diff options
author | Timothy Pearson <[email protected]> | 2012-06-02 17:03:40 -0500 |
---|---|---|
committer | Timothy Pearson <[email protected]> | 2012-06-02 17:03:40 -0500 |
commit | bd05fcffd6b8bbc21ceb8511e971135e539fdc7a (patch) | |
tree | de1704c14c1165f6b9b627b8269a943acade97f8 /src/ldapcontroller.cpp | |
parent | 8daa9e9e96c6b088bfe8ed1a69947238c7d6e62e (diff) | |
download | kcmldapcontroller-bd05fcffd6b8bbc21ceb8511e971135e539fdc7a.tar.gz kcmldapcontroller-bd05fcffd6b8bbc21ceb8511e971135e539fdc7a.zip |
LDAP and Kerberos now partially work together
Diffstat (limited to 'src/ldapcontroller.cpp')
-rw-r--r-- | src/ldapcontroller.cpp | 251 |
1 files changed, 188 insertions, 63 deletions
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp index 4bcf59d..ed3449f 100644 --- a/src/ldapcontroller.cpp +++ b/src/ldapcontroller.cpp @@ -42,6 +42,8 @@ #include <tqcheckbox.h> #include <ktempdir.h> #include <kprocess.h> +#include <tdesu/process.h> +#include <libtdeldap.h> #include "sha1.h" @@ -251,43 +253,51 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi TQFile ifile(infile); TQFile ofile(outfile); - if (ifile.open(IO_ReadOnly) && ofile.open(IO_WriteOnly)) { - TQString line; - TQTextStream istream(&ifile); - TQTextStream ostream(&ofile); - while (!istream.atEnd()) { - line = istream.readLine(); - line.replace("@@@REALM_DCNAME@@@", basedcname); - line.replace("@@@REALM_UCNAME@@@", realmconfig.name.upper()); - line.replace("@@@REALM_LCNAME@@@", realmconfig.name.lower()); - line.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); - line.replace("@@@ADMINPORT@@@", TQString("%1").arg(realmconfig.admin_server_port)); - line.replace("@@@KDCSERVER@@@", realmconfig.kdc); - line.replace("@@@KDCPORT@@@", TQString("%1").arg(realmconfig.kdc_port)); - line.replace("@@@ROOTUSER@@@", rootUserName); - line.replace("@@@ROOTPW_SHA@@@", rootpw_hash); - line.replace("@@@ADMINUSER@@@", adminUserName); - line.replace("@@@ADMINGROUP@@@", adminGroupName); - line.replace("@@@ADMINPW_SHA@@@", adminpw_hash); - line.replace("@@@PKINIT_REQUIRE_EKU@@@", (realmconfig.pkinit_require_eku)?"yes":"no"); - line.replace("@@@PKINIT_REQUIRE_KRBTGT_OTHERNAME@@@", (realmconfig.pkinit_require_krbtgt_otherName)?"yes":"no"); - line.replace("@@@WIN2K_PKINIT@@@", (realmconfig.win2k_pkinit)?"yes":"no"); - line.replace("@@@WIN2K_PKINIT_REQUIRE_BINDING@@@", (realmconfig.win2k_pkinit_require_binding)?"yes":"no"); - line.replace("@@@REALM_SIMPLE_CP_NAME@@@", simpledcnamecap); - line.replace("@@@REALM_SIMPLE_LC_NAME@@@", simpledcname.lower()); - line.replace("@@@TIMESTAMP@@@", timestamp); - if (ldifSchemaNumber >= 0) { - line.replace("@@@LDIFSCHEMANUMBER@@@", TQString("%1").arg(ldifSchemaNumber)); + if (ifile.open(IO_ReadOnly)) { + if (ofile.open(IO_WriteOnly)) { + TQString line; + TQTextStream istream(&ifile); + TQTextStream ostream(&ofile); + while (!istream.atEnd()) { + line = istream.readLine(); + line.replace("@@@REALM_DCNAME@@@", basedcname); + line.replace("@@@REALM_UCNAME@@@", realmconfig.name.upper()); + line.replace("@@@REALM_LCNAME@@@", realmconfig.name.lower()); + line.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + line.replace("@@@ADMINPORT@@@", TQString("%1").arg(realmconfig.admin_server_port)); + line.replace("@@@KDCSERVER@@@", realmconfig.kdc); + line.replace("@@@KDCPORT@@@", TQString("%1").arg(realmconfig.kdc_port)); + line.replace("@@@ROOTUSER@@@", rootUserName); + line.replace("@@@ROOTPW_SHA@@@", rootpw_hash); + line.replace("@@@ADMINUSER@@@", adminUserName); + line.replace("@@@ADMINGROUP@@@", adminGroupName); + line.replace("@@@ADMINPW_SHA@@@", adminpw_hash); + line.replace("@@@PKINIT_REQUIRE_EKU@@@", (realmconfig.pkinit_require_eku)?"yes":"no"); + line.replace("@@@PKINIT_REQUIRE_KRBTGT_OTHERNAME@@@", (realmconfig.pkinit_require_krbtgt_otherName)?"yes":"no"); + line.replace("@@@WIN2K_PKINIT@@@", (realmconfig.win2k_pkinit)?"yes":"no"); + line.replace("@@@WIN2K_PKINIT_REQUIRE_BINDING@@@", (realmconfig.win2k_pkinit_require_binding)?"yes":"no"); + line.replace("@@@REALM_SIMPLE_CP_NAME@@@", simpledcnamecap); + line.replace("@@@REALM_SIMPLE_LC_NAME@@@", simpledcname.lower()); + line.replace("@@@TIMESTAMP@@@", timestamp); + if (ldifSchemaNumber >= 0) { + line.replace("@@@LDIFSCHEMANUMBER@@@", TQString("%1").arg(ldifSchemaNumber)); + } + ostream << line << "\n"; + } + ifile.close(); + ofile.close(); + + // Set permissions + if ((userid > 0) && (groupid > 0)) { + chown(outfile.ascii(), userid, groupid); } - ostream << line << "\n"; } - ifile.close(); - ofile.close(); + else { + KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(infile), i18n("Internal Failure")); + } } - - // Set permissions - if ((userid > 0) && (groupid > 0)) { - chown(outfile.ascii(), userid, groupid); + else { + KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure")); } // Keep UI responsive @@ -333,6 +343,7 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr // FIXME // This assumes Debian! system("rm -rf /var/lib/ldap/*"); + system("rm -rf /etc/ldap/slapd.d/cn=config/cn=schema/*"); } if (command == SC_SETDBPERMS) { if ((userid > 0) && (groupid > 0)) { @@ -348,6 +359,67 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr return -2; } +TQString readFullLineFromPtyProcess(PtyProcess* proc) { + TQString result = ""; + while ((!result.contains("\n")) && (!result.contains(":")) && (!result.contains(">"))) { + result = result + TQString(proc->readLine(false)); + tqApp->processEvents(); + } + return result; +} + +int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *errstr) { + TQCString command = "kadmin"; + QCStringList args; + args << TQCString("-l"); + + TQString prompt; + PtyProcess kadminProc; + kadminProc.exec(command, args); + prompt = kadminProc.readLine(true); + prompt = prompt.stripWhiteSpace(); + if (prompt == "kadmin>") { + kadminProc.writeLine(TQCString("init "+realmName), true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = readFullLineFromPtyProcess(&kadminProc); + prompt = prompt.stripWhiteSpace(); + if (prompt.contains("authentication failed")) { + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + else if (prompt.startsWith("Realm max")) { + kadminProc.writeLine("unlimited", true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = readFullLineFromPtyProcess(&kadminProc); + prompt = prompt.stripWhiteSpace(); + if (prompt.startsWith("Realm max")) { + kadminProc.writeLine("unlimited", true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = readFullLineFromPtyProcess(&kadminProc); + prompt = prompt.stripWhiteSpace(); + } + if (prompt != "kadmin>") { + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + + // Success! + kadminProc.writeLine("quit", true); + return 0; + } + + // Failure + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + + if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed."; + return 1; // Failure +} + int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr) { int ldifSchemaNumber; @@ -368,15 +440,39 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r KTempDir configTempDir; configTempDir.setAutoDelete(true); -configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY +configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME TQString destDir = "/etc/"; - mkdir(TQString(destDir + "heimdal").ascii(), S_IRUSR|S_IWUSR|S_IXUSR); - mkdir(TQString(destDir + "openldap").ascii(), S_IRUSR|S_IWUSR|S_IXUSR); - mkdir(TQString(destDir + "openldap/ldap").ascii(), S_IRUSR|S_IWUSR|S_IXUSR); + pdialog.setStatusMessage(i18n("Stopping servers...")); + + // Stop Heimdal + if (controlHeimdalServer(SC_STOP) != 0) { + if (errstr) *errstr = i18n("Unable to stop Kerberos server"); + pdialog.closeDialog(); + return -1; + } + // Stop slapd + if (controlLDAPServer(SC_STOP) != 0) { + if (errstr) *errstr = i18n("Unable to stop LDAP server"); + pdialog.closeDialog(); + return -1; + } + + pdialog.setStatusMessage(i18n("Purging existing LDAP database...")); + tqApp->processEvents(); + controlLDAPServer(SC_PURGE); + + pdialog.setStatusMessage(i18n("Installing new LDAP schema...")); + tqApp->processEvents(); + + mkdir(TQString(destDir + "heimdal-kdc").ascii(), S_IRUSR|S_IWUSR|S_IXUSR); + mkdir(TQString(destDir + "ldap").ascii(), S_IRUSR|S_IWUSR|S_IXUSR); + mkdir(TQString(destDir + "ldap/slapd.d").ascii(), S_IRUSR|S_IWUSR|S_IXUSR); + mkdir(TQString(destDir + "ldap/slapd.d/cn=config").ascii(), S_IRUSR|S_IWUSR|S_IXUSR); + mkdir(TQString(destDir + "ldap/slapd.d/cn=config/cn=schema").ascii(), S_IRUSR|S_IWUSR|S_IXUSR); replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", destDir + "heimdal.defaults", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword); - replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", destDir + "kadmind.acl", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword); + replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", destDir + "heimdal-kdc/kadmind.acl", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword); replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword); replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword); @@ -397,16 +493,28 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY replacePlaceholdersInFile(templateDir + "openldap/ldif/olcDatabase.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid); // Schema files - ldifSchemaNumber = 10; + ldifSchemaNumber = 0; + replacePlaceholdersInFile(templateDir + "openldap/ldif/core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid); + ldifSchemaNumber = 1; + replacePlaceholdersInFile(templateDir + "openldap/ldif/cosine.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}cosine.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid); + ldifSchemaNumber = 2; + replacePlaceholdersInFile(templateDir + "openldap/ldif/inetorgperson.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}inetorgperson.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid); + ldifSchemaNumber = 3; + replacePlaceholdersInFile(templateDir + "openldap/ldif/rfc2307bis.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}rfc2307bis.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid); + ldifSchemaNumber = 4; + replacePlaceholdersInFile(templateDir + "openldap/ldif/rfc2739.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}rfc2739.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid); + ldifSchemaNumber = 5; + replacePlaceholdersInFile(templateDir + "openldap/ldif/ppolicy.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}ppolicy.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid); + ldifSchemaNumber = 6; replacePlaceholdersInFile(templateDir + "openldap/ldif/ems-core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}ems-core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid); - ldifSchemaNumber = 11; + ldifSchemaNumber = 7; replacePlaceholdersInFile(templateDir + "openldap/ldif/hdb.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid); - ldifSchemaNumber = 12; + ldifSchemaNumber = 8; replacePlaceholdersInFile(templateDir + "openldap/ldif/tde-core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}tde-core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid); // Set permissions chmod(TQString(destDir + "heimdal.defaults").ascii(), S_IRUSR|S_IWUSR|S_IRGRP); - chmod(TQString(destDir + "kadmind.acl").ascii(), S_IRUSR|S_IWUSR|S_IRGRP); + chmod(TQString(destDir + "heimdal-kdc/kadmind.acl").ascii(), S_IRUSR|S_IWUSR|S_IRGRP); chmod(TQString(destDir + "heimdal-kdc/kdc.conf").ascii(), S_IRUSR|S_IWUSR|S_IRGRP); chmod(TQString(destDir + "krb5.conf").ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); @@ -414,25 +522,6 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY chmod(TQString(destDir + "ldap/slapd.conf").ascii(), S_IRUSR|S_IWUSR); chmod(TQString(destDir + "ldap/slapd.defaults").ascii(), S_IRUSR|S_IWUSR|S_IRGRP); - pdialog.setStatusMessage(i18n("Stopping servers...")); - - // Stop Heimdal - if (controlHeimdalServer(SC_STOP) != 0) { - if (errstr) *errstr = i18n("Unable to stop Kerberos server"); - pdialog.closeDialog(); - return -1; - } - // Stop slapd - if (controlLDAPServer(SC_STOP) != 0) { - if (errstr) *errstr = i18n("Unable to stop LDAP server"); - pdialog.closeDialog(); - return -1; - } - - pdialog.setStatusMessage(i18n("Purging existing LDAP database...")); - tqApp->processEvents(); - controlLDAPServer(SC_PURGE); - pdialog.setStatusMessage(i18n("Loading initial database into LDAP...")); tqApp->processEvents(); @@ -451,7 +540,7 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY controlLDAPServer(SC_SETDBPERMS, slapd_uid, slapd_gid); - pdialog.setStatusMessage(i18n("Starting LDAP server...")); + pdialog.setStatusMessage(i18n("Starting servers...")); tqApp->processEvents(); // Start slapd @@ -467,6 +556,42 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY return -1; } + pdialog.setStatusMessage(i18n("Initializing Kerberos database...")); + tqApp->processEvents(); + + TQString errorstring; + if (initializeNewKerberosRealm(realmconfig.name.upper(), &errorstring) != 0) { + if (errstr) *errstr = i18n("Unable to initialize Kerberos database<p>").append(errorstring); + pdialog.closeDialog(); + return -1; + } + + // RAJA FIXME + // Move all those new Heimdal entries to the correct tree/branch + // ,o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm,dc=cluster90,dc=edu + TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower()); + TQString basedcname = "dc=" + domainChunks.join(",dc="); + LDAPCredentials* credentials = new LDAPCredentials; + credentials->username = "cn="+rootUserName+","+basedcname; + credentials->password = rootPassword; + credentials->realm = realmconfig.name.upper(); + LDAPManager* ldap_mgr = new LDAPManager(realmconfig.name.upper(), realmconfig.admin_server, credentials); + if (ldap_mgr->moveKerberosEntries("o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm," + basedcname, &errorstring) != 0) { + delete ldap_mgr; + delete credentials; + if (errstr) *errstr = errorstring; + pdialog.closeDialog(); + return -1; + } + delete ldap_mgr; + delete credentials; + + // RAJA FIXME + // Write the ldap.conf file! + + // RAJA FIXME + // Clean out all realms from the TDE configuration files and insert this realm ONLY! + // RAJA FIXME pdialog.closeDialog(); } |