Diffstat (limited to 'src/ldapcontroller.cpp')
-rw-r--r-- | src/ldapcontroller.cpp | 117 |
1 files changed, 79 insertions, 38 deletions
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index cf85638..3a79467 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -45,6 +45,7 @@
 #include <kprocess.h>
 #include <tdesu/process.h>
 #include <libtdeldap.h>
+#include <kfiledialog.h>
 #include "sha1.h"
@@ -67,15 +68,6 @@
 #define SASL_CONTROL_FILE "/etc/ldap/sasl2/slapd.conf"
 #define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl"
-#define KERBEROS_PKI_PEM_FILE KERBEROS_PKI_ANCHORDIR "tdeca.pem"
-#define KERBEROS_PKI_PEMKEY_FILE KERBEROS_PKI_ANCHORDIR "tdeca.key.pem"
-#define KERBEROS_PKI_KDC_FILE KERBEROS_PKI_PUBLICDIR "@@@KDCSERVER@@@.pki.crt"
-#define KERBEROS_PKI_KDCKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.key"
-#define KERBEROS_PKI_KDCREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.req"
-
-#define LDAP_CERT_FILE KERBEROS_PKI_PUBLICDIR "@@@ADMINSERVER@@@.ldap.crt"
-#define LDAP_CERTKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.key"
-#define LDAP_CERTREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.req"
 #define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions"
@@ -121,6 +113,9 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
 connect(m_base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
 connect(m_base->systemRole, TQT_SIGNAL(activated(const TQString&)), this, TQT_SLOT(systemRoleChanged()));
+ connect(m_base->caRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaRegenerate()));
+ connect(m_base->caExport, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExport())); + m_fqdn = LDAPManager::getMachineFQDN(); // FIXME
@@ -170,6 +165,10 @@ void LDAPController::systemRoleChanged() {
 m_base->systemRole->setCurrentItem(ROLE_WORKSTATION);
 save();
 }
+ else {
+ // Wizard completed; commit changes
+ save();
+ }
 // Something probably changed
 load(); 
@@ -221,6 +220,55 @@ void LDAPController::load() {
 m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress");
 m_systemconfig->setGroup(NULL);
+
+ if (m_base->systemRole->currentItem() == ROLE_REALM_CONTROLLER) {
+ m_base->groupRealmController->show();
+ m_base->groupRealmCertificates->show();
+
+ m_base->realmName->setText(m_systemconfig->readEntry("DefaultRealm"));
+ m_base->caExpiryString->setText("Expires " + LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE).toString());
+ // RAJA FIXME
+ }
+ else {
+ m_base->groupRealmController->hide();
+ m_base->groupRealmCertificates->hide();
+ }
+
+ processLockouts();
+}
+
+void LDAPController::btncaRegenerate() {
+ LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+
+ TQString realmname = m_systemconfig->readEntry("DefaultRealm").upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "";
+ credentials->password = "";
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+
+ // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+ TQString errorstring;
+ if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
+ KMessageBox::error(0, i18n("<qt>Unable to upload new certificate to LDAP server!<p>%1</qt>").arg(errorstring), i18n("Internal Failure"));
+ }
+
+ load();
+}
+
+void LDAPController::btncaExport() {
+ KURL src = KERBEROS_PKI_PEM_FILE;
+ KURL dest = KFileDialog::getSaveURL(TQString::null, "*.pem|PKI Certificate Files (*.pem)", this, i18n("Select a location to save a copy of the certificate..."));
+ if (!dest.isEmpty()) {
+ KIO::CopyJob* job = KIO::copy(src, dest, true);
+ connect(job, TQT_SIGNAL(result(KIO::Job*)), this, TQT_SLOT(slotCertCopyResult(KIO::Job*)));
+ }
+}
+
+void LDAPController::slotCertCopyResult(KIO::Job* job) {
+ if (job->error()) {
+ job->showErrorDialog(this);
+ }
 }
 void LDAPController::defaults() { 
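Review bot: btncaRegenerate allocates `credentials` and `ldap_mgr` with `new` and never releases them on either the success or the error path, whereas the createNewLDAPRealm hunk further down deletes both before returning; add `delete ldap_mgr;` and `delete credentials;` before the final `load();` (and in the error branch if it ever returns early). The return value of `LDAPManager::generatePublicKerberosCACertificate(m_certconfig)` is also discarded, so if the helper reports a failure the code still uploads whatever is currently on disk as the new CA; the same unchecked call appears in the createRealmCertificates hunk. Re-issuing the realm CA certificate from a single button click affects every host and service that trusts the previous certificate, so a confirmation prompt (e.g. `KMessageBox::warningYesNo`) before the regeneration seems warranted; I am inferring the impact from the name, since the helper's body is not in this diff.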
@@ -246,19 +294,6 @@ void LDAPController::save() {
 m_systemconfig->sync();
- if (m_base->systemEnableSupport->isChecked()) {
-// // Write the Kerberos5 configuration file
-// writeKrb5ConfFile();
-// // Write the LDAP configuration file
-// writeLDAPConfFile();
-// // Write the NSSwitch configuration file
-// writeNSSwitchFile();
-// // Write the PAM configuration files
-// writePAMFiles();
-// // Write the cron files
-// writeCronFiles();
- } - load(); }
@@ -747,10 +782,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
 chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
 chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
- command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
- system(command);
- chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- chown(KERBEROS_PKI_PEM_FILE, 0, 0);
+ LDAPManager::generatePublicKerberosCACertificate(certinfo);
 // KDC certificate
 TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; 
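Review bot: In the createRealmCertificates hunk the `chmod`/`chown` that used to follow the openssl call for KERBEROS_PKI_PEM_FILE are removed along with the command, so unless `generatePublicKerberosCACertificate` sets mode and ownership itself the CA certificate is now left with whatever the process umask produces; a one-line comment at the call site stating that the helper owns file permissions would make that contract explicit, e.g. `// generatePublicKerberosCACertificate() writes KERBEROS_PKI_PEM_FILE and sets its mode/ownership`. The removed code also interpolated the user-supplied subject fields straight into a `system()` command string, and this diff does not show whether the helper still builds the command that way or passes the fields as separate arguments; please confirm the subject fields are either passed as argv or quoted before the shell sees them. createRealmCertificates begins and ends outside this hunk.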
@@ -796,6 +828,19 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
 return 0;
 }
+int LDAPController::uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr) {
+ // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+ TQFile cafile(KERBEROS_PKI_PEM_FILE);
+ if (cafile.open(IO_ReadOnly)) {
+ TQByteArray cafiledata = cafile.readAll();
+ if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", errstr) != 0) {
+ return -1;
+ }
+ return 0;
+ }
+ return -1;
+}
+
 int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) {
 int ldifSchemaNumber;
@@ -1078,8 +1123,8 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
 TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower());
 TQString basedcname = "dc=" + domainChunks.join(",dc=");
 LDAPCredentials* credentials = new LDAPCredentials;
- credentials->username = "cn="+rootUserName+","+basedcname;
- credentials->password = rootPassword;
+ credentials->username = "";
+ credentials->password = "";
 credentials->realm = realmconfig.name.upper();
 LDAPManager* ldap_mgr = new LDAPManager(realmconfig.name.upper(), "ldapi://", credentials);
 if (ldap_mgr->moveKerberosEntries("o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm," + basedcname, &errorstring) != 0) { 
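Review bot: uploadKerberosCAFileToLDAP returns -1 without touching `*errstr` when `cafile.open(IO_ReadOnly)` fails, so the btncaRegenerate caller's "Unable to upload new certificate" dialog is shown with an empty `%1` and the user cannot tell a missing or unreadable CA file from a directory write failure. Before the trailing `return -1;` set the message, e.g. `if (errstr) *errstr = i18n("Unable to read %1").arg(KERBEROS_PKI_PEM_FILE);`, which also keeps the null-`errstr` convention the callers rely on. The function's header comment could state that it reports failure via a non-zero return and, when `errstr` is non-null, a human-readable reason.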
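Review bot: The replacement of the root DN and password with `credentials->username = "";` and `credentials->password = "";` in createNewLDAPRealm means the `ldapi://` bind now carries no credentials at all, and nothing at the call site records what the server is expected to authenticate instead; presumably the local peer identity is mapped on the server side, but that is an inference, since the mapping configuration is not in this diff. Please add a comment above the assignments stating the intended mechanism, e.g. `// Empty credentials: the ldapi:// bind relies on the server mapping the local peer's identity, not on a password`, so a later reader does not mistake this for an anonymous bind that happens to work. With this change `rootUserName` and `rootPassword` are no longer used in this hunk although they remain in the signature visible above; if they are unused elsewhere in the function they should be dropped or documented as retained for API compatibility. createNewLDAPRealm continues outside this hunk.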
@@ -1091,16 +1136,12 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
 }
 // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
- TQFile cafile(KERBEROS_PKI_PEM_FILE);
- if (cafile.open(IO_ReadOnly)) {
- TQByteArray cafiledata = cafile.readAll();
- if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", &errorstring) != 0) {
- delete ldap_mgr;
- delete credentials;
- if (errstr) *errstr = errorstring;
- pdialog.closeDialog();
- return -1;
- }
+ if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
+ delete ldap_mgr;
+ delete credentials;
+ if (errstr) *errstr = errorstring;
+ pdialog.closeDialog();
+ return -1;
 }
 // Set @@@ADMINUSER@@@ password in kadmin |