Diffstat (limited to 'src')
-rw-r--r--src/ldapcontroller.cpp402
-rw-r--r--src/ldapcontroller.h8
-rw-r--r--src/realmwizard.cpp3
3 files changed, 399 insertions, 14 deletions
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index 3f553be..3d679a0 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -21,6 +21,7 @@
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
+#include <pwd.h>
#include <tqlayout.h>
@@ -54,6 +55,15 @@
// FIXME
// Connect this to CMake/Automake
#define KDE_CONFDIR "/etc/trinity"
+#define LDAP_KEYTAB_FILE "/etc/ldap/ldap.keytab"
+
+// FIXME
+// This assumes Debian!
+// RedHat would be "/etc/sysconfig/ldap"
+#define LDAP_DEFAULT_FILE "/etc/default/slapd"
+#define HEIMDAL_DEFAULT_FILE "/etc/default/heimdal-kdc"
+#define SASL_DEFAULT_FILE "/etc/default/saslauthd"
+#define SASL_CONTROL_FILE "/etc/ldap/sasl2/slapd.conf"
#define ROLE_WORKSTATION 0
#define ROLE_REALM_CONTROLLER 1
@@ -93,6 +103,11 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
m_fqdn = getMachineFQDN();
+ // FIXME
+ // This assumes Debian!
+ m_ldapUserName = "openldap";
+ m_ldapGroupName = "openldap";
+
load();
if (getuid() != 0 || !m_systemconfig->checkConfigFilesWritable( true )) {
@@ -230,7 +245,7 @@ void LDAPController::save() {
load();
}
-void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, int ldifSchemaNumber=-1, uid_t userid=-1, gid_t groupid=-1) {
+void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, int ldifSchemaNumber=-1, uid_t userid=-1, gid_t groupid=-1, TQString ldapusername=TQString::null, TQString ldapgroupname=TQString::null) {
SHA1 sha;
sha.process(rootPassword, strlen(rootPassword));
TQString rootpw_hash = sha.base64Hash();
@@ -280,6 +295,9 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
line.replace("@@@REALM_SIMPLE_CP_NAME@@@", simpledcnamecap);
line.replace("@@@REALM_SIMPLE_LC_NAME@@@", simpledcname.lower());
line.replace("@@@TIMESTAMP@@@", timestamp);
+ line.replace("@@@LDAP_KEYTAB_FILE@@@", LDAP_KEYTAB_FILE);
+ line.replace("@@@LDAP_USER_NAME@@@", ldapusername);
+ line.replace("@@@LDAP_GROUP_NAME@@@", ldapgroupname);
if (ldifSchemaNumber >= 0) {
line.replace("@@@LDIFSCHEMANUMBER@@@", TQString("%1").arg(ldifSchemaNumber));
}
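Review bot: With the new defaults `ldapusername=TQString::null` and `ldapgroupname=TQString::null` on the signature (previous hunk), the two `line.replace()` calls for `@@@LDAP_USER_NAME@@@` and `@@@LDAP_GROUP_NAME@@@` silently blank the placeholder whenever a caller does not pass the names, whereas the existing `ldifSchemaNumber >= 0` guard leaves its placeholder untouched when the value is unset. Mirroring that guard, `if (!ldapusername.isNull()) line.replace("@@@LDAP_USER_NAME@@@", ldapusername);` and the same for the group name, would leave a template that needs the name but did not receive one visibly unexpanded instead of writing an empty user or group into a service defaults file. The enclosing `replacePlaceholdersInFile` starts and ends outside this hunk.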
@@ -294,18 +312,38 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
}
}
else {
- KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(infile), i18n("Internal Failure"));
+ //KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(outfile), i18n("Internal Failure"));
+ printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n\r", outfile.ascii()); fflush(stdout);
}
}
else {
- KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
+ //KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
+ printf("[INTERNAL FAILURE] Unable to open template schema file %s\n\r", infile.ascii()); fflush(stdout);
}
// Keep UI responsive
tqApp->processEvents();
}
-int LDAPController::controlHeimdalServer(sc_command command) {
+int LDAPController::controlSASLServer(sc_command command) {
+ if (command == SC_START) {
+ // FIXME
+ // This assumes Debian!
+ return system("/etc/init.d/saslauthd start");
+ }
+ if (command == SC_STOP) {
+ // FIXME
+ // This assumes Debian!
+ return system("/etc/init.d/saslauthd stop");
+ }
+ if (command == SC_RESTART) {
+ // FIXME
+ // This assumes Debian!
+ return system("/etc/init.d/saslauthd restart");
+ }
+}
+
+int LDAPController::controlHeimdalServer(sc_command command, uid_t userid, gid_t groupid) {
if (command == SC_START) {
// FIXME
// This assumes Debian!
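Review bot: `controlSASLServer` returns a value only for `SC_START`, `SC_STOP` and `SC_RESTART`; for any other `sc_command` (the sibling functions also handle `SC_PURGE` and `SC_SETDBPERMS`) control flows off the end of a non-void function, which is undefined behaviour, and a caller testing `!= 0` reads garbage. Add `return -2;` before the closing brace, matching the convention `controlLDAPServer` already uses. The new `printf` fallbacks terminate with `"\n\r"` where `"\n"` is the conventional terminator, and because the messages now go only to stdout a user running the module from a desktop session will not see them; a one-line comment explaining why the `KMessageBox` calls were disabled would stop the next reader from re-enabling them. `controlHeimdalServer` continues past the end of this hunk.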
@@ -321,6 +359,22 @@ int LDAPController::controlHeimdalServer(sc_command command) {
// This assumes Debian!
return system("/etc/init.d/heimdal-kdc restart");
}
+ if (command == SC_PURGE) {
+ controlHeimdalServer(SC_STOP);
+ system("rm -f " + TQString(LDAP_KEYTAB_FILE));
+ // FIXME
+ // This assumes Debian
+ system("rm -f /etc/krb5.keytab");
+ system("rm -rf /var/lib/heimdal-kdc/*");
+ }
+ if (command == SC_SETDBPERMS) {
+ if ((userid > 0) && (groupid > 0)) {
+ TQString command;
+ command = TQString("chgrp %1 " + TQString(LDAP_KEYTAB_FILE)).arg(groupid);
+ system(command.ascii());
+ chmod(LDAP_KEYTAB_FILE, S_IRUSR|S_IWUSR|S_IRGRP);
+ }
+ }
}
int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t groupid) {
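Review bot: The new `SC_PURGE` and `SC_SETDBPERMS` branches in `controlHeimdalServer` fall off the end of the function without a return value (the `}` after the `SC_SETDBPERMS` block closes the function), which is undefined behaviour for a non-void function; `controlLDAPServer` ends the equivalent sequence with `return -2;`, and the same line belongs here. Inside `SC_SETDBPERMS` the local `TQString command;` shadows the `sc_command command` parameter in a function that branches on that parameter; a name such as `TQString shellcmd;` avoids the confusion. The results of the `system()` calls in both branches are discarded, so a failed purge or a `chgrp` that fails on the keytab leaves the file with its previous group while the caller proceeds as if permissions were set; returning a non-zero `system()` result would let the caller report it. The start of `controlHeimdalServer` lies before this hunk.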
@@ -344,7 +398,7 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
// FIXME
// This assumes Debian!
system("rm -rf /var/lib/ldap/*");
- system("rm -rf /etc/ldap/slapd.d/cn=config/cn=schema/*");
+ system("rm -rf /etc/ldap/slapd.d/*");
}
if (command == SC_SETDBPERMS) {
if ((userid > 0) && (groupid > 0)) {
@@ -355,6 +409,10 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
system(command.ascii());
command = TQString("chgrp -R %1 /var/lib/ldap/*").arg(groupid);
system(command.ascii());
+ command = TQString("chown -R %1 /etc/ldap/slapd.d/*").arg(userid);
+ system(command.ascii());
+ command = TQString("chgrp -R %1 /etc/ldap/slapd.d/*").arg(groupid);
+ system(command.ascii());
}
}
return -2;
@@ -421,6 +479,225 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err
return 1; // Failure
}
+int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString *errstr) {
+ TQCString command = "kadmin";
+ QCStringList args;
+ args << TQCString("-l");
+
+ TQString hoststring = "host/"+kerberosHost;
+
+ TQString prompt;
+ PtyProcess kadminProc;
+ kadminProc.exec(command, args);
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt == "kadmin>") {
+ kadminProc.writeLine(TQCString("ext "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else if (prompt.endsWith("Principal does not exist")) {
+ kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ // Use all defaults
+ while (prompt != "kadmin>") {
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else {
+ // Extract whatever default is in the [brackets] and feed it back to kadmin
+ TQString defaultParam;
+ int leftbracket = prompt.find("[");
+ int rightbracket = prompt.find("]");
+ if ((leftbracket >= 0) && (rightbracket >= 0)) {
+ leftbracket++;
+ defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket);
+ }
+ kadminProc.writeLine(TQCString(defaultParam), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ }
+ kadminProc.writeLine(TQCString("ext "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt != "kadmin>") {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+ else if (prompt == "kadmin>") {
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+
+ // Failure
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
+ return 1; // Failure
+}
+
+int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, TQString ldapHost, TQString *errstr) {
+ TQCString command = "kadmin";
+ QCStringList args;
+ args << TQCString("-l");
+
+ TQString hoststring = ldapProcessOwnerName+"/"+ldapHost;
+
+ TQString prompt;
+ PtyProcess kadminProc;
+ kadminProc.exec(command, args);
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt == "kadmin>") {
+ kadminProc.writeLine(TQCString("ext --keytab="+TQString(LDAP_KEYTAB_FILE)+" "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else if (prompt.endsWith("Principal does not exist")) {
+ kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ // Use all defaults
+ while (prompt != "kadmin>") {
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else {
+ // Extract whatever default is in the [brackets] and feed it back to kadmin
+ TQString defaultParam;
+ int leftbracket = prompt.find("[");
+ int rightbracket = prompt.find("]");
+ if ((leftbracket >= 0) && (rightbracket >= 0)) {
+ leftbracket++;
+ defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket);
+ }
+ kadminProc.writeLine(TQCString(defaultParam), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ }
+ kadminProc.writeLine(TQCString("ext --keytab="+TQString(LDAP_KEYTAB_FILE)+" "+hoststring), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt != "kadmin>") {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+ else if (prompt == "kadmin>") {
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+
+ // Failure
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
+ return 1; // Failure
+}
+
+int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr) {
+ if (user.password == "") {
+ return 0;
+ }
+
+ TQCString command = "kadmin";
+ QCStringList args;
+ args << TQCString("-l") << TQCString("-r") << TQCString(user.realm.upper());
+
+ TQString prompt;
+ PtyProcess kadminProc;
+ kadminProc.exec(command, args);
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt == "kadmin>") {
+ kadminProc.writeLine(TQCString("passwd "+user.username), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt.contains("authentication failed")) {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+ else if ((prompt.endsWith(" Password:")) && (prompt.startsWith(TQString(user.username + "@")))) {
+ kadminProc.writeLine(user.password, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if ((prompt.endsWith(" Password:")) && (prompt.startsWith("Verify"))) {
+ kadminProc.writeLine(user.password, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ if (prompt != "kadmin>") {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+ else if (prompt == "kadmin>") {
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+
+ // Failure
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
+ return 1; // Failure
+}
+
int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr) {
int ldifSchemaNumber;
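Review bot: The `while (prompt != "kadmin>")` default-answer loops in `addHostEntryToKerberosRealm` and `addLDAPEntryToKerberosRealm` have no exit when kadmin prints a line that is neither a `[default]` prompt, the `authentication failed` text, nor the `kadmin>` prompt: the code answers with an empty line and blocks in `readLine(true)` again, so a kadmin error without brackets (or kadmin exiting) is likely to leave the loop spinning or blocked instead of returning a failure. Treat a prompt without brackets as an error at both bracket checks: `if ((leftbracket < 0) || (rightbracket < 0)) { if (errstr) *errstr = prompt; kadminProc.writeLine("quit", true); return 1; }`. The two functions are otherwise line-for-line identical apart from the principal name and the `--keytab=` option; a single private helper taking the principal and an optional keytab path would remove roughly seventy duplicated lines and keep the two copies from drifting. Neither function checks the result of `kadminProc.exec(command, args)`, relying on the final "Internal error" fallback, which is worth a comment since the first `readLine(true)` on a failed exec is what the fallback depends on.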
@@ -449,6 +726,12 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
pdialog.setStatusMessage(i18n("Stopping servers..."));
+ // Stop SASL
+ if (controlSASLServer(SC_STOP) != 0) {
+ if (errstr) *errstr = i18n("Unable to stop SASL server");
+ pdialog.closeDialog();
+ return -1;
+ }
// Stop Heimdal
if (controlHeimdalServer(SC_STOP) != 0) {
if (errstr) *errstr = i18n("Unable to stop Kerberos server");
@@ -464,6 +747,7 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
pdialog.setStatusMessage(i18n("Purging existing LDAP database..."));
tqApp->processEvents();
+ controlHeimdalServer(SC_PURGE);
controlLDAPServer(SC_PURGE);
pdialog.setStatusMessage(i18n("Installing new LDAP schema..."));
@@ -475,24 +759,60 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
mkdir(TQString(destDir + "ldap/slapd.d/cn=config").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
mkdir(TQString(destDir + "ldap/slapd.d/cn=config/cn=schema").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
- replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", destDir + "heimdal.defaults", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+ // Heimdal
+ replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", HEIMDAL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", destDir + "heimdal-kdc/kadmind.acl", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+// RAJA DEBUG
+// if (system("kstash --random-key") != 0) {
+// if (errstr) *errstr = i18n("Unable to create Kerberos foundational key");
+// pdialog.closeDialog();
+// return -1;
+// }
+
+ // OpenLDAP
replacePlaceholdersInFile(templateDir + "openldap/skel.ldif", configTempDir.name() + "skel.ldif", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
// replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.conf", destDir + "ldap/slapd.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
- replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.defaults", destDir + "ldap/slapd.defaults", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+ replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.defaults", LDAP_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, -1, -1, m_ldapUserName, m_ldapGroupName);
+
+ // SASL
+ replacePlaceholdersInFile(templateDir + "sasl/saslauthd.defaults", SASL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+ replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+
+ // FIXME
+ // This assumes Debian!
+ // Grant LDAP access to SASL mux pipe
+ system("dpkg-statoverride --remove --quiet /var/run/saslauthd");
+ system(TQString("dpkg-statoverride --add root %1 710 /var/run/saslauthd").arg(m_ldapGroupName).ascii());
+
+ // FIXME
+ // This assumes Debian!
+ system("ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl");
+ system("ln -s /etc/heimdal-kdc/kdc.conf /var/lib/heimdal-kdc/kdc.conf");
struct stat sb;
uid_t slapd_uid = 0;
gid_t slapd_gid = 0;
- if (stat(destDir + "ldap/slapd.d/cn=config/cn=schema", &sb) == 0) {
- slapd_uid = sb.st_uid;
- slapd_gid = sb.st_gid;
- }
+
+ // Get LDAP user uid/gid
+ struct passwd *pwd;
+ pwd = getpwnam(m_ldapUserName);
+ slapd_uid = pwd->pw_uid;
+ slapd_gid = pwd->pw_gid;
+
+// RAJA FIXME
+// SECURITY
+// The ldapi:/// socket in /var/run/ldap is world readable/writable
+// This means anyone with access to the server running LDAP can dump the KRB5 keys!!!!
// Base database configuration
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/config.ldif", destDir + "ldap/slapd.d/" + TQString("cn=config.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid);
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/schema.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("cn=schema.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid);
+ ldifSchemaNumber = 0;
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/olcConfig.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}config.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+ replacePlaceholdersInFile(templateDir + "openldap/ldif/moduleConfig.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("cn=module{%1}.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
ldifSchemaNumber = 1;
replacePlaceholdersInFile(templateDir + "openldap/ldif/olcDatabase.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
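Review bot: `getpwnam(m_ldapUserName)` returns NULL when the account does not exist (a system without the Debian `openldap` user, or with slapd not installed), and the following `pwd->pw_uid` then dereferences a null pointer; the `stat()` code this hunk removes at least fell back to uid/gid 0. Check the result before use: `if (!pwd) { if (errstr) *errstr = i18n("Unable to look up the LDAP process owner"); pdialog.closeDialog(); return -1; }`. The hunk's own `RAJA FIXME / SECURITY` comment about the world-accessible ldapi socket is left as a comment only; if the fix is not planned for this series, the comment should say where the socket's mode/ownership is meant to be set (presumably the slapd defaults template this hunk now writes to `LDAP_DEFAULT_FILE`) so it does not get lost. `createNewLDAPRealm` starts and ends outside this hunk.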
@@ -565,11 +885,31 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
TQString errorstring;
if (initializeNewKerberosRealm(realmconfig.name.upper(), &errorstring) != 0) {
- if (errstr) *errstr = i18n("Unable to initialize Kerberos database<p>").append(errorstring);
+ if (errstr) *errstr = i18n("Unable to initialize Kerberos database").append(errorstring);
pdialog.closeDialog();
return -1;
}
+ if (addHostEntryToKerberosRealm(realmconfig.kdc, &errorstring) != 0) {
+ if (errstr) *errstr = i18n("Unable to add KDC server entry to Kerberos database").arg(m_ldapUserName).append(errorstring);
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ if (addLDAPEntryToKerberosRealm(m_ldapUserName, realmconfig.admin_server, &errorstring) != 0) {
+ if (errstr) *errstr = i18n("Unable to add %1 entry to Kerberos database").arg(m_ldapUserName).append(errorstring);
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ if (addLDAPEntryToKerberosRealm("ldap", realmconfig.admin_server, &errorstring) != 0) {
+ if (errstr) *errstr = i18n("Unable to add LDAP entry to Kerberos database").append(errorstring);
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ controlHeimdalServer(SC_SETDBPERMS, slapd_uid, slapd_gid);
+
// Move all those new Heimdal entries to the correct tree/branch
TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower());
TQString basedcname = "dc=" + domainChunks.join(",dc=");
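Review bot: The error message for `addHostEntryToKerberosRealm` carries a stray `.arg(m_ldapUserName)` although the string has no `%1` placeholder, evidently copied from the `addLDAPEntryToKerberosRealm` message below it; in the TQt/Qt3 implementation `arg()` on a string without a placeholder emits a runtime warning and appends the argument, so the user would see the LDAP account name tacked onto an unrelated message. Use `if (errstr) *errstr = i18n("Unable to add KDC server entry to Kerberos database").append(errorstring);`. Dropping `<p>` from the "Unable to initialize Kerberos database" message also means `errorstring` now runs directly into the preceding text; if the rich-text break was removed on purpose, a space or newline separator is still needed. The return value of `controlHeimdalServer(SC_SETDBPERMS, slapd_uid, slapd_gid)` is discarded, so a failed keytab permission change goes unreported here.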
@@ -588,6 +928,20 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
delete ldap_mgr;
delete credentials;
+ // Set @@@ADMINUSER@@@ password in kadmin
+ LDAPCredentials adminuser;
+ adminuser.username = adminUserName;
+ adminuser.password = adminPassword;
+ adminuser.realm = realmconfig.name.upper();
+ if (setKerberosPasswordForUser(adminuser, &errorstring) != 0) {
+ if (errstr) *errstr = i18n("Unable to set user password in Kerberos database").append(errorstring);
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ pdialog.setStatusMessage(i18n("Configuring local system..."));
+ tqApp->processEvents();
+
// Write the TDE realm configuration file
LDAPRealmConfigList realms;
realms.insert(realmconfig.name, realmconfig);
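Review bot: `setKerberosPasswordForUser` returns 0 without contacting kadmin when `user.password` is empty, so the "Unable to set user password" branch here cannot fire for an empty `adminPassword` and realm creation continues with the admin principal's Kerberos password never set. Unless an empty administrator password is rejected earlier in the wizard (not visible here), check it before building `adminuser`: `if (!adminPassword || !*adminPassword) { if (errstr) *errstr = i18n("Administrator password must not be empty"); pdialog.closeDialog(); return -1; }`. `adminuser` also keeps a copy of the password in a `TQString` for the remainder of the function; scoping it to a block around the `setKerberosPasswordForUser` call would release that copy as soon as it is no longer needed.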
@@ -595,9 +949,31 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME
m_systemconfig->writeEntry("DefaultRealm", realmconfig.name);
m_systemconfig->sync();
- pdialog.setStatusMessage(i18n("Configuring local system..."));
LDAPManager::writeLDAPConfFile(realmconfig);
+ pdialog.setStatusMessage(i18n("(Re)starting servers..."));
+ tqApp->processEvents();
+
+ // Restart slapd
+ if (controlLDAPServer(SC_RESTART) != 0) {
+ if (errstr) *errstr = i18n("Unable to restart LDAP server");
+ pdialog.closeDialog();
+ return -1;
+ }
+ // Restart Heimdal
+ if (controlHeimdalServer(SC_RESTART) != 0) {
+ if (errstr) *errstr = i18n("Unable to restart Kerberos server");
+ pdialog.closeDialog();
+ return -1;
+ }
+
+ // Start SASL
+ if (controlSASLServer(SC_START) != 0) {
+ if (errstr) *errstr = i18n("Unable to start SASL server");
+ pdialog.closeDialog();
+ return -1;
+ }
+
// RAJA FIXME
pdialog.closeDialog();
}
diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h
index d831c72..1fad5f8 100644
--- a/src/ldapcontroller.h
+++ b/src/ldapcontroller.h
@@ -69,9 +69,13 @@ class LDAPController: public KCModule
void processLockouts();
private:
- int controlHeimdalServer(sc_command command);
+ int controlSASLServer(sc_command command);
+ int controlHeimdalServer(sc_command command, uid_t userid=-1, gid_t groupid=-1);
int controlLDAPServer(sc_command command, uid_t userid=-1, gid_t groupid=-1);
int initializeNewKerberosRealm(TQString realmName, TQString *errstr);
+ int addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, TQString ldapHost, TQString *errstr);
+ int addHostEntryToKerberosRealm(TQString kerberosHost, TQString *errstr);
+ int setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr);
private:
KAboutData *myAboutData;
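Review bot: `uid_t userid=-1, gid_t groupid=-1` on the new `controlHeimdalServer` declaration copies a sentinel that cannot work for these types: on Linux `uid_t` and `gid_t` are unsigned, so -1 converts to the maximum value and the `(userid > 0) && (groupid > 0)` guard in the implementation accepts the defaulted arguments as valid ids (the existing `controlLDAPServer` declaration has the same flaw). Since the ids are only consulted for `SC_SETDBPERMS`, a default of 0 (root, already rejected by the `> 0` test and never the slapd owner here) makes the guard meaningful: `int controlHeimdalServer(sc_command command, uid_t userid=0, gid_t groupid=0);`, and the same change for `controlLDAPServer`. The class declaration continues outside this hunk.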
@@ -81,6 +85,8 @@ class LDAPController: public KCModule
TQString m_fqdn;
int m_prevRole;
+ TQString m_ldapUserName;
+ TQString m_ldapGroupName;
};
#endif // _LDAPCONTROLLER_H_
diff --git a/src/realmwizard.cpp b/src/realmwizard.cpp
index 184fb57..a0f4ced 100644
--- a/src/realmwizard.cpp
+++ b/src/realmwizard.cpp
@@ -94,6 +94,9 @@ RealmWizard::RealmWizard(LDAPController* controller, TQString fqdn, TQWidget *pa
// Other setup
finishpage->ldapAdminRealm->setEnabled(false);
+ // Kerberos won't work unless the DNS suffix matches the realm name
+ realmpage->txtRealmName->setEnabled(false);
+
setFinishEnabled(TQWizard::page(2), true);
setPosition();