author | Timothy Pearson <[email protected]> | 2012-06-06 13:04:14 -0500 |
---|---|---|
committer | Timothy Pearson <[email protected]> | 2012-06-06 13:04:14 -0500 |
commit | c1419e3a4c17f30aa504d9277a7750ce0a6b6a5a (patch) | |
tree | 20418a065b2b7fcbdb1c3c10f1a1b35ed4a08773 | |
parent | 4ada10136e07c59ea5e5ff2d06b7313cf098432c (diff) | |
Preferentially use TLS when connecting to LDAP server
-rw-r--r-- | src/ldaplogindlgbase.ui | 8 | ||||
-rw-r--r-- | src/libtdeldap.cpp | 78 | ||||
-rw-r--r-- | src/libtdeldap.h | 5 |
3 files changed, 66 insertions, 25 deletions
diff --git a/src/ldaplogindlgbase.ui b/src/ldaplogindlgbase.ui
index 43ac9b4..a3e855b 100644
--- a/src/ldaplogindlgbase.ui
+++ b/src/ldaplogindlgbase.ui
@@ -80,6 +80,14 @@
 <cstring>ldapAdminRealm</cstring>
 </property>
 </widget>
+ <widget class="TQCheckBox" row="4" column="0" colspan="3">
+ <property name="name">
+ <cstring>ldapUseTLS</cstring>
+ </property>
+ <property name="text">
+ <string>Use LDAP TLS to encrypt this connection (recommended)</string>
+ </property>
+ </widget>
 </grid>
 </widget>
 <layoutdefaults spacing="3" margin="6"/>
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 2bbacf4..47f5057 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -19,10 +19,13 @@
 ***************************************************************************/
 #include <sys/types.h>
+#include <sys/stat.h>
 #include <sys/socket.h>
 #include <netdb.h>
+#include <pwd.h>
 #include <tqfile.h>
+#include <tqcheckbox.h>
 #include <klocale.h>
 #include <kmessagebox.h>
@@ -44,7 +47,7 @@
 // FIXME
 // Connect this to CMake/Automake
 #define KDE_CONFDIR "/etc/trinity"
-#define LDAP_FILE "/etc/ldap.conf"
+#define LDAP_FILE "/etc/ldap/ldap.conf"
 int requested_ldap_version = LDAP_VERSION3;
 int requested_ldap_auth_method = LDAP_AUTH_SIMPLE; // Is this safe and secure over an untrusted connection?
@@ -91,13 +94,21 @@ TQString ldapLikelyErrorCause(int errcode, int location) {
 TQString ret;
 if (location == ERRORCAUSE_LOCATION_BIND) {
+ if (errcode == LDAP_SERVER_DOWN) {
+ ret = " * LDAP server down<br> * Invalid LDAP Certificate Authority file on client";
+ }
 if (LDAP_NAME_ERROR(errcode)) {
 ret = "Unknown user name or incorrect user name format";
 }
 }
 if (ret != "") {
- ret.prepend("<p>" + i18n("Likely cause") + ":<br>");
+ if (ret.contains("<br>")) {
+ ret.prepend("<p>" + i18n("Potential causes") + ":<br>");
+ }
+ else {
+ ret.prepend("<p>" + i18n("Potential cause") + ":<br>");
+ }
 }
 return ret;
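Review bot: Moving LDAP_FILE to `/etc/ldap/ldap.conf` changes which consumer reads the file: that path is the OpenLDAP client-library config, whereas the keys this code still writes there (`bind_policy`, `pam_password`, `nss_initgroups_ignoreusers` in the writeLDAPConfFile hunk below) look like pam_ldap/nss_ldap options that belonged to the old `/etc/ldap.conf`, and libldap silently ignores keywords it does not recognise. Please confirm which file each consumer actually reads and record the decision on the define, e.g. `#define LDAP_FILE "/etc/ldap/ldap.conf" // OpenLDAP client config (TLS_CACERT etc.), not pam_ldap's /etc/ldap.conf`. The question in the comment on `requested_ldap_auth_method` can also be answered now that TLS is a per-connection choice: a simple bind sends the password in the clear unless the connection is ldaps://, StartTLS or ldapi://, so that comment should say so rather than ask.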
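Review bot: The new LDAP_SERVER_DOWN hint can only guess between "server down" and "bad CA file", while libldap records the real reason (including TLS handshake and certificate-verification failures) and the caller of this helper can fetch it with `ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &msg)` (on older libldap `LDAP_OPT_ERROR_STRING`); appending that text to the hint would point the admin at the actual problem instead of two candidates. As a smaller point, the two hint strings are not wrapped in `i18n()` although the "Potential cause(s)" prefix is. The closing brace of ldapLikelyErrorCause lies outside the hunk.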
@@ -109,7 +120,31 @@ printf("[RAJA DEBUG 600.0] In LDAPManager::bind(%p)\n\r", errstr); fflush(stdout
 return 0;
 }
- int use_secure_connection = 0;
+ bool using_ldapi = false;
+ if (m_host.startsWith("ldapi://")) {
+ using_ldapi = true;
+ }
+ bool havepass = false;
+ if (m_creds || using_ldapi) {
+ havepass = true;
+ }
+ else {
+printf("[RAJA DEBUG 660.1] using_ldapi: %d\n\r", using_ldapi); fflush(stdout);
+ LDAPPasswordDialog passdlg(0);
+ passdlg.m_base->ldapAdminRealm->setEnabled(false);
+ passdlg.m_base->ldapAdminRealm->insertItem(m_realm);
+ passdlg.m_base->ldapUseTLS->setChecked(true);
+ if (passdlg.exec() == TQDialog::Accepted) {
+ havepass = true;
+ if (!m_creds) {
+ m_creds = new LDAPCredentials();
+ m_creds->username = passdlg.m_base->ldapAdminUsername->text();
+ m_creds->password = passdlg.m_base->ldapAdminPassword->password();
+ m_creds->realm = passdlg.m_base->ldapAdminRealm->currentText();
+ m_creds->use_tls = passdlg.m_base->ldapUseTLS->isOn();
+ }
+ }
+ }
 TQString uri;
 if (m_host.contains("://")) {
@@ -122,7 +157,7 @@ printf("[RAJA DEBUG 600.0] In LDAPManager::bind(%p)\n\r", errstr); fflush(stdout
 }
 }
 else {
- if (use_secure_connection == 1) {
+ if (m_creds->use_tls) {
 m_port = LDAP_SECURE_PORT;
 uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port);
 }
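Review bot: Unchecking the new "Use LDAP TLS" box silently downgrades to a cleartext bind: the credentials collected here are later loaded into a `struct berval cred` with `mechanism = NULL` (next hunk), which looks like a simple bind, so the admin password crosses the network unencrypted over plain `ldap://`, and `use_tls` only ever selects `ldaps://` when `m_host` carries no scheme — a host entered as `ldap://…` ignores the checkbox entirely. I would refuse, or at least require an explicit confirmation, when `!m_creds->use_tls && !using_ldapi`, and for a scheme-bearing `ldap://` URI issue `ldap_start_tls_s(ldap, NULL, NULL)` after the handle is created so the checkbox means what its label promises; a comment at the `use_tls` assignment such as `// use_tls == false means a cleartext simple bind unless the URI is ldapi://` would make the trade-off visible to the next reader. The debug `printf` of `using_ldapi` is harmless, but please keep the password itself out of any such trace. bind() begins and ends outside this hunk.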
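Review bot: `m_creds->use_tls` is dereferenced here without a NULL check, but `m_creds` is still NULL when the user cancels the password dialog in the previous hunk (`havepass` stays false and nothing returns before `TQString uri;`), so a host without a `://` scheme now crashes on cancel where the old code read the local `use_secure_connection`. Guard it with `if (m_creds && m_creds->use_tls) {`, or better, return from bind() with an error immediately after the dialog block when `!havepass` so neither this branch nor the URI construction runs with no credentials. The enclosing bind() starts and ends outside this hunk.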
@@ -148,25 +183,6 @@ printf("[RAJA DEBUG 600.1] URI: %s\n\r", uri.ascii()); fflush(stdout); printf("[RAJA DEBUG 660.0]\n\r"); fflush(stdout); TQString errorString; - bool havepass = false; - if (m_creds) { - havepass = true; - } - else { -printf("[RAJA DEBUG 660.1]\n\r"); fflush(stdout); - LDAPPasswordDialog passdlg(0); - passdlg.m_base->ldapAdminRealm->setEnabled(false); - passdlg.m_base->ldapAdminRealm->insertItem(m_realm); - if (passdlg.exec() == TQDialog::Accepted) { - havepass = true; - if (!m_creds) { - m_creds = new LDAPCredentials(); - m_creds->username = passdlg.m_base->ldapAdminUsername->text(); - m_creds->password = passdlg.m_base->ldapAdminPassword->password(); - m_creds->realm = passdlg.m_base->ldapAdminRealm->currentText(); - } - } - } if (havepass == true) { char* mechanism = NULL; struct berval cred; @@ -175,7 +191,7 @@ printf("[RAJA DEBUG 660.1]\n\r"); fflush(stdout); cred.bv_val = pass.data(); cred.bv_len = pass.length(); printf("[RAJA DEBUG 660.2]\n\r"); fflush(stdout); - if (!uri.startsWith("ldapi://")) { + if (!using_ldapi) { if (!ldap_dn.contains(",")) { // Look for a POSIX account with anonymous bind and the specified account name TQString uri; @@ -184,7 +200,7 @@ printf("[RAJA DEBUG 660.2]\n\r"); fflush(stdout); uri = m_host; } else { - if (use_secure_connection == 1) { + if (m_creds->use_tls) { m_port = LDAP_SECURE_PORT; uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port); } @@ -1398,11 +1414,14 @@ void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) { stream << "bind_policy " << m_bindPolicy.lower() << "\n"; stream << "pam_password " << m_passwordHash.lower() << "\n"; stream << "nss_initgroups_ignoreusers " << m_ignoredUsers << "\n"; + stream << "tls_cacert /etc/trinity/ldap/tde-ca/public/argus5.starlink.edu.ldap.crt" << "\n"; } file.close(); } + chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + delete systemconfig; } 
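Review bot: The `tls_cacert` line written into the system-wide ldap.conf hard-codes a site-specific certificate path (`argus5.starlink.edu.ldap.crt`), so on any other deployment every TLS bind will fail verification — the new "Invalid LDAP Certificate Authority file" hint elsewhere in this commit is the symptom — or tempt an admin to relax `TLS_REQCERT`, which removes server authentication altogether. The path should be derived from the realm being written (`realmcfg` is passed in but unused in the visible lines) and the line omitted when that CA file does not exist. Separately, `chmod()` runs even when the file could not be opened and its return value is ignored; please check it, and note in a comment that 0644 is acceptable only because nothing visibly secret (no bind password) is written here — e.g. `// world-readable on purpose: NSS/PAM clients read this; never write bindpw here`. writeLDAPConfFile begins outside the hunk.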
@@ -1473,6 +1492,15 @@ TQString LDAPManager::getMachineFQDN() { // // =============================================================================================================== +LDAPCredentials::LDAPCredentials() { + // TQStrings are always initialized to TQString::null, so they don't need initialization here... + use_tls = true; +} + +LDAPCredentials::~LDAPCredentials() { + // +} + LDAPUserInfo::LDAPUserInfo() { // TQStrings are always initialized to TQString::null, so they don't need initialization here... informationValid = false; diff --git a/src/libtdeldap.h b/src/libtdeldap.h index 38ae847..bf0106a 100644 --- a/src/libtdeldap.h +++ b/src/libtdeldap.h @@ -66,9 +66,14 @@ typedef TQValueList<gid_t> GroupList; class LDAPCredentials { public: + LDAPCredentials(); + ~LDAPCredentials(); + + public: TQString username; TQCString password; TQString realm; + bool use_tls; }; // PRIVATE |
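Review bot: The new destructor does nothing, yet `LDAPCredentials` exists to carry a plaintext `password`, so this is the natural place to scrub it before the storage is released: `password.fill(0);` in `~LDAPCredentials()`. That is best-effort only — TQCString is implicitly shared, so copies handed to other objects are not cleared and the compiler may drop the store — which is worth stating in the comment. The default also deserves a why-comment, e.g. `use_tls = true; // opt out, not in: a caller must clear this explicitly to get an unencrypted bind`.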
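Review bot: `bool use_tls;` is added without any documentation of what it controls, and from the .cpp hunks its effect is narrower than the name suggests. Propose `bool use_tls; // true: connect with ldaps:// on LDAP_SECURE_PORT when the host has no URI scheme; has no effect for ldapi:// or for an explicit ldap://… URI (no StartTLS)`. The `password` member would also benefit from `// plaintext; scrub on destruction` so future readers know it is sensitive. The class body continues to the `};` inside the hunk, but its header comment is outside.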