author | Timothy Pearson <[email protected]> | 2012-06-04 02:43:34 -0500 |
---|---|---|
committer | Timothy Pearson <[email protected]> | 2012-06-04 02:43:34 -0500 |
commit | ffa65c885b78a8d783f9e8cd51cf7c0b751207f9 (patch) | |
tree | 5265da262e38753ddad75c7b9a98fb9119dd9215 /src | |
parent | c39d52d4c9425c45394105bebdd6f2fac29569ee (diff) | |
download | kcmldapcontroller-ffa65c885b78a8d783f9e8cd51cf7c0b751207f9.tar.gz kcmldapcontroller-ffa65c885b78a8d783f9e8cd51cf7c0b751207f9.zip |
New realm now functions almost fully
Diffstat (limited to 'src')
-rw-r--r-- | src/ldapcontroller.cpp | 402 | ||||
-rw-r--r-- | src/ldapcontroller.h | 8 | ||||
-rw-r--r-- | src/realmwizard.cpp | 3 |
3 files changed, 399 insertions, 14 deletions
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index 3f553be..3d679a0 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -21,6 +21,7 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netdb.h>
+#include <pwd.h>
 #include <tqlayout.h>
@@ -54,6 +55,15 @@
 // FIXME
 // Connect this to CMake/Automake
 #define KDE_CONFDIR "/etc/trinity"
+#define LDAP_KEYTAB_FILE "/etc/ldap/ldap.keytab"
+
+// FIXME
+// This assumes Debian!
+// RedHat would be "/etc/sysconfig/ldap"
+#define LDAP_DEFAULT_FILE "/etc/default/slapd"
+#define HEIMDAL_DEFAULT_FILE "/etc/default/heimdal-kdc"
+#define SASL_DEFAULT_FILE "/etc/default/saslauthd"
+#define SASL_CONTROL_FILE "/etc/ldap/sasl2/slapd.conf"
 #define ROLE_WORKSTATION 0
 #define ROLE_REALM_CONTROLLER 1
@@ -93,6 +103,11 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
 m_fqdn = getMachineFQDN();
+ // FIXME
+ // This assumes Debian!
+ m_ldapUserName = "openldap";
+ m_ldapGroupName = "openldap";
+
 load();
 if (getuid() != 0 || !m_systemconfig->checkConfigFilesWritable( true )) {
@@ -230,7 +245,7 @@ void LDAPController::save() {
 load();
 }
-void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, int ldifSchemaNumber=-1, uid_t userid=-1, gid_t groupid=-1) {
+void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, int ldifSchemaNumber=-1, uid_t userid=-1, gid_t groupid=-1, TQString ldapusername=TQString::null, TQString ldapgroupname=TQString::null) {
 SHA1 sha;
 sha.process(rootPassword, strlen(rootPassword));
 TQString rootpw_hash = sha.base64Hash();
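Review bot: The replacePlaceholdersInFile signature now carries 14 positional parameters with five trailing defaults, and the new call site in this commit has to spell out `-1, -1, -1` for ldifSchemaNumber, userid and groupid just to reach `ldapusername`; a small parameter struct (or carrying the LDAP user/group inside LDAPRealmConfig) would make those calls readable. Note that `uid_t userid=-1` and `gid_t groupid=-1` are unsigned types on glibc, so the `-1` sentinel becomes the maximum value and any `> 0` style check downstream will not recognise it as "unset". The function body continues outside the hunk.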
@@ -280,6 +295,9 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
 line.replace("@@@REALM_SIMPLE_CP_NAME@@@", simpledcnamecap);
 line.replace("@@@REALM_SIMPLE_LC_NAME@@@", simpledcname.lower());
 line.replace("@@@TIMESTAMP@@@", timestamp);
+ line.replace("@@@LDAP_KEYTAB_FILE@@@", LDAP_KEYTAB_FILE);
+ line.replace("@@@LDAP_USER_NAME@@@", ldapusername);
+ line.replace("@@@LDAP_GROUP_NAME@@@", ldapgroupname);
 if (ldifSchemaNumber >= 0) {
 line.replace("@@@LDIFSCHEMANUMBER@@@", TQString("%1").arg(ldifSchemaNumber));
 }
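Review bot: The new `line.replace` calls for `@@@LDAP_USER_NAME@@@` and `@@@LDAP_GROUP_NAME@@@` run unconditionally, so a template that uses those placeholders but is expanded by a caller that left `ldapusername`/`ldapgroupname` at their `TQString::null` default silently gets an empty value written into a system config file instead of a visible error. The `@@@LDIFSCHEMANUMBER@@@` replacement two lines down is guarded by `ldifSchemaNumber >= 0`; the same shape fits here: `if (!ldapusername.isNull()) line.replace("@@@LDAP_USER_NAME@@@", ldapusername);` and likewise for the group name. The enclosing function starts and ends outside the hunk.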
@@ -294,18 +312,38 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
 }
 }
 else {
- KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(infile), i18n("Internal Failure"));
+ //KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(outfile), i18n("Internal Failure"));
+ printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n\r", outfile.ascii()); fflush(stdout);
 }
 }
 else {
- KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
+ //KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
+ printf("[INTERNAL FAILURE] Unable to open template schema file %s\n\r", infile.ascii()); fflush(stdout);
 }
 // Keep UI responsive
 tqApp->processEvents();
 }
-int LDAPController::controlHeimdalServer(sc_command command) {
+int LDAPController::controlSASLServer(sc_command command) {
+ if (command == SC_START) {
+ // FIXME
+ // This assumes Debian!
+ return system("/etc/init.d/saslauthd start");
+ }
+ if (command == SC_STOP) {
+ // FIXME
+ // This assumes Debian!
+ return system("/etc/init.d/saslauthd stop");
+ }
+ if (command == SC_RESTART) {
+ // FIXME
+ // This assumes Debian!
+ return system("/etc/init.d/saslauthd restart");
+ }
+}
+
+int LDAPController::controlHeimdalServer(sc_command command, uid_t userid, gid_t groupid) {
 if (command == SC_START) {
 // FIXME
 // This assumes Debian!
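Review bot: controlSASLServer has no `return` after its three `if` blocks, so calling it with SC_PURGE or SC_SETDBPERMS (both accepted by the sibling controlLDAPServer, which ends in `return -2;`) runs off the end of a non-void function and the callers' `!= 0` checks read an indeterminate value; add `return -2;` before the closing brace to match controlLDAPServer. The same hunk downgrades two replacePlaceholdersInFile failures from a KMessageBox to a `printf` on stdout: a failure to write a system config file then goes unnoticed when the module is run from a GUI session, so the caller should at least get a status back, and `"\n\r"` is the wrong order for a line terminator anyway. replacePlaceholdersInFile starts outside the hunk, and controlHeimdalServer continues past it.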
@@ -321,6 +359,22 @@ int LDAPController::controlHeimdalServer(sc_command command) {
 // This assumes Debian!
 return system("/etc/init.d/heimdal-kdc restart");
 }
+ if (command == SC_PURGE) {
+ controlHeimdalServer(SC_STOP);
+ system("rm -f " + TQString(LDAP_KEYTAB_FILE));
+ // FIXME
+ // This assumes Debian
+ system("rm -f /etc/krb5.keytab");
+ system("rm -rf /var/lib/heimdal-kdc/*");
+ }
+ if (command == SC_SETDBPERMS) {
+ if ((userid > 0) && (groupid > 0)) {
+ TQString command;
+ command = TQString("chgrp %1 " + TQString(LDAP_KEYTAB_FILE)).arg(groupid);
+ system(command.ascii());
+ chmod(LDAP_KEYTAB_FILE, S_IRUSR|S_IWUSR|S_IRGRP);
+ }
+ }
 }
 int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t groupid) {
@@ -344,7 +398,7 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
 // FIXME
 // This assumes Debian!
 system("rm -rf /var/lib/ldap/*");
- system("rm -rf /etc/ldap/slapd.d/cn=config/cn=schema/*");
+ system("rm -rf /etc/ldap/slapd.d/*");
 }
 if (command == SC_SETDBPERMS) {
 if ((userid > 0) && (groupid > 0)) {
@@ -355,6 +409,10 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
 system(command.ascii());
 command = TQString("chgrp -R %1 /var/lib/ldap/*").arg(groupid);
 system(command.ascii());
+ command = TQString("chown -R %1 /etc/ldap/slapd.d/*").arg(userid);
+ system(command.ascii());
+ command = TQString("chgrp -R %1 /etc/ldap/slapd.d/*").arg(groupid);
+ system(command.ascii());
 }
 }
 return -2;
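Review bot: The new SC_PURGE and SC_SETDBPERMS branches of controlHeimdalServer do not return a value, so for those commands the function falls off its end (undefined behaviour for a non-void function); end it with `return -2;` like controlLDAPServer. The `(userid > 0) && (groupid > 0)` guard in SC_SETDBPERMS does not reject the `-1` defaults declared in the header, because uid_t/gid_t are unsigned on glibc and `-1` becomes the maximum value, so a default-argument call would `chgrp 4294967295` the keytab; compare against `(uid_t)-1`/`(gid_t)-1` instead. The local `TQString command` in that branch also shadows the `sc_command command` parameter, which is legal but easy to misread. The SC_PURGE branch removes `/etc/krb5.keytab`, the LDAP keytab and all of `/var/lib/heimdal-kdc/` through unchecked `system()` calls, so a partial failure is invisible to the caller.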
@@ -421,6 +479,225 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err
 return 1; // Failure
 }
+int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString *errstr) {
+ TQCString command = "kadmin";
+ QCStringList args;
+ args << TQCString("-l");
+
+ TQString hoststring = "host/"+kerberosHost;
+
+ TQString prompt;
+ PtyProcess kadminProc;
+ kadminProc.exec(command, args);
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt == "kadmin>") {
+ kadminProc.writeLine(TQCString("ext "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else if (prompt.endsWith("Principal does not exist")) {
+ kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ // Use all defaults
+ while (prompt != "kadmin>") {
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else {
+ // Extract whatever default is in the [brackets] and feed it back to kadmin
+ TQString defaultParam;
+ int leftbracket = prompt.find("[");
+ int rightbracket = prompt.find("]");
+ if ((leftbracket >= 0) && (rightbracket >= 0)) {
+ leftbracket++;
+ defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket);
+ }
+ kadminProc.writeLine(TQCString(defaultParam), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ }
+ kadminProc.writeLine(TQCString("ext "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt != "kadmin>") {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+ else if (prompt == "kadmin>") {
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+
+ // Failure
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
+ return 1; // Failure
+}
+
+int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, TQString ldapHost, TQString *errstr) {
+ TQCString command = "kadmin";
+ QCStringList args;
+ args << TQCString("-l");
+
+ TQString hoststring = ldapProcessOwnerName+"/"+ldapHost;
+
+ TQString prompt;
+ PtyProcess kadminProc;
+ kadminProc.exec(command, args);
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt == "kadmin>") {
+ kadminProc.writeLine(TQCString("ext --keytab="+TQString(LDAP_KEYTAB_FILE)+" "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else if (prompt.endsWith("Principal does not exist")) {
+ kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ // Use all defaults
+ while (prompt != "kadmin>") {
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else {
+ // Extract whatever default is in the [brackets] and feed it back to kadmin
+ TQString defaultParam;
+ int leftbracket = prompt.find("[");
+ int rightbracket = prompt.find("]");
+ if ((leftbracket >= 0) && (rightbracket >= 0)) {
+ leftbracket++;
+ defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket);
+ }
+ kadminProc.writeLine(TQCString(defaultParam), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ }
+ kadminProc.writeLine(TQCString("ext --keytab="+TQString(LDAP_KEYTAB_FILE)+" "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt != "kadmin>") {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+ else if (prompt == "kadmin>") {
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+
+ // Failure
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
+ return 1; // Failure
+}
+
+int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr) {
+ if (user.password == "") {
+ return 0;
+ }
+
+ TQCString command = "kadmin";
+ QCStringList args;
+ args << TQCString("-l") << TQCString("-r") << TQCString(user.realm.upper());
+
+ TQString prompt;
+ PtyProcess kadminProc;
+ kadminProc.exec(command, args);
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt == "kadmin>") {
+ kadminProc.writeLine(TQCString("passwd "+user.username), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else if ((prompt.endsWith(" Password:")) && (prompt.startsWith(TQString(user.username + "@")))) {
+ kadminProc.writeLine(user.password, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if ((prompt.endsWith(" Password:")) && (prompt.startsWith("Verify"))) {
+ kadminProc.writeLine(user.password, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ if (prompt != "kadmin>") {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+ else if (prompt == "kadmin>") {
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+
+ // Failure
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
+ return 1; // Failure
+}
+
 int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr) {
 int ldifSchemaNumber;
@@ -449,6 +726,12 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
 pdialog.setStatusMessage(i18n("Stopping servers..."));
+ // Stop SASL
+ if (controlSASLServer(SC_STOP) != 0) {
+ if (errstr) *errstr = i18n("Unable to stop SASL server");
+ pdialog.closeDialog();
+ return -1;
+ }
 // Stop Heimdal
 if (controlHeimdalServer(SC_STOP) != 0) {
 if (errstr) *errstr = i18n("Unable to stop Kerberos server");
@@ -464,6 +747,7 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
 pdialog.setStatusMessage(i18n("Purging existing LDAP database..."));
 tqApp->processEvents();
+ controlHeimdalServer(SC_PURGE);
 controlLDAPServer(SC_PURGE);
 pdialog.setStatusMessage(i18n("Installing new LDAP schema..."));
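Review bot: setKerberosPasswordForUser returns 0 when `user.password` is empty, so the caller in createNewLDAPRealm reports success even though the admin principal was never given a password; unless an empty admin password is a supported case it should fail explicitly, e.g. `if (errstr) *errstr = "Empty password"; return 1;`. None of the three new functions checks the result of `kadminProc.exec(command, args)`, and each builds its kadmin command line by concatenation (`"ext "+hoststring`, `"ank --random-key "+hoststring`, `"passwd "+user.username`), so a host name or user name containing whitespace or a newline would be read by kadmin as extra arguments or a second command — worth rejecting before the exec since these values come from the wizard rather than from code. addHostEntryToKerberosRealm and addLDAPEntryToKerberosRealm are identical apart from the principal prefix and the `--keytab=` argument; one helper taking the principal and an optional keytab path would halve the prompt-driving code that must be kept in sync. createNewLDAPRealm continues past the end of the hunk.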
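Review bot: The new `controlHeimdalServer(SC_PURGE);` call removes `/etc/krb5.keytab`, the LDAP keytab and everything under `/var/lib/heimdal-kdc/` via `rm -rf`, and its result is discarded, so a partially failed purge proceeds straight into installing the new realm on top of stale KDC state; once SC_PURGE reports a status (it currently returns none) check it the way the SC_STOP calls above are checked. Because this destroys any existing realm on the host, it also deserves an explicit confirmation in the wizard before createNewLDAPRealm is entered — whether one exists is not visible from this hunk. createNewLDAPRealm starts and ends outside the hunk.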
@@ -475,24 +759,60 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
 mkdir(TQString(destDir + "ldap/slapd.d/cn=config").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
 mkdir(TQString(destDir + "ldap/slapd.d/cn=config/cn=schema").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
- replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", destDir + "heimdal.defaults", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+ // Heimdal
+ replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", HEIMDAL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
 replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", destDir + "heimdal-kdc/kadmind.acl", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
 replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
 replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+// RAJA DEBUG
+// if (system("kstash --random-key") != 0) {
+// if (errstr) *errstr = i18n("Unable to create Kerberos foundational key");
+// pdialog.closeDialog();
+// return -1;
+// }
+
+ // OpenLDAP
 replacePlaceholdersInFile(templateDir + "openldap/skel.ldif", configTempDir.name() + "skel.ldif", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
 // replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.conf", destDir + "ldap/slapd.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
- replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.defaults", destDir + "ldap/slapd.defaults", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+ replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.defaults", LDAP_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, -1, -1, m_ldapUserName, m_ldapGroupName);
+
+ // SASL
+ replacePlaceholdersInFile(templateDir + "sasl/saslauthd.defaults", SASL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+ replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+
+ // FIXME
+ // This assumes Debian!
+ // Grant LDAP access to SASL mux pipe
+ system("dpkg-statoverride --remove --quiet /var/run/saslauthd");
+ system(TQString("dpkg-statoverride --add root %1 710 /var/run/saslauthd").arg(m_ldapGroupName).ascii());
+
+ // FIXME
+ // This assumes Debian!
+ system("ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl");
+ system("ln -s /etc/heimdal-kdc/kdc.conf /var/lib/heimdal-kdc/kdc.conf");
 struct stat sb;
 uid_t slapd_uid = 0;
 gid_t slapd_gid = 0;
- if (stat(destDir + "ldap/slapd.d/cn=config/cn=schema", &sb) == 0) {
- slapd_uid = sb.st_uid;
- slapd_gid = sb.st_gid;
- }
+
+ // Get LDAP user uid/gid
+ struct passwd *pwd;
+ pwd = getpwnam(m_ldapUserName);
+ slapd_uid = pwd->pw_uid;
+ slapd_gid = pwd->pw_gid;
+
+// RAJA FIXME
+// SECURITY
+// The ldapi:/// socket in /var/run/ldap is world readable/writable
+// This means anyone with access to the server running LDAP can dump the KRB5 keys!!!!
 // Base database configuration
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/config.ldif", destDir + "ldap/slapd.d/" + TQString("cn=config.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid);
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/schema.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("cn=schema.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid);
+ ldifSchemaNumber = 0;
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/olcConfig.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}config.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/moduleConfig.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("cn=module{%1}.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 ldifSchemaNumber = 1;
 replacePlaceholdersInFile(templateDir + "openldap/ldif/olcDatabase.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
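Review bot: `pwd = getpwnam(m_ldapUserName);` is dereferenced on the next two lines without a NULL check, so on a host where the hard-coded `openldap` account does not exist (slapd not installed, or the non-Debian layouts the FIXMEs already mention) this root-run module segfaults instead of reporting an error; add `if (!pwd) { if (errstr) *errstr = i18n("Unable to look up LDAP user %1").arg(m_ldapUserName); pdialog.closeDialog(); return -1; }` right after the lookup. With the stat()-based code removed, `struct stat sb;` is now an unused local. replacePlaceholdersInFile is now pointed straight at `/etc/default/slapd`, `/etc/default/heimdal-kdc`, `/etc/default/saslauthd` and `/etc/ldap/sasl2/slapd.conf` while still being handed `adminPassword` and `rootPassword`; the hunk does not show whether any of those templates expand a password placeholder or what mode the output file gets, but `/etc/default/*` is conventionally world-readable, so that should be confirmed before this ships (the author's own SECURITY note about the ldapi socket sits in the same block and is likewise unaddressed here). createNewLDAPRealm starts and ends outside the hunk.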
@@ -565,11 +885,31 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
 TQString errorstring;
 if (initializeNewKerberosRealm(realmconfig.name.upper(), &errorstring) != 0) {
- if (errstr) *errstr = i18n("Unable to initialize Kerberos database<p>").append(errorstring);
+ if (errstr) *errstr = i18n("Unable to initialize Kerberos database").append(errorstring);
 pdialog.closeDialog();
 return -1;
 }
+ if (addHostEntryToKerberosRealm(realmconfig.kdc, &errorstring) != 0) {
+ if (errstr) *errstr = i18n("Unable to add KDC server entry to Kerberos database").arg(m_ldapUserName).append(errorstring);
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ if (addLDAPEntryToKerberosRealm(m_ldapUserName, realmconfig.admin_server, &errorstring) != 0) {
+ if (errstr) *errstr = i18n("Unable to add %1 entry to Kerberos database").arg(m_ldapUserName).append(errorstring);
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ if (addLDAPEntryToKerberosRealm("ldap", realmconfig.admin_server, &errorstring) != 0) {
+ if (errstr) *errstr = i18n("Unable to add LDAP entry to Kerberos database").append(errorstring);
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ controlHeimdalServer(SC_SETDBPERMS, slapd_uid, slapd_gid);
+
 // Move all those new Heimdal entries to the correct tree/branch
 TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower());
 TQString basedcname = "dc=" + domainChunks.join(",dc=");
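Review bot: The KDC-entry error message calls `.arg(m_ldapUserName)` on a string that has no `%1` placeholder, which reads as a leftover from the copy two blocks down; TQt3 appears to only emit a runtime warning and return the string unchanged, but the call should go: `if (errstr) *errstr = i18n("Unable to add KDC server entry to Kerberos database").append(errorstring);`. Dropping the `<p>` from the initializeNewKerberosRealm message leaves the kadmin output in `errorstring` glued directly onto the sentence; a `": "` or newline between them keeps the dialog readable. The result of `controlHeimdalServer(SC_SETDBPERMS, ...)` is ignored, so a failed `chgrp`/`chmod` on `/etc/ldap/ldap.keytab` is not surfaced even though slapd's GSSAPI access depends on it. createNewLDAPRealm starts and ends outside the hunk.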
@@ -588,6 +928,20 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
 delete ldap_mgr;
 delete credentials;
+ // Set @@@ADMINUSER@@@ password in kadmin
+ LDAPCredentials adminuser;
+ adminuser.username = adminUserName;
+ adminuser.password = adminPassword;
+ adminuser.realm = realmconfig.name.upper();
+ if (setKerberosPasswordForUser(adminuser, &errorstring) != 0) {
+ if (errstr) *errstr = i18n("Unable to set user password in Kerberos database").append(errorstring);
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ pdialog.setStatusMessage(i18n("Configuring local system..."));
+ tqApp->processEvents();
+
 // Write the TDE realm configuration file
 LDAPRealmConfigList realms;
 realms.insert(realmconfig.name, realmconfig);
@@ -595,9 +949,31 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
 m_systemconfig->writeEntry("DefaultRealm", realmconfig.name);
 m_systemconfig->sync();
- pdialog.setStatusMessage(i18n("Configuring local system..."));
 LDAPManager::writeLDAPConfFile(realmconfig);
+ pdialog.setStatusMessage(i18n("(Re)starting servers..."));
+ tqApp->processEvents();
+
+ // Restart slapd
+ if (controlLDAPServer(SC_RESTART) != 0) {
+ if (errstr) *errstr = i18n("Unable to restart LDAP server");
+ pdialog.closeDialog();
+ return -1;
+ }
+ // Restart Heimdal
+ if (controlHeimdalServer(SC_RESTART) != 0) {
+ if (errstr) *errstr = i18n("Unable to restart Kerberos server");
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ // Start SASL
+ if (controlSASLServer(SC_START) != 0) {
+ if (errstr) *errstr = i18n("Unable to start SASL server");
+ pdialog.closeDialog();
+ return -1;
+ }
+
 // RAJA FIXME
 pdialog.closeDialog();
 }
diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h
index d831c72..1fad5f8 100644
--- a/src/ldapcontroller.h
+++ b/src/ldapcontroller.h
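Review bot: `m_systemconfig->sync()` and `LDAPManager::writeLDAPConfFile(realmconfig)` run before the three new restart checks, so if slapd, the KDC or saslauthd fails to come back up the function returns -1 with the new realm already recorded as `DefaultRealm` and written into the local LDAP client configuration, and no rollback is visible in the hunk. Either move the "(Re)starting servers..." block ahead of the configuration writes, or restore the previous realm configuration on those failure paths. Each check only tests the init script's exit status, so a daemon that starts and then dies on its new configuration is still reported as success. createNewLDAPRealm starts outside the hunk.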
@@ -69,9 +69,13 @@ class LDAPController: public KCModule
 void processLockouts();
 private:
- int controlHeimdalServer(sc_command command);
+ int controlSASLServer(sc_command command);
+ int controlHeimdalServer(sc_command command, uid_t userid=-1, gid_t groupid=-1);
 int controlLDAPServer(sc_command command, uid_t userid=-1, gid_t groupid=-1);
 int initializeNewKerberosRealm(TQString realmName, TQString *errstr);
+ int addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, TQString ldapHost, TQString *errstr);
+ int addHostEntryToKerberosRealm(TQString kerberosHost, TQString *errstr);
+ int setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr);
 private:
 KAboutData *myAboutData;
@@ -81,6 +85,8 @@ class LDAPController: public KCModule
 TQString m_fqdn;
 int m_prevRole;
+ TQString m_ldapUserName;
+ TQString m_ldapGroupName;
 };
 #endif // _LDAPCONTROLLER_H_
diff --git a/src/realmwizard.cpp b/src/realmwizard.cpp
index 184fb57..a0f4ced 100644
--- a/src/realmwizard.cpp
+++ b/src/realmwizard.cpp
@@ -94,6 +94,9 @@ RealmWizard::RealmWizard(LDAPController* controller, TQString fqdn, TQWidget *pa
 // Other setup
 finishpage->ldapAdminRealm->setEnabled(false);
+ // Kerberos won't work unless the DNS suffix matches the realm name
+ realmpage->txtRealmName->setEnabled(false);
+
 setFinishEnabled(TQWizard::page(2), true);
 setPosition(); |