authorTimothy Pearson <[email protected]>2012-06-02 17:03:40 -0500
committerTimothy Pearson <[email protected]>2012-06-02 17:03:40 -0500
commitbd05fcffd6b8bbc21ceb8511e971135e539fdc7a (patch)
treede1704c14c1165f6b9b627b8269a943acade97f8 /src/ldapcontroller.cpp
parent8daa9e9e96c6b088bfe8ed1a69947238c7d6e62e (diff)
downloadkcmldapcontroller-bd05fcffd6b8bbc21ceb8511e971135e539fdc7a.tar.gz
kcmldapcontroller-bd05fcffd6b8bbc21ceb8511e971135e539fdc7a.zip
LDAP and Kerberos now partially work together
Diffstat (limited to 'src/ldapcontroller.cpp')
-rw-r--r--src/ldapcontroller.cpp251
1 files changed, 188 insertions, 63 deletions
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index 4bcf59d..ed3449f 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -42,6 +42,8 @@
#include <tqcheckbox.h>
#include <ktempdir.h>
#include <kprocess.h>
+#include <tdesu/process.h>
+#include <libtdeldap.h>
#include "sha1.h"
@@ -251,43 +253,51 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
TQFile ifile(infile);
TQFile ofile(outfile);
- if (ifile.open(IO_ReadOnly) && ofile.open(IO_WriteOnly)) {
- TQString line;
- TQTextStream istream(&ifile);
- TQTextStream ostream(&ofile);
- while (!istream.atEnd()) {
- line = istream.readLine();
- line.replace("@@@REALM_DCNAME@@@", basedcname);
- line.replace("@@@REALM_UCNAME@@@", realmconfig.name.upper());
- line.replace("@@@REALM_LCNAME@@@", realmconfig.name.lower());
- line.replace("@@@ADMINSERVER@@@", realmconfig.admin_server);
- line.replace("@@@ADMINPORT@@@", TQString("%1").arg(realmconfig.admin_server_port));
- line.replace("@@@KDCSERVER@@@", realmconfig.kdc);
- line.replace("@@@KDCPORT@@@", TQString("%1").arg(realmconfig.kdc_port));
- line.replace("@@@ROOTUSER@@@", rootUserName);
- line.replace("@@@ROOTPW_SHA@@@", rootpw_hash);
- line.replace("@@@ADMINUSER@@@", adminUserName);
- line.replace("@@@ADMINGROUP@@@", adminGroupName);
- line.replace("@@@ADMINPW_SHA@@@", adminpw_hash);
- line.replace("@@@PKINIT_REQUIRE_EKU@@@", (realmconfig.pkinit_require_eku)?"yes":"no");
- line.replace("@@@PKINIT_REQUIRE_KRBTGT_OTHERNAME@@@", (realmconfig.pkinit_require_krbtgt_otherName)?"yes":"no");
- line.replace("@@@WIN2K_PKINIT@@@", (realmconfig.win2k_pkinit)?"yes":"no");
- line.replace("@@@WIN2K_PKINIT_REQUIRE_BINDING@@@", (realmconfig.win2k_pkinit_require_binding)?"yes":"no");
- line.replace("@@@REALM_SIMPLE_CP_NAME@@@", simpledcnamecap);
- line.replace("@@@REALM_SIMPLE_LC_NAME@@@", simpledcname.lower());
- line.replace("@@@TIMESTAMP@@@", timestamp);
- if (ldifSchemaNumber >= 0) {
- line.replace("@@@LDIFSCHEMANUMBER@@@", TQString("%1").arg(ldifSchemaNumber));
+ if (ifile.open(IO_ReadOnly)) {
+ if (ofile.open(IO_WriteOnly)) {
+ TQString line;
+ TQTextStream istream(&ifile);
+ TQTextStream ostream(&ofile);
+ while (!istream.atEnd()) {
+ line = istream.readLine();
+ line.replace("@@@REALM_DCNAME@@@", basedcname);
+ line.replace("@@@REALM_UCNAME@@@", realmconfig.name.upper());
+ line.replace("@@@REALM_LCNAME@@@", realmconfig.name.lower());
+ line.replace("@@@ADMINSERVER@@@", realmconfig.admin_server);
+ line.replace("@@@ADMINPORT@@@", TQString("%1").arg(realmconfig.admin_server_port));
+ line.replace("@@@KDCSERVER@@@", realmconfig.kdc);
+ line.replace("@@@KDCPORT@@@", TQString("%1").arg(realmconfig.kdc_port));
+ line.replace("@@@ROOTUSER@@@", rootUserName);
+ line.replace("@@@ROOTPW_SHA@@@", rootpw_hash);
+ line.replace("@@@ADMINUSER@@@", adminUserName);
+ line.replace("@@@ADMINGROUP@@@", adminGroupName);
+ line.replace("@@@ADMINPW_SHA@@@", adminpw_hash);
+ line.replace("@@@PKINIT_REQUIRE_EKU@@@", (realmconfig.pkinit_require_eku)?"yes":"no");
+ line.replace("@@@PKINIT_REQUIRE_KRBTGT_OTHERNAME@@@", (realmconfig.pkinit_require_krbtgt_otherName)?"yes":"no");
+ line.replace("@@@WIN2K_PKINIT@@@", (realmconfig.win2k_pkinit)?"yes":"no");
+ line.replace("@@@WIN2K_PKINIT_REQUIRE_BINDING@@@", (realmconfig.win2k_pkinit_require_binding)?"yes":"no");
+ line.replace("@@@REALM_SIMPLE_CP_NAME@@@", simpledcnamecap);
+ line.replace("@@@REALM_SIMPLE_LC_NAME@@@", simpledcname.lower());
+ line.replace("@@@TIMESTAMP@@@", timestamp);
+ if (ldifSchemaNumber >= 0) {
+ line.replace("@@@LDIFSCHEMANUMBER@@@", TQString("%1").arg(ldifSchemaNumber));
+ }
+ ostream << line << "\n";
+ }
+ ifile.close();
+ ofile.close();
+
+ // Set permissions
+ if ((userid > 0) && (groupid > 0)) {
+ chown(outfile.ascii(), userid, groupid);
}
- ostream << line << "\n";
}
- ifile.close();
- ofile.close();
+ else {
+ KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(infile), i18n("Internal Failure"));
+ }
}
-
- // Set permissions
- if ((userid > 0) && (groupid > 0)) {
- chown(outfile.ascii(), userid, groupid);
+ else {
+ KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
}
// Keep UI responsive
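Review bot: The new error branch for the output file formats the wrong path into its message: `i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(infile)` reports the template, not the destination, and should be `.arg(outfile)`. Because replacePlaceholdersInFile is `void`, both new failure branches only raise a modal box and then return normally, so createNewLDAPRealm carries on with a config file that was never written; returning a status or filling a `TQString *errstr` the way initializeNewKerberosRealm in this commit does would let the caller stop. The `chown` result is still ignored on the new side. The function begins before and continues after the hunk.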
@@ -333,6 +343,7 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
// FIXME
// This assumes Debian!
system("rm -rf /var/lib/ldap/*");
+ system("rm -rf /etc/ldap/slapd.d/cn=config/cn=schema/*");
}
if (command == SC_SETDBPERMS) {
if ((userid > 0) && (groupid > 0)) {
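Review bot: The added `system("rm -rf /etc/ldap/slapd.d/cn=config/cn=schema/*")` discards its return value like the line above it, so a failed purge looks identical to success and createNewLDAPRealm, which calls SC_PURGE without checking, then installs the new schema files over leftovers. Removing the entries through `TQDir::entryList()` and `TQDir::remove()` would avoid spawning a shell for a fixed path and give a per-file status to propagate; at minimum capture the `system()` result and return a nonzero status when it fails. The existing "This assumes Debian!" FIXME applies to the new path as well.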
@@ -348,6 +359,67 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
return -2;
}
+TQString readFullLineFromPtyProcess(PtyProcess* proc) {
+ TQString result = "";
+ while ((!result.contains("\n")) && (!result.contains(":")) && (!result.contains(">"))) {
+ result = result + TQString(proc->readLine(false));
+ tqApp->processEvents();
+ }
+ return result;
+}
+
+int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *errstr) {
+ TQCString command = "kadmin";
+ QCStringList args;
+ args << TQCString("-l");
+
+ TQString prompt;
+ PtyProcess kadminProc;
+ kadminProc.exec(command, args);
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt == "kadmin>") {
+ kadminProc.writeLine(TQCString("init "+realmName), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else if (prompt.startsWith("Realm max")) {
+ kadminProc.writeLine("unlimited", true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt.startsWith("Realm max")) {
+ kadminProc.writeLine("unlimited", true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ }
+ if (prompt != "kadmin>") {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+
+ // Failure
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
+ return 1; // Failure
+}
+
int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr) {
int ldifSchemaNumber;
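Review bot: `readFullLineFromPtyProcess` never terminates if kadmin exits or goes quiet before a `\n`, `:` or `>` arrives: `readLine(false)` returns nothing and the `while` re-spins with `processEvents()` indefinitely, hanging the wizard; the loop needs a liveness check and a deadline, sketched below (needs `<tqdatetime.h>` for `TQTime`, and assumes tdesu's PtyProcess exposes `pid()`/`checkPid()` as kdesu's does — confirm). In initializeNewKerberosRealm the realm name is spliced straight into the kadmin command with `"init "+realmName`, so a name containing whitespace or quoting characters changes what kadmin is asked to do; reject anything outside the realm-name character set before `exec`, and check the return value of `kadminProc.exec(command, args)` instead of inferring failure from the prompt text. The two consecutive `Realm max` blocks are copies of each other and read better as a loop bounded at two iterations.
```cpp
TQString readFullLineFromPtyProcess(PtyProcess* proc) {
	TQString result = "";
	TQTime waited;
	waited.start();
	while ((!result.contains("\n")) && (!result.contains(":")) && (!result.contains(">"))) {
		// Give up when the child is gone or no delimiter arrives in time;
		// otherwise a dead or silent kadmin spins this loop forever
		if ((!PtyProcess::checkPid(proc->pid())) || (waited.elapsed() > READ_TIMEOUT_MS_PLACEHOLDER)) {
			break;
		}
		result = result + TQString(proc->readLine(false));
		tqApp->processEvents();
	}
	return result;
}
```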
@@ -368,15 +440,39 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
KTempDir configTempDir;
configTempDir.setAutoDelete(true);
-configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY
+configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
TQString destDir = "/etc/";
- mkdir(TQString(destDir + "heimdal").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
- mkdir(TQString(destDir + "openldap").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
- mkdir(TQString(destDir + "openldap/ldap").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
+ pdialog.setStatusMessage(i18n("Stopping servers..."));
+
+ // Stop Heimdal
+ if (controlHeimdalServer(SC_STOP) != 0) {
+ if (errstr) *errstr = i18n("Unable to stop Kerberos server");
+ pdialog.closeDialog();
+ return -1;
+ }
+ // Stop slapd
+ if (controlLDAPServer(SC_STOP) != 0) {
+ if (errstr) *errstr = i18n("Unable to stop LDAP server");
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ pdialog.setStatusMessage(i18n("Purging existing LDAP database..."));
+ tqApp->processEvents();
+ controlLDAPServer(SC_PURGE);
+
+ pdialog.setStatusMessage(i18n("Installing new LDAP schema..."));
+ tqApp->processEvents();
+
+ mkdir(TQString(destDir + "heimdal-kdc").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
+ mkdir(TQString(destDir + "ldap").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
+ mkdir(TQString(destDir + "ldap/slapd.d").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
+ mkdir(TQString(destDir + "ldap/slapd.d/cn=config").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
+ mkdir(TQString(destDir + "ldap/slapd.d/cn=config/cn=schema").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", destDir + "heimdal.defaults", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
- replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", destDir + "kadmind.acl", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
+ replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", destDir + "heimdal-kdc/kadmind.acl", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
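Review bot: `configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME` survives in the new code, so the temporary directory and whatever the wizard stages in it are left behind on every run; the override should be dropped before this ships, or at least confined to a debug build so release keeps `setAutoDelete(true)`. The five `mkdir` calls ignore their result, so anything other than an existing directory (EACCES, or a path component that is a regular file) is only noticed later as an open failure inside replacePlaceholdersInFile; checking `errno != EEXIST` after each and returning through `errstr` would give a precise error. With the new ordering SC_PURGE has already wiped the database before any of these directories or files are created, so a failure past this point leaves the host with neither the old nor a complete new configuration, which is worth a comment at the purge. createNewLDAPRealm begins and ends outside the hunk.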
@@ -397,16 +493,28 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY
replacePlaceholdersInFile(templateDir + "openldap/ldif/olcDatabase.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
// Schema files
- ldifSchemaNumber = 10;
+ ldifSchemaNumber = 0;
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+ ldifSchemaNumber = 1;
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/cosine.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}cosine.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+ ldifSchemaNumber = 2;
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/inetorgperson.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}inetorgperson.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+ ldifSchemaNumber = 3;
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/rfc2307bis.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}rfc2307bis.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+ ldifSchemaNumber = 4;
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/rfc2739.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}rfc2739.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+ ldifSchemaNumber = 5;
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/ppolicy.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}ppolicy.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+ ldifSchemaNumber = 6;
replacePlaceholdersInFile(templateDir + "openldap/ldif/ems-core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}ems-core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
- ldifSchemaNumber = 11;
+ ldifSchemaNumber = 7;
replacePlaceholdersInFile(templateDir + "openldap/ldif/hdb.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
- ldifSchemaNumber = 12;
+ ldifSchemaNumber = 8;
replacePlaceholdersInFile(templateDir + "openldap/ldif/tde-core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}tde-core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
// Set permissions
chmod(TQString(destDir + "heimdal.defaults").ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
- chmod(TQString(destDir + "kadmind.acl").ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
+ chmod(TQString(destDir + "heimdal-kdc/kadmind.acl").ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
chmod(TQString(destDir + "heimdal-kdc/kdc.conf").ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
chmod(TQString(destDir + "krb5.conf").ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
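Review bot: The schema block is now nine near-identical `ldifSchemaNumber = N;` / `replacePlaceholdersInFile(...)` pairs where only the schema name and index change, and the index has to be kept in step with the file order by hand, which is exactly the renumbering (10/11/12 to 6/7/8) this commit had to do. Iterating a list of schema names and using the loop index as the `{N}` ordering number removes the manual bookkeeping; since that index is the order slapd loads the schemas in, keep the list in the present order (core, cosine, inetorgperson, ...) and say so in a comment. The surrounding function continues outside the hunk.
```cpp
	// Schema files: list order is the olc load order, the index becomes the {N} prefix
	TQStringList schemaNames;
	schemaNames << "core" << "cosine" << "inetorgperson" << "rfc2307bis" << "rfc2739" << "ppolicy" << "ems-core" << "hdb" << "tde-core";
	for (ldifSchemaNumber = 0; ldifSchemaNumber < (int)schemaNames.count(); ldifSchemaNumber++) {
		TQString schemaName = schemaNames[ldifSchemaNumber];
		replacePlaceholdersInFile(templateDir + "openldap/ldif/" + schemaName + ".ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}%2.ldif").arg(ldifSchemaNumber).arg(schemaName), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
	}
	// … unchanged: chmod calls …
```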
@@ -414,25 +522,6 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY
chmod(TQString(destDir + "ldap/slapd.conf").ascii(), S_IRUSR|S_IWUSR);
chmod(TQString(destDir + "ldap/slapd.defaults").ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
- pdialog.setStatusMessage(i18n("Stopping servers..."));
-
- // Stop Heimdal
- if (controlHeimdalServer(SC_STOP) != 0) {
- if (errstr) *errstr = i18n("Unable to stop Kerberos server");
- pdialog.closeDialog();
- return -1;
- }
- // Stop slapd
- if (controlLDAPServer(SC_STOP) != 0) {
- if (errstr) *errstr = i18n("Unable to stop LDAP server");
- pdialog.closeDialog();
- return -1;
- }
-
- pdialog.setStatusMessage(i18n("Purging existing LDAP database..."));
- tqApp->processEvents();
- controlLDAPServer(SC_PURGE);
-
pdialog.setStatusMessage(i18n("Loading initial database into LDAP..."));
tqApp->processEvents();
@@ -451,7 +540,7 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY
controlLDAPServer(SC_SETDBPERMS, slapd_uid, slapd_gid);
- pdialog.setStatusMessage(i18n("Starting LDAP server..."));
+ pdialog.setStatusMessage(i18n("Starting servers..."));
tqApp->processEvents();
// Start slapd
@@ -467,6 +556,42 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY
return -1;
}
+ pdialog.setStatusMessage(i18n("Initializing Kerberos database..."));
+ tqApp->processEvents();
+
+ TQString errorstring;
+ if (initializeNewKerberosRealm(realmconfig.name.upper(), &errorstring) != 0) {
+ if (errstr) *errstr = i18n("Unable to initialize Kerberos database<p>").append(errorstring);
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ // RAJA FIXME
+ // Move all those new Heimdal entries to the correct tree/branch
+ // ,o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm,dc=cluster90,dc=edu
+ TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower());
+ TQString basedcname = "dc=" + domainChunks.join(",dc=");
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "cn="+rootUserName+","+basedcname;
+ credentials->password = rootPassword;
+ credentials->realm = realmconfig.name.upper();
+ LDAPManager* ldap_mgr = new LDAPManager(realmconfig.name.upper(), realmconfig.admin_server, credentials);
+ if (ldap_mgr->moveKerberosEntries("o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm," + basedcname, &errorstring) != 0) {
+ delete ldap_mgr;
+ delete credentials;
+ if (errstr) *errstr = errorstring;
+ pdialog.closeDialog();
+ return -1;
+ }
+ delete ldap_mgr;
+ delete credentials;
+
+ // RAJA FIXME
+ // Write the ldap.conf file!
+
+ // RAJA FIXME
+ // Clean out all realms from the TDE configuration files and insert this realm ONLY!
+
// RAJA FIXME
pdialog.closeDialog();
}
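Review bot: `credentials` and `ldap_mgr` are heap-allocated and freed by hand on both return paths; if `LDAPManager`'s constructor only borrows the pointer, a stack-allocated `LDAPCredentials credentials;` plus `LDAPManager ldap_mgr(realmconfig.name.upper(), realmconfig.admin_server, &credentials);` removes both `delete` pairs, and if it takes ownership the explicit `delete credentials` here is a double free — the contract should be confirmed against libtdeldap either way. The object also carries `rootPassword` in cleartext; clearing `credentials->password` before it is freed limits how long the secret stays in process memory. `basedcname` is rederived here from `realmconfig.name.lower()` while replacePlaceholdersInFile uses a variable of the same name, so one helper should produce it for both. The hard-coded DN prefix `o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm,` and the `dc=cluster90,dc=edu` example in the FIXME deserve a named constant with a comment on where that tree comes from. The function appears to continue past the hunk.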