author | Timothy Pearson <[email protected]> | 2012-06-06 04:16:24 -0500 |
---|---|---|
committer | Timothy Pearson <[email protected]> | 2012-06-06 04:16:24 -0500 |
commit | 75044dd48af51f848e49f6705ec6e9423571dd8c (patch) | |
tree | a973bc28051a6706dc6e28f807538bc3e8f3488c /src/ldapcontroller.cpp | |
parent | bf4dbda9682241deffb3ec704e2597a12496d2a8 (diff) | |
download | kcmldapcontroller-75044dd48af51f848e49f6705ec6e9423571dd8c.tar.gz kcmldapcontroller-75044dd48af51f848e49f6705ec6e9423571dd8c.zip |
Add ssl generation and storage
Diffstat (limited to 'src/ldapcontroller.cpp')
-rw-r--r-- | src/ldapcontroller.cpp | 212 |
1 files changed, 199 insertions, 13 deletions
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp index 58cfff1..a23e5cf 100644 --- a/src/ldapcontroller.cpp +++ b/src/ldapcontroller.cpp @@ -63,13 +63,35 @@ // RedHat would be "/etc/sysconfig/ldap" #define LDAP_DEFAULT_FILE "/etc/default/slapd" #define HEIMDAL_DEFAULT_FILE "/etc/default/heimdal-kdc" -#define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl" #define SASL_DEFAULT_FILE "/etc/default/saslauthd" #define SASL_CONTROL_FILE "/etc/ldap/sasl2/slapd.conf" +#define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl" +#define TDE_CERTIFICATE_DIR "/etc/trinity/ldap/tde-ca/" +#define KERBEROS_PKI_ANCHORDIR "/etc/trinity/ldap/tde-ca/anchors/" +#define KERBEROS_PKI_PRIVATEDIR "/etc/trinity/ldap/tde-ca/private/" +#define KERBEROS_PKI_PUBLICDIR "/etc/trinity/ldap/tde-ca/public/" +#define KERBEROS_PKI_PEM_FILE KERBEROS_PKI_ANCHORDIR "tdeca.pem" +#define KERBEROS_PKI_PEMKEY_FILE KERBEROS_PKI_ANCHORDIR "tdeca.key.pem" +#define KERBEROS_PKI_KDC_FILE KERBEROS_PKI_PUBLICDIR "@@@KDCSERVER@@@.pki.crt" +#define KERBEROS_PKI_KDCKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.key" +#define KERBEROS_PKI_KDCREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.req" + +#define LDAP_CERT_FILE KERBEROS_PKI_PUBLICDIR "@@@ADMINSERVER@@@.ldap.crt" +#define LDAP_CERTKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.key" +#define LDAP_CERTREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.req" + +#define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions" + #define ROLE_WORKSTATION 0 #define ROLE_REALM_CONTROLLER 1 +#define KEY_STRENGTH 2048 + +// RAJA FIXME +// Provide a way to change the LDAP root password +// in the olcDatabase (field olcRootPW) after installation! + typedef KGenericFactory<LDAPController, TQWidget> ldapFactory; K_EXPORT_COMPONENT_FACTORY( kcm_ldapcontroller, ldapFactory("kcmldapcontroller")) 
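Review bot: The CA signing key is placed in the anchors directory by `#define KERBEROS_PKI_PEMKEY_FILE KERBEROS_PKI_ANCHORDIR "tdeca.key.pem"`, while every other private key declared in this block lives under KERBEROS_PKI_PRIVATEDIR. If anchors/ is meant to hold the trust anchor handed out to clients (its name and the world-readable mode it is given later in this commit suggest so), the key belongs in `#define KERBEROS_PKI_PEMKEY_FILE KERBEROS_PKI_PRIVATEDIR "tdeca.key.pem"` so that a listing, export or backup of the anchors never includes the key that signs the realm. A short comment above the group such as `// anchors/: CA certificate distributed to clients; private/: keys, never exported; public/: issued certificates` would record the intended split for the next person editing these paths.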
@@ -145,7 +167,7 @@ void LDAPController::systemRoleChanged() { // Something will probably change save(); - RealmWizard realmwizard(this, m_fqdn, this); + RealmWizard realmwizard(this, m_fqdn, m_certconfig, this); if (realmwizard.exec() < 0) { // Wizard was cancelled // Back out all changes! @@ -191,6 +213,18 @@ void LDAPController::load() { m_base->systemRole->setCurrentItem(ROLE_WORKSTATION); } m_prevRole = m_base->systemRole->currentItem(); + + // Load cert config + m_systemconfig->setGroup("Certificates"); + m_certconfig.countryName = m_systemconfig->readEntry("countryName"); + m_certconfig.stateOrProvinceName = m_systemconfig->readEntry("stateOrProvinceName"); + m_certconfig.localityName = m_systemconfig->readEntry("localityName"); + m_certconfig.organizationName = m_systemconfig->readEntry("organizationName"); + m_certconfig.orgUnitName = m_systemconfig->readEntry("orgUnitName"); + m_certconfig.commonName = m_systemconfig->readEntry("commonName"); + m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress"); + + m_systemconfig->setGroup(NULL); } void LDAPController::defaults() { 
@@ -202,6 +236,18 @@ void LDAPController::save() { m_systemconfig->writeEntry("EnableLDAP", m_base->systemEnableSupport->isChecked()); m_systemconfig->writeEntry("LDAPRole", m_base->systemRole->currentText()); + // Write cert config + m_systemconfig->setGroup("Certificates"); + m_systemconfig->writeEntry("countryName", m_certconfig.countryName); + m_systemconfig->writeEntry("stateOrProvinceName", m_certconfig.stateOrProvinceName); + m_systemconfig->writeEntry("localityName", m_certconfig.localityName); + m_systemconfig->writeEntry("organizationName", m_certconfig.organizationName); + m_systemconfig->writeEntry("orgUnitName", m_certconfig.orgUnitName); + m_systemconfig->writeEntry("commonName", m_certconfig.commonName); + m_systemconfig->writeEntry("emailAddress", m_certconfig.emailAddress); + + m_systemconfig->setGroup(NULL); + m_systemconfig->sync(); if (m_base->systemEnableSupport->isChecked()) { @@ -228,8 +274,6 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi sha.process(adminPassword, strlen(rootPassword)); TQString adminpw_hash = sha.base64Hash(); - // RAJA FIXME - // Created needed strings TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower()); TQString basedcname = "dc=" + domainChunks.join(",dc="); @@ -241,6 +285,15 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi timestamp.replace(":", ""); timestamp.replace("T", ""); + TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; + TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE; + TQString ldap_certfile = LDAP_CERT_FILE; + TQString ldap_keyfile = LDAP_CERTKEY_FILE; + kdc_certfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); + kdc_keyfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); + ldap_certfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + ldap_keyfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + TQFile ifile(infile); TQFile ofile(outfile); if (ifile.open(IO_ReadOnly)) { 
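Review bot: Removing the `// RAJA FIXME` in the replacePlaceholdersInFile hunk leaves the line directly above it, `sha.process(adminPassword, strlen(rootPassword));`, hashing adminPassword with the length of rootPassword, so the stored admin hash is wrong (or reads past the buffer) whenever the two passwords differ in length, unless the caller guarantees equal lengths. The fix is `sha.process(adminPassword, strlen(adminPassword));`, and the FIXME should stay until that is done. The rest of replacePlaceholdersInFile lies outside these hunks.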
@@ -275,6 +328,12 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi line.replace("@@@LDAP_GROUP_NAME@@@", ldapgroupname); line.replace("@@@TDELIBDIR@@@", TDE_LIBDIR); line.replace("@@@HEIMDALACLFILE@@@", HEIMDAL_ACL_FILE); + line.replace("@@@KRBPKIPEMFILE@@@", KERBEROS_PKI_PEM_FILE); + line.replace("@@@KRBPKIPEMKEYFILE@@@", KERBEROS_PKI_PEMKEY_FILE); + line.replace("@@@KRBKDCPEMFILE@@@", kdc_certfile); + line.replace("@@@KRBKDCPEMKEYFILE@@@", kdc_keyfile); + line.replace("@@@LDAPPEMFILE@@@", ldap_certfile); + line.replace("@@@LDAPPEMKEYFILE@@@", ldap_keyfile); if (ldifSchemaNumber >= 0) { line.replace("@@@LDIFSCHEMANUMBER@@@", TQString("%1").arg(ldifSchemaNumber)); } 
@@ -683,7 +742,64 @@ int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *e return 1; // Failure } -int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr) { +int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmConfig realmconfig, uid_t ldap_uid, gid_t ldap_gid) { + // Certificate authority certificate + TQString command; + command = TQString("openssl genrsa -out %1 %2").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KEY_STRENGTH); + system(command); + chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR); + chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0); + + command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); + system(command); + chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chown(KERBEROS_PKI_PEM_FILE, 0, 0); + + // KDC certificate + TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; + TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE; + TQString kdc_reqfile = KERBEROS_PKI_KDCREQ_FILE; + kdc_certfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); + kdc_keyfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); + kdc_reqfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); + command = TQString("openssl genrsa -out %1 %2").arg(kdc_keyfile).arg(KEY_STRENGTH); + system(command); + chmod(kdc_keyfile.ascii(), S_IRUSR|S_IWUSR); + chown(kdc_keyfile.ascii(), 0, 0); + + command = TQString("openssl req -new -out %1 -key %2 -subj 
\"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); + system(command); + command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE); + system(command); + chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chown(kdc_certfile.ascii(), 0, 0); + unlink(kdc_reqfile.ascii()); + unlink(OPENSSL_EXTENSIONS_FILE); + + // LDAP certificate + TQString ldap_certfile = LDAP_CERT_FILE; + TQString ldap_keyfile = LDAP_CERTKEY_FILE; + TQString ldap_reqfile = LDAP_CERTREQ_FILE; + ldap_certfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + ldap_keyfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + ldap_reqfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + command = TQString("openssl genrsa -out %1 %2").arg(ldap_keyfile).arg(KEY_STRENGTH); + system(command); + chmod(ldap_keyfile.ascii(), S_IRUSR|S_IWUSR); + chown(ldap_keyfile.ascii(), ldap_uid, ldap_gid); + + command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmconfig.admin_server).arg(certinfo.emailAddress); + system(command); + command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile); + system(command); + chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chown(ldap_certfile.ascii(), ldap_uid, 
ldap_gid); + unlink(ldap_reqfile.ascii()); + + return 0; +} + +int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) { int ldifSchemaNumber; ProcessingDialog pdialog(dialogparent); 
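Review bot: createRealmCertificates returns 0 unconditionally and discards every `system(command)` result, so the `!= 0` check its caller adds later in this commit can never fire and a failed openssl step leaves the realm without a key or certificate while installation carries on. The same commands splice certinfo.countryName, stateOrProvinceName and the other form fields into a shell string inside `-subj \"...\"`, so a quote, backtick or `$(` in a field (or a space in a path) changes the command rather than the subject. Both issues disappear if the commands run without a shell through a small fork/execvp helper that returns the exit status, with `umask(077)` set in the child so the key files genrsa writes are never group/world readable before the later `chmod`, which currently depends on the process umask. The sketch below shows the helper (it needs <sys/wait.h> and <vector>) and the first two steps; the remaining genrsa/req/x509 steps follow the same pattern, each aborting with -1 on a non-zero status.
```cpp
// Runs argv[0] with argv[1..] directly (no shell), so subject fields and
// paths are passed verbatim; returns the exit status, or -1 on failure.
static int runCommand(const TQStringList& argv) {
	std::vector<const char*> args;
	for (TQStringList::ConstIterator it = argv.begin(); it != argv.end(); ++it) {
		args.push_back((*it).ascii());
	}
	args.push_back(NULL);
	pid_t pid = fork();
	if (pid == 0) {
		umask(077);	// key files must never be readable by others, even briefly
		execvp(args[0], const_cast<char* const*>(&args[0]));
		_exit(127);
	}
	int status = 0;
	if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) {
		return -1;
	}
	return WEXITSTATUS(status);
}

int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmConfig realmconfig, uid_t ldap_uid, gid_t ldap_gid) {
	// Certificate authority certificate
	TQStringList args;
	args << "openssl" << "genrsa" << "-out" << KERBEROS_PKI_PEMKEY_FILE << TQString::number(KEY_STRENGTH);
	if (runCommand(args) != 0) {
		return -1;
	}
	chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
	chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0);

	args.clear();
	args << "openssl" << "req" << "-key" << KERBEROS_PKI_PEMKEY_FILE << "-new" << "-x509" << "-out" << KERBEROS_PKI_PEM_FILE
	     << "-subj" << TQString("/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
	if (runCommand(args) != 0) {
		return -1;
	}
	// … unchanged: chmod/chown of the CA certificate, then the KDC and LDAP steps, each checked the same way …
```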
@@ -747,19 +863,17 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME mkdir(TQString(destDir + "ldap/slapd.d/cn=config").ascii(), S_IRUSR|S_IWUSR|S_IXUSR); mkdir(TQString(destDir + "ldap/slapd.d/cn=config/cn=schema").ascii(), S_IRUSR|S_IWUSR|S_IXUSR); + mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + mkdir(KERBEROS_PKI_ANCHORDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + mkdir(KERBEROS_PKI_PRIVATEDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + // Heimdal replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", HEIMDAL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", HEIMDAL_ACL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); -// RAJA DEBUG -// if (system("kstash --random-key") != 0) { -// if (errstr) *errstr = i18n("Unable to create Kerberos foundational key"); -// pdialog.closeDialog(); -// return -1; -// } - // OpenLDAP replacePlaceholdersInFile(templateDir + "openldap/skel.ldif", configTempDir.name() + "skel.ldif", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); // replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.conf", destDir + "ldap/slapd.conf", realmconfig, adminUserName, adminGroupName, 
machineAdminGroupName, adminPassword, rootUserName, rootPassword); @@ -769,6 +883,9 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME replacePlaceholdersInFile(templateDir + "sasl/saslauthd.defaults", SASL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); + // OpenSSL + replacePlaceholdersInFile(templateDir + "openssl/pki_extensions", OPENSSL_EXTENSIONS_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); + // FIXME // This assumes Debian! // Grant LDAP access to SASL mux pipe 
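Review bot: KERBEROS_PKI_PRIVATEDIR is created with the same `S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH` (0755) mode as the public and anchor directories, so the directory holding the CA, KDC and LDAP private keys is searchable by every local user and only the later per-file chmod stands between a key and other accounts. Create it as `mkdir(KERBEROS_PKI_PRIVATEDIR, S_IRWXU|S_IRGRP|S_IXGRP);` followed by `chown(KERBEROS_PKI_PRIVATEDIR, 0, slapd_gid);` so slapd can still traverse to its own key (slapd_gid is used further down in this function; confirm it is already set at this point). The four `mkdir` results are also discarded; anything other than success or EEXIST should abort before keys are written into a directory that may not exist. The enclosing function starts and ends outside this hunk.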
@@ -839,7 +956,62 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME chmod(TQString(LDAP_DEFAULT_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP); chmod(TQString(SASL_DEFAULT_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP); - chmod(TQString(SASL_CONTROL_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP); + chmod(TQString(SASL_CONTROL_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + + pdialog.setStatusMessage(i18n("Installing realm certificates...")); + tqApp->processEvents(); + + if (certinfo.generate_certs) { + // Generate certificates + if (createRealmCertificates(certinfo, realmconfig, slapd_uid, slapd_gid) != 0) { + if (errstr) *errstr = i18n("Unable to install realm certificates"); + pdialog.closeDialog(); + return -1; + } + m_certconfig = certinfo; + } + else { + // Copy certificates + TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; + TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE; + kdc_certfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); + kdc_keyfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); + TQString ldap_certfile = LDAP_CERT_FILE; + TQString ldap_keyfile = LDAP_CERTKEY_FILE; + ldap_certfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + ldap_keyfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + + // Copy files + // FIXME + // There has GOT to be a better way to do this than system()!!! 
+ TQString command; + command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_pem).arg(KERBEROS_PKI_PEMKEY_FILE); + system(command); + command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_pemkey).arg(KERBEROS_PKI_PEM_FILE); + system(command); + command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_crt).arg(kdc_certfile); + system(command); + command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_key).arg(kdc_keyfile); + system(command); + command = TQString("cp %1 %2").arg(certinfo.provided_ldap_crt).arg(ldap_certfile); + system(command); + command = TQString("cp %1 %2").arg(certinfo.provided_ldap_key).arg(ldap_keyfile); + system(command); + + // Set permissions + chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR); + chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0); + chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chown(KERBEROS_PKI_PEM_FILE, 0, 0); + chmod(kdc_keyfile.ascii(), S_IRUSR|S_IWUSR); + chown(kdc_keyfile.ascii(), 0, 0); + chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chown(kdc_certfile.ascii(), 0, 0); + chmod(ldap_keyfile.ascii(), S_IRUSR|S_IWUSR); + chown(ldap_keyfile.ascii(), slapd_uid, slapd_gid); + chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chown(ldap_certfile.ascii(), slapd_uid, slapd_gid); + } pdialog.setStatusMessage(i18n("Loading initial database into LDAP...")); tqApp->processEvents(); @@ -920,6 +1092,20 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME pdialog.closeDialog(); return -1; } + + // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server + TQFile cafile(KERBEROS_PKI_PEM_FILE); + if (cafile.open(IO_ReadOnly)) { + TQByteArray cafiledata = cafile.readAll(); + if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", &errorstring) != 0) { + delete ldap_mgr; + delete credentials; + if (errstr) *errstr = errorstring; + pdialog.closeDialog(); + return -1; + } + } + delete ldap_mgr; delete credentials; |
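Review bot: In the copy branch the two CA arguments look swapped: `cp %1 %2` copies certinfo.provided_kerberos_pem onto KERBEROS_PKI_PEMKEY_FILE and certinfo.provided_kerberos_pemkey onto KERBEROS_PKI_PEM_FILE, so unless the field names are misleading the administrator's CA private key lands at the certificate path, is chmod'ed world-readable a few lines later, and is then uploaded to the directory as publicRootCertificate by the next hunk. Swap the destinations: `arg(certinfo.provided_kerberos_pem).arg(KERBEROS_PKI_PEM_FILE)` and `arg(certinfo.provided_kerberos_pemkey).arg(KERBEROS_PKI_PEMKEY_FILE)`. The six copies also run through `system("cp ...")` with unquoted, user-chosen paths and create the destination with the default umask before the permission block runs, which the FIXME above them already acknowledges; copying with TQFile into a destination opened with mode 0600, or a fork/exec of cp, would close both. This branch also leaves `m_certconfig = certinfo;` to the generate branch only; confirm the copy branch is meant to leave the stored certificate config unchanged.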
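Review bot: If `cafile.open(IO_ReadOnly)` fails, the upload of the CA certificate is silently skipped and createNewLDAPRealm still returns success, leaving clients with no publicRootCertificate to fetch, whereas every other failure in this function sets errstr and returns -1. Add the matching else branch: `else { delete ldap_mgr; delete credentials; if (errstr) *errstr = i18n("Unable to read the realm CA certificate"); pdialog.closeDialog(); return -1; }`. A one-line comment above the TQFile, e.g. `// Publish the CA certificate so workstations can verify the KDC and LDAP server`, would also explain why this upload is part of realm creation. createNewLDAPRealm starts well before this hunk.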