authorTimothy Pearson <[email protected]>2012-06-06 04:16:24 -0500
committerTimothy Pearson <[email protected]>2012-06-06 04:16:24 -0500
commit75044dd48af51f848e49f6705ec6e9423571dd8c (patch)
treea973bc28051a6706dc6e28f807538bc3e8f3488c /src/ldapcontroller.cpp
parentbf4dbda9682241deffb3ec704e2597a12496d2a8 (diff)
downloadkcmldapcontroller-75044dd48af51f848e49f6705ec6e9423571dd8c.tar.gz
kcmldapcontroller-75044dd48af51f848e49f6705ec6e9423571dd8c.zip
Add ssl generation and storage
Diffstat (limited to 'src/ldapcontroller.cpp')
-rw-r--r--src/ldapcontroller.cpp212
1 files changed, 199 insertions, 13 deletions
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index 58cfff1..a23e5cf 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -63,13 +63,35 @@
// RedHat would be "/etc/sysconfig/ldap"
#define LDAP_DEFAULT_FILE "/etc/default/slapd"
#define HEIMDAL_DEFAULT_FILE "/etc/default/heimdal-kdc"
-#define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl"
#define SASL_DEFAULT_FILE "/etc/default/saslauthd"
#define SASL_CONTROL_FILE "/etc/ldap/sasl2/slapd.conf"
+#define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl"
+#define TDE_CERTIFICATE_DIR "/etc/trinity/ldap/tde-ca/"
+#define KERBEROS_PKI_ANCHORDIR "/etc/trinity/ldap/tde-ca/anchors/"
+#define KERBEROS_PKI_PRIVATEDIR "/etc/trinity/ldap/tde-ca/private/"
+#define KERBEROS_PKI_PUBLICDIR "/etc/trinity/ldap/tde-ca/public/"
+#define KERBEROS_PKI_PEM_FILE KERBEROS_PKI_ANCHORDIR "tdeca.pem"
+#define KERBEROS_PKI_PEMKEY_FILE KERBEROS_PKI_ANCHORDIR "tdeca.key.pem"
+#define KERBEROS_PKI_KDC_FILE KERBEROS_PKI_PUBLICDIR "@@@KDCSERVER@@@.pki.crt"
+#define KERBEROS_PKI_KDCKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.key"
+#define KERBEROS_PKI_KDCREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.req"
+
+#define LDAP_CERT_FILE KERBEROS_PKI_PUBLICDIR "@@@ADMINSERVER@@@.ldap.crt"
+#define LDAP_CERTKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.key"
+#define LDAP_CERTREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.req"
+
+#define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions"
+
#define ROLE_WORKSTATION 0
#define ROLE_REALM_CONTROLLER 1
+#define KEY_STRENGTH 2048
+
+// RAJA FIXME
+// Provide a way to change the LDAP root password
+// in the olcDatabase (field olcRootPW) after installation!
+
typedef KGenericFactory<LDAPController, TQWidget> ldapFactory;
K_EXPORT_COMPONENT_FACTORY( kcm_ldapcontroller, ldapFactory("kcmldapcontroller"))
@@ -145,7 +167,7 @@ void LDAPController::systemRoleChanged() {
// Something will probably change
save();
- RealmWizard realmwizard(this, m_fqdn, this);
+ RealmWizard realmwizard(this, m_fqdn, m_certconfig, this);
if (realmwizard.exec() < 0) {
// Wizard was cancelled
// Back out all changes!
@@ -191,6 +213,18 @@ void LDAPController::load() {
m_base->systemRole->setCurrentItem(ROLE_WORKSTATION);
}
m_prevRole = m_base->systemRole->currentItem();
+
+ // Load cert config
+ m_systemconfig->setGroup("Certificates");
+ m_certconfig.countryName = m_systemconfig->readEntry("countryName");
+ m_certconfig.stateOrProvinceName = m_systemconfig->readEntry("stateOrProvinceName");
+ m_certconfig.localityName = m_systemconfig->readEntry("localityName");
+ m_certconfig.organizationName = m_systemconfig->readEntry("organizationName");
+ m_certconfig.orgUnitName = m_systemconfig->readEntry("orgUnitName");
+ m_certconfig.commonName = m_systemconfig->readEntry("commonName");
+ m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress");
+
+ m_systemconfig->setGroup(NULL);
}
void LDAPController::defaults() {
@@ -202,6 +236,18 @@ void LDAPController::save() {
m_systemconfig->writeEntry("EnableLDAP", m_base->systemEnableSupport->isChecked());
m_systemconfig->writeEntry("LDAPRole", m_base->systemRole->currentText());
+ // Write cert config
+ m_systemconfig->setGroup("Certificates");
+ m_systemconfig->writeEntry("countryName", m_certconfig.countryName);
+ m_systemconfig->writeEntry("stateOrProvinceName", m_certconfig.stateOrProvinceName);
+ m_systemconfig->writeEntry("localityName", m_certconfig.localityName);
+ m_systemconfig->writeEntry("organizationName", m_certconfig.organizationName);
+ m_systemconfig->writeEntry("orgUnitName", m_certconfig.orgUnitName);
+ m_systemconfig->writeEntry("commonName", m_certconfig.commonName);
+ m_systemconfig->writeEntry("emailAddress", m_certconfig.emailAddress);
+
+ m_systemconfig->setGroup(NULL);
+
m_systemconfig->sync();
if (m_base->systemEnableSupport->isChecked()) {
@@ -228,8 +274,6 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
sha.process(adminPassword, strlen(rootPassword));
TQString adminpw_hash = sha.base64Hash();
- // RAJA FIXME
-
// Created needed strings
TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower());
TQString basedcname = "dc=" + domainChunks.join(",dc=");
@@ -241,6 +285,15 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
timestamp.replace(":", "");
timestamp.replace("T", "");
+ TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
+ TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE;
+ TQString ldap_certfile = LDAP_CERT_FILE;
+ TQString ldap_keyfile = LDAP_CERTKEY_FILE;
+ kdc_certfile.replace("@@@KDCSERVER@@@", realmconfig.kdc);
+ kdc_keyfile.replace("@@@KDCSERVER@@@", realmconfig.kdc);
+ ldap_certfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server);
+ ldap_keyfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server);
+
TQFile ifile(infile);
TQFile ofile(outfile);
if (ifile.open(IO_ReadOnly)) {
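Review bot: realmconfig.kdc and realmconfig.admin_server are spliced straight into filesystem paths at the four `.replace("@@@KDCSERVER@@@", …)` / `.replace("@@@ADMINSERVER@@@", …)` lines with no validation, so a value containing `/` or `..` silently changes which key and certificate paths the templates are told to use (and, in createRealmCertificates, where the keys are written). If these come from wizard text fields, reject anything that is not a plain host name before substituting, e.g. `if (realmconfig.kdc.contains('/') || realmconfig.kdc.contains("..") || realmconfig.admin_server.contains('/') || realmconfig.admin_server.contains("..")) return;`, or validate once in the wizard. Unrelated to this hunk but in the same function, the context line `sha.process(adminPassword, strlen(rootPassword))` in the previous hunk hashes one buffer with the other's length; it predates this commit but belongs in the same fix. replacePlaceholdersInFile starts and ends outside this hunk.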
@@ -275,6 +328,12 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
line.replace("@@@LDAP_GROUP_NAME@@@", ldapgroupname);
line.replace("@@@TDELIBDIR@@@", TDE_LIBDIR);
line.replace("@@@HEIMDALACLFILE@@@", HEIMDAL_ACL_FILE);
+ line.replace("@@@KRBPKIPEMFILE@@@", KERBEROS_PKI_PEM_FILE);
+ line.replace("@@@KRBPKIPEMKEYFILE@@@", KERBEROS_PKI_PEMKEY_FILE);
+ line.replace("@@@KRBKDCPEMFILE@@@", kdc_certfile);
+ line.replace("@@@KRBKDCPEMKEYFILE@@@", kdc_keyfile);
+ line.replace("@@@LDAPPEMFILE@@@", ldap_certfile);
+ line.replace("@@@LDAPPEMKEYFILE@@@", ldap_keyfile);
if (ldifSchemaNumber >= 0) {
line.replace("@@@LDIFSCHEMANUMBER@@@", TQString("%1").arg(ldifSchemaNumber));
}
@@ -683,7 +742,64 @@ int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *e
return 1; // Failure
}
-int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr) {
+int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmConfig realmconfig, uid_t ldap_uid, gid_t ldap_gid) {
+ // Certificate authority certificate
+ TQString command;
+ command = TQString("openssl genrsa -out %1 %2").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KEY_STRENGTH);
+ system(command);
+ chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
+ chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
+
+ command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
+ system(command);
+ chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ chown(KERBEROS_PKI_PEM_FILE, 0, 0);
+
+ // KDC certificate
+ TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
+ TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE;
+ TQString kdc_reqfile = KERBEROS_PKI_KDCREQ_FILE;
+ kdc_certfile.replace("@@@KDCSERVER@@@", realmconfig.kdc);
+ kdc_keyfile.replace("@@@KDCSERVER@@@", realmconfig.kdc);
+ kdc_reqfile.replace("@@@KDCSERVER@@@", realmconfig.kdc);
+ command = TQString("openssl genrsa -out %1 %2").arg(kdc_keyfile).arg(KEY_STRENGTH);
+ system(command);
+ chmod(kdc_keyfile.ascii(), S_IRUSR|S_IWUSR);
+ chown(kdc_keyfile.ascii(), 0, 0);
+
+ command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
+ system(command);
+ command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE);
+ system(command);
+ chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ chown(kdc_certfile.ascii(), 0, 0);
+ unlink(kdc_reqfile.ascii());
+ unlink(OPENSSL_EXTENSIONS_FILE);
+
+ // LDAP certificate
+ TQString ldap_certfile = LDAP_CERT_FILE;
+ TQString ldap_keyfile = LDAP_CERTKEY_FILE;
+ TQString ldap_reqfile = LDAP_CERTREQ_FILE;
+ ldap_certfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server);
+ ldap_keyfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server);
+ ldap_reqfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server);
+ command = TQString("openssl genrsa -out %1 %2").arg(ldap_keyfile).arg(KEY_STRENGTH);
+ system(command);
+ chmod(ldap_keyfile.ascii(), S_IRUSR|S_IWUSR);
+ chown(ldap_keyfile.ascii(), ldap_uid, ldap_gid);
+
+ command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmconfig.admin_server).arg(certinfo.emailAddress);
+ system(command);
+ command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile);
+ system(command);
+ chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ chown(ldap_certfile.ascii(), ldap_uid, ldap_gid);
+ unlink(ldap_reqfile.ascii());
+
+ return 0;
+}
+
+int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) {
int ldifSchemaNumber;
ProcessingDialog pdialog(dialogparent);
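Review bot: Every `openssl` invocation in createRealmCertificates is assembled with TQString::arg and passed to `system()`, and the `-subj` fields come straight from certinfo (countryName through emailAddress), so a `"` or `$(…)` in any of those values escapes the quoted subject and runs as root; the wizard may constrain them, but nothing here does. The `system()` return values are never checked and the function always returns 0, so the caller's `!= 0` branch can never fire and a failed genrsa leaves a missing or empty key that is then chmod'ed and chained into the next step. Keys are also created under the inherited umask and only tightened by the later `chmod`, so there is a window in which they may be readable; set umask 077 before running openssl. Neither `req -x509` nor `x509 -req` is given `-days`, so the CA and both leaf certificates get OpenSSL's default validity (30 days in the OpenSSL versions I know of) — pass an explicit `-days`. An argv-based runner covers the first three points:
```cpp
// Run `openssl` with an explicit argument vector: subject fields never reach a
// shell, the exit status is checked, and key files are created under umask 077.
static int runOpenSSL(const TQStringList& args) {
	pid_t pid = fork();
	if (pid < 0) {
		return -1;
	}
	if (pid == 0) {
		const char** argv = new const char*[args.count() + 2];
		uint i = 0;
		argv[i++] = "openssl";
		for (TQStringList::ConstIterator it = args.begin(); it != args.end(); ++it) {
			argv[i++] = strdup((*it).local8Bit());
		}
		argv[i] = NULL;
		umask(S_IRWXG|S_IRWXO);
		execvp("openssl", (char* const*)argv);
		_exit(127);
	}
	int status = 0;
	if (waitpid(pid, &status, 0) < 0) {
		return -1;
	}
	return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmConfig realmconfig, uid_t ldap_uid, gid_t ldap_gid) {
	// Subject is passed as a single argv element, so it needs no shell quoting
	TQString subject = TQString("/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);

	// Certificate authority key and self-signed certificate; every step fails the whole function
	if (runOpenSSL(TQStringList() << "genrsa" << "-out" << KERBEROS_PKI_PEMKEY_FILE << TQString::number(KEY_STRENGTH)) != 0) {
		return -1;
	}
	chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
	chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
	if (runOpenSSL(TQStringList() << "req" << "-key" << KERBEROS_PKI_PEMKEY_FILE << "-new" << "-x509" << "-days" << "3650" << "-out" << KERBEROS_PKI_PEM_FILE << "-subj" << subject) != 0) {
		return -1;
	}
	// … unchanged: chmod/chown of the CA certificate …

	// … unchanged: @@@KDCSERVER@@@ substitution, KDC genrsa and req (same runOpenSSL pattern) …
	if (runOpenSSL(TQStringList() << "x509" << "-req" << "-in" << kdc_reqfile << "-CAkey" << KERBEROS_PKI_PEMKEY_FILE << "-CA" << KERBEROS_PKI_PEM_FILE << "-days" << "365" << "-out" << kdc_certfile << "-extfile" << OPENSSL_EXTENSIONS_FILE << "-extensions" << "kdc_cert" << "-CAcreateserial") != 0) {
		return -1;
	}
	// … unchanged: KDC chmod/chown/unlink, LDAP key/request/certificate steps with the same checks, return 0 …
}
```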
@@ -747,19 +863,17 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
mkdir(TQString(destDir + "ldap/slapd.d/cn=config").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
mkdir(TQString(destDir + "ldap/slapd.d/cn=config/cn=schema").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
+ mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+ mkdir(KERBEROS_PKI_ANCHORDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+ mkdir(KERBEROS_PKI_PRIVATEDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+ mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+
// Heimdal
replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", HEIMDAL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", HEIMDAL_ACL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
-// RAJA DEBUG
-// if (system("kstash --random-key") != 0) {
-// if (errstr) *errstr = i18n("Unable to create Kerberos foundational key");
-// pdialog.closeDialog();
-// return -1;
-// }
-
// OpenLDAP
replacePlaceholdersInFile(templateDir + "openldap/skel.ldif", configTempDir.name() + "skel.ldif", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
// replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.conf", destDir + "ldap/slapd.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
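Review bot: KERBEROS_PKI_PRIVATEDIR is created 0755 at the third added `mkdir`, so any local user can list the private-key directory; because the LDAP key placed in it is later chowned to the slapd user, the directory must stay traversable by that user, which `mkdir(KERBEROS_PKI_PRIVATEDIR, S_IRWXU|S_IXGRP|S_IXOTH);` (0711) gives without making it listable. The `mkdir` return values are unchecked, so on a re-run the directories already exist, EEXIST is ignored and whatever mode they currently carry is kept; follow each `mkdir` with a `chmod` to the intended mode (or check for EEXIST and chmod then). createNewLDAPRealm continues outside this hunk.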
@@ -769,6 +883,9 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
replacePlaceholdersInFile(templateDir + "sasl/saslauthd.defaults", SASL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+ // OpenSSL
+ replacePlaceholdersInFile(templateDir + "openssl/pki_extensions", OPENSSL_EXTENSIONS_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+
// FIXME
// This assumes Debian!
// Grant LDAP access to SASL mux pipe
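Review bot: The pki_extensions file is rendered here with the same adminPassword/rootPassword arguments as every other template, but it is only removed on the generate path (createRealmCertificates unlinks OPENSSL_EXTENSIONS_FILE); when certinfo.generate_certs is false it is still written and left behind under TDE_CERTIFICATE_DIR, which is created world-readable. Either move this call into the generate branch, or add `unlink(OPENSSL_EXTENSIONS_FILE);` to the copy branch as well. Whether the template actually expands a password placeholder is not visible here; if it does not, the leftover is only clutter, but the file's mode is still whatever replacePlaceholdersInFile produces. createNewLDAPRealm continues outside this hunk.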
@@ -839,7 +956,62 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
chmod(TQString(LDAP_DEFAULT_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
chmod(TQString(SASL_DEFAULT_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
- chmod(TQString(SASL_CONTROL_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
+ chmod(TQString(SASL_CONTROL_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+
+ pdialog.setStatusMessage(i18n("Installing realm certificates..."));
+ tqApp->processEvents();
+
+ if (certinfo.generate_certs) {
+ // Generate certificates
+ if (createRealmCertificates(certinfo, realmconfig, slapd_uid, slapd_gid) != 0) {
+ if (errstr) *errstr = i18n("Unable to install realm certificates");
+ pdialog.closeDialog();
+ return -1;
+ }
+ m_certconfig = certinfo;
+ }
+ else {
+ // Copy certificates
+ TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
+ TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE;
+ kdc_certfile.replace("@@@KDCSERVER@@@", realmconfig.kdc);
+ kdc_keyfile.replace("@@@KDCSERVER@@@", realmconfig.kdc);
+ TQString ldap_certfile = LDAP_CERT_FILE;
+ TQString ldap_keyfile = LDAP_CERTKEY_FILE;
+ ldap_certfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server);
+ ldap_keyfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server);
+
+ // Copy files
+ // FIXME
+ // There has GOT to be a better way to do this than system()!!!
+ TQString command;
+ command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_pem).arg(KERBEROS_PKI_PEMKEY_FILE);
+ system(command);
+ command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_pemkey).arg(KERBEROS_PKI_PEM_FILE);
+ system(command);
+ command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_crt).arg(kdc_certfile);
+ system(command);
+ command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_key).arg(kdc_keyfile);
+ system(command);
+ command = TQString("cp %1 %2").arg(certinfo.provided_ldap_crt).arg(ldap_certfile);
+ system(command);
+ command = TQString("cp %1 %2").arg(certinfo.provided_ldap_key).arg(ldap_keyfile);
+ system(command);
+
+ // Set permissions
+ chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
+ chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
+ chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ chown(KERBEROS_PKI_PEM_FILE, 0, 0);
+ chmod(kdc_keyfile.ascii(), S_IRUSR|S_IWUSR);
+ chown(kdc_keyfile.ascii(), 0, 0);
+ chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ chown(kdc_certfile.ascii(), 0, 0);
+ chmod(ldap_keyfile.ascii(), S_IRUSR|S_IWUSR);
+ chown(ldap_keyfile.ascii(), slapd_uid, slapd_gid);
+ chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ chown(ldap_certfile.ascii(), slapd_uid, slapd_gid);
+ }
pdialog.setStatusMessage(i18n("Loading initial database into LDAP..."));
tqApp->processEvents();
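Review bot: The first two `cp` commands look crossed: `certinfo.provided_kerberos_pem` is copied to KERBEROS_PKI_PEMKEY_FILE and `certinfo.provided_kerberos_pemkey` to KERBEROS_PKI_PEM_FILE, while the chmod/chown that follow go by destination name, so if provided_kerberos_pemkey holds the CA private key (as its name suggests) it ends up 0644 at the certificate path and the certificate is locked to 0600 at the key path; swap the destinations to `.arg(certinfo.provided_kerberos_pem).arg(KERBEROS_PKI_PEM_FILE)` and `.arg(certinfo.provided_kerberos_pemkey).arg(KERBEROS_PKI_PEMKEY_FILE)`. The user-supplied paths are also interpolated unquoted into a `system()` command line, so a path with spaces or shell metacharacters breaks the copy or injects a command as root, and no `cp` result is checked; a plain TQFile read/write copy (or at least `if (system(command) != 0)` → error return) avoids both. Separately, the chmod of SASL_CONTROL_FILE now adds S_IROTH; that file is rendered from a template that is handed the admin and root passwords, so it should stay group-readable only unless the template is known not to expand them. createNewLDAPRealm continues outside this hunk.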
@@ -920,6 +1092,20 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
pdialog.closeDialog();
return -1;
}
+
+ // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+ TQFile cafile(KERBEROS_PKI_PEM_FILE);
+ if (cafile.open(IO_ReadOnly)) {
+ TQByteArray cafiledata = cafile.readAll();
+ if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", &errorstring) != 0) {
+ delete ldap_mgr;
+ delete credentials;
+ if (errstr) *errstr = errorstring;
+ pdialog.closeDialog();
+ return -1;
+ }
+ }
+
delete ldap_mgr;
delete credentials;
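Review bot: A CA file that cannot be opened is silently skipped at the `if (cafile.open(IO_ReadOnly))` check, so the realm is created without its root certificate being published and no error reaches the caller. Treat it like the write failure inside the block: add an `else` branch that sets `*errstr = i18n("Unable to read realm CA certificate")`, performs the same `delete ldap_mgr; delete credentials; pdialog.closeDialog();` cleanup and returns -1. createNewLDAPRealm continues outside this hunk.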