealm));
+ // Connect to LDAP
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
@@ -425,7 +414,22 @@ void LDAPController::load() {
credentials->realm = realmname;
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
TQString errorstring;
+
+ // Get builtin TDE account mappings from LDAP
LDAPTDEBuiltinsInfo builtins = ldap_mgr->getTDEBuiltinMappings(&errorstring);
+
+ // Get replication mappings from LDAP
+ LDAPMasterReplicationInfo replicationsettings = ldap_mgr->getLDAPMasterReplicationSettings(&errorstring);
+ m_base->advancedEnableMultiMasterReplication->setChecked(replicationsettings.enabled);
+ m_base->multiMasterReplicationMappings->clear();
+ LDAPMasterReplicationMap::iterator it;
+ for (it = replicationsettings.serverIDs.begin(); it != replicationsettings.serverIDs.end(); ++it) {
+ new TQListViewItem(m_base->multiMasterReplicationMappings, TQString("%1").arg((*it).id), (*it).fqdn);
+ }
+
+ // Get certificate settings from LDAP
+ TQString realmCAMaster = ldap_mgr->getRealmCAMaster(&errorstring);
+
delete ldap_mgr;
delete credentials;
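Review bot: `errorstring` is handed to getTDEBuiltinMappings, getLDAPMasterReplicationSettings and getRealmCAMaster in turn but is never inspected or reset, so a failed lookup is silent and each call presumably overwrites the previous message. For the CA master this matters: if the query fails, `realmCAMaster` is presumably left empty, which the UI cannot distinguish from "no CA master assigned yet" (the following hunk enables promotion whenever `m_fqdn != realmCAMaster`). Clear `errorstring` before each call and at least log it when set, e.g. `if (!errorstring.isEmpty()) printf("[ERROR] %s\n\r", errorstring.ascii());`, so an unreadable directory does not look like an unclaimed CA role. The enclosing load() continues outside this hunk.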
@@ -434,6 +438,14 @@ void LDAPController::load() {
m_base->realmMachineAdminGroup->setText(LDAPManager::cnFromDn(builtins.builtinMachineAdminGroup));
m_base->realmStandardUserGroup->setText(LDAPManager::cnFromDn(builtins.builtinStandardUserGroup));
+ m_base->caCurrentMaster->setText(realmCAMaster);
+ if (m_fqdn == realmCAMaster) {
+ m_base->caSetMaster->setEnabled(false);
+ }
+ else {
+ m_base->caSetMaster->setEnabled(true);
+ }
+
updateCertDisplay();
m_certRefreshTimer.start(60*1000);
}
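Review bot: `if (m_fqdn == realmCAMaster)` is a case-sensitive string compare, while DNS host names are not case-sensitive, so a master recorded as `Host.Example.COM` would be treated as a different machine and the Set Master button enabled on the master itself. `if (m_fqdn.lower() == realmCAMaster.lower())` avoids that; trimming whitespace on the value read from LDAP is also cheap insurance. A comment noting that this enabled state is a UI convenience only — the promotion in btncaSetMaster is authorized by the ldapi:// bind, not by this check — would stop a later maintainer from treating it as an access control.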
@@ -533,6 +545,37 @@ void LDAPController::updateCertDisplay() {
}
}
+void LDAPController::btncaSetMaster() {
+ if (KMessageBox::warningYesNo(this, i18n("<qt><b>You are about to promote the server '%1' to the role of Certificate Authority Master</b><p>Are you sure you want to proceed?</qt>").arg(m_fqdn), i18n("Confirmation Required")) == KMessageBox::Yes) {
+ TQString errorstring;
+
+ TQString realmname = m_defaultRealm.upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "";
+ credentials->password = "";
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+
+ if (ldap_mgr->setRealmCAMaster(m_fqdn, &errorstring) != 0) {
+ KMessageBox::error(0, i18n("<qt>Unable to change certificate authority master server!<p>%1</qt>").arg(errorstring), i18n("Internal Failure"));
+ delete ldap_mgr;
+ load();
+ return;
+ }
+
+ LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+
+ // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+ if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
+ KMessageBox::error(0, i18n("<qt>Unable to upload new certificate to LDAP server!<p>%1</qt>").arg(errorstring), i18n("Internal Failure"));
+ }
+
+ delete ldap_mgr;
+
+ load();
+ }
+}
+
void LDAPController::btncaRegenerate() {
LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
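Review bot: btncaSetMaster leaks `credentials` on both exit paths — it is allocated with `new` and passed to LDAPManager, but only `ldap_mgr` is deleted, whereas load() deletes both; add `delete credentials;` after each `delete ldap_mgr;` (or, if LDAPManager takes ownership, drop it in load() — the two sites should agree). The order of operations also leaves the realm inconsistent on partial failure: setRealmCAMaster commits this host as master first, generatePublicKerberosCACertificate then appears to replace the CA key pair, and only afterwards is the PEM uploaded, so a failed upload leaves the directory naming this host as master while the published certificate is still the old one, and the code falls through to load() without reverting. Generating and uploading first and calling setRealmCAMaster last keeps the master record and the published cert in step; the return value of generatePublicKerberosCACertificate is ignored here and in btncaRegenerate, so check it if it reports failure. Since promotion seems to mint a fresh CA, the confirmation text should say that certificates issued under the previous master will stop validating, e.g. append `<p>This will generate a new certificate authority key; certificates issued by the current master will no longer be trusted.` to the warning. btncaRegenerate's body continues outside this hunk.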
@@ -723,6 +766,11 @@ void LDAPController::btnChangeRealmAdminPassword() {
if (adminuserinfo.informationValid) {
adminuserinfo.new_password = adminPassword;
ldap_mgr->setPasswordForUser(adminuserinfo, &errorstring);
+
+ m_systemconfig->setGroup("Replication");
+ m_systemconfig->writeEntry("Password", adminPassword.data());
+ m_systemconfig->setGroup(NULL);
+ m_systemconfig->sync();
}
delete ldap_mgr;
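Review bot: The new password is persisted to `[Replication] Password` regardless of whether `setPasswordForUser` succeeded — its return value is discarded on the line above — so a failed LDAP update leaves the stored sync password out of step with the directory and later replication binds with the wrong secret. Guard the write: `if (ldap_mgr->setPasswordForUser(adminuserinfo, &errorstring) == 0) {` and keep the four config lines inside it, surfacing `errorstring` otherwise. `writeEntry("Password", adminPassword.data())` also differs from the other new site in this commit, which passes `adminPassword` directly; if `data()` yields a raw 8-bit buffer a non-Latin-1 password is stored mangled, so confirm the type and use the same form at both sites. This is the realm admin password at rest in clear text; the config file's ownership and mode are not visible here and must restrict it to root. The enclosing function continues outside this hunk.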
@@ -853,6 +901,10 @@ void LDAPController::save() {
m_systemconfig->writeEntry("HostFQDN", m_fqdn);
m_systemconfig->writeEntry("LDAPRole", m_base->systemRole->currentText());
+ // Write server-specific replication settings
+ m_systemconfig->setGroup("Replication");
+ m_systemconfig->writeEntry("IgnoreSSLFailures", m_base->ignoreReplicationSSLFailures->isChecked());
+
// Write cert config
m_systemconfig->setGroup("Certificates");
m_systemconfig->writeEntry("countryName", m_certconfig.countryName);
@@ -891,6 +943,14 @@ void LDAPController::save() {
replicationSettings.serverIDs.append(mapping);
++it;
}
+ // Use the local password for inter-master authentication
+ // All realm controllers in a realm must (obviously) use the same admin/config password!
+ m_systemconfig->setGroup("Replication");
+ replicationSettings.syncPassword = m_systemconfig->readEntry("Password");
+ m_systemconfig->setGroup(NULL);
+
+ replicationSettings.ignore_ssl_failure = m_base->ignoreReplicationSSLFailures->isChecked();
+
if (ldap_mgr->setLDAPMasterReplicationSettings(replicationSettings, NULL) != 0) {
// ERROR
}
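Review bot: `replicationSettings.syncPassword` is read from the local config with no fallback, so on a controller whose `[Replication] Password` entry was never written (a realm created before this change, or a hand-edited config) the agreement is pushed with an empty bind password, and the failure is then swallowed by the empty `// ERROR` branch, which also passes `NULL` instead of an error string. Add a guard before the call, e.g. `if (replicationSettings.enabled && replicationSettings.syncPassword.isEmpty()) { /* report and skip */ }`, and pass `&errorstring` so the existing branch can show it. `ignore_ssl_failure` is a security downgrade on the channel that carries this password; its exact effect lives in setLDAPMasterReplicationSettings, which is not shown, but a comment at the point the flag is set, `// Presumably disables TLS verification for inter-master sync; an on-path attacker could then capture the sync (admin) password`, would make the trade-off visible. save() continues outside this hunk.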
@@ -983,13 +1043,13 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
}
else {
//KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(outfile), i18n("Internal Failure"));
- printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n", outfile.ascii()); fflush(stdout);
+ printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n\r", outfile.ascii()); fflush(stdout);
}
ifile.close();
}
else {
//KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
- printf("[INTERNAL FAILURE] Unable to open template schema file %s\n", infile.ascii()); fflush(stdout);
+ printf("[INTERNAL FAILURE] Unable to open template schema file %s\n\r", infile.ascii()); fflush(stdout);
}
// Keep UI responsive
@@ -1117,7 +1177,7 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt.contains("authentication failed")) {
@@ -1132,7 +1192,7 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt.startsWith("Realm max")) {
@@ -1141,7 +1201,7 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
}
@@ -1187,7 +1247,7 @@ int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt.contains("authentication failed")) {
@@ -1210,7 +1270,7 @@ int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
// Use all defaults
@@ -1235,7 +1295,7 @@ int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
}
@@ -1245,7 +1305,7 @@ int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt != "kadmin>") {
@@ -1296,7 +1356,7 @@ int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, T
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt.startsWith("ext --keytab="));
prompt = prompt.stripWhiteSpace();
if (prompt.contains("authentication failed")) {
@@ -1319,7 +1379,7 @@ int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, T
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
// Use all defaults
@@ -1344,7 +1404,7 @@ int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, T
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
}
@@ -1354,7 +1414,7 @@ int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, T
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt.startsWith("ext --keytab="));
prompt = prompt.stripWhiteSpace();
if (prompt != "kadmin>") {
@@ -1407,7 +1467,7 @@ int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *e
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt.contains("authentication failed")) {
@@ -1421,7 +1481,7 @@ int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *e
kadminProc.writeLine(user.password, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == "");
prompt = prompt.stripWhiteSpace();
if ((prompt.endsWith(" Password:")) && (prompt.startsWith("Verify"))) {
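Review bot: The `printf("(kadmin) '%s'\n\r", prompt.ascii())` in this loop runs immediately after `user.password` is written to the pty, so if kadmin's terminal has echo enabled at that moment the clear-text password is printed to stdout and to whatever captures it; the `prompt == ""` loop condition suggests echo is expected to be off, but nothing here verifies that. Either skip the trace for the lines that follow a password write or compile these kadmin traces out by default behind a debug define. The same trace pattern recurs in the other kadmin hunks of this commit; the enclosing setKerberosPasswordForUser continues outside the hunk.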
@@ -1429,7 +1489,7 @@ int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *e
kadminProc.writeLine(user.password, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == "");
prompt = prompt.stripWhiteSpace();
}
@@ -1897,6 +1957,15 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
return -1;
}
+ // Set CA master
+ if (ldap_mgr->setRealmCAMaster(m_fqdn, &errorstring) != 0) {
+ delete ldap_mgr;
+ delete credentials;
+ if (errstr) *errstr = errorstring;
+ pdialog.closeDialog();
+ return -1;
+ }
+
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
delete ldap_mgr;
@@ -1937,6 +2006,11 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
LDAPManager::writeTDERealmList(realms, m_systemconfig);
m_systemconfig->setGroup(NULL);
m_systemconfig->writeEntry("DefaultRealm", realmconfig.name);
+
+ m_systemconfig->setGroup("Replication");
+ m_systemconfig->writeEntry("Password", adminPassword);
+ m_systemconfig->setGroup(NULL);
+
m_systemconfig->sync();
LDAPManager::writeLDAPConfFile(realmconfig);
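Review bot: The realm admin password is now written in clear text to `[Replication] Password` in the system config with nothing at this site saying why or what protects it. Add `// Clear-text copy of the realm admin password, used as the inter-master sync bind credential in save(); the config file must be root-only` above the `setGroup("Replication")` line, and confirm the backing file is created with restrictive permissions — that is not visible in this diff. systemRoleChanged now removes the group when the host leaves the controller role, which is the right cleanup for this entry; createNewLDAPRealm continues outside this hunk, so whether its later failure paths also remove it cannot be checked here.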