Diffstat (limited to 'src')
-rw-r--r-- | src/libtdeldap.cpp | 182 | ||||
-rw-r--r-- | src/libtdeldap.h | 9 |
2 files changed, 190 insertions, 1 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 34123cd..cbb5b69 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -26,6 +26,7 @@
 #include <tqfile.h>
 #include <tqcheckbox.h>
+#include <kapplication.h>
 #include <klocale.h>
 #include <kmessagebox.h>
@@ -82,6 +83,23 @@ LDAPManager::~LDAPManager() {
 unbind(true);
 }
+TQString LDAPManager::ldapdnForRealm(TQString realm) {
+ TQStringList domainChunks = TQStringList::split(".", realm.lower());
+ TQString basedc = "dc=" + domainChunks.join(",dc=");
+ return basedc;
+}
+
+TQString LDAPManager::cnFromDn(TQString dn) {
+ int eqpos = dn.find("=")+1;
+ int cmpos = dn.find(",", eqpos);
+ if ((eqpos < 0) || (cmpos < 0)) {
+ return dn;
+ }
+ dn.truncate(cmpos);
+ dn.remove(0, eqpos);
+ return dn;
+}
+
 TQString LDAPManager::basedn() {
 return m_basedc;
 }
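Review bot: The guard in `cnFromDn` can never catch a missing "=": `dn.find("=")` returns -1 when there is no match and the `+1` on the same line turns that into 0, so `eqpos < 0` is always false and a DN without "=" is silently cut at its first comma instead of being returned unchanged. Test the raw result before adjusting it: `int eqpos = dn.find("="); if (eqpos < 0) return dn; ++eqpos; int cmpos = dn.find(",", eqpos);`. The helper also treats every comma as an RDN separator, so a value containing an escaped `\,` (RFC 4514) is truncated early; that limit deserves a comment on the function, e.g. `// Returns the value of the first RDN; escaped separators are not handled.`. `ldapdnForRealm` yields the bare string `dc=` for an empty realm, so either callers must check the realm first or a comment should say the input is assumed non-empty.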
@@ -829,6 +847,87 @@ int LDAPManager::updateUserInfo(LDAPUserInfo user) {
 }
 }
+TQString readFullLineFromPtyProcess(PtyProcess* proc) {
+ TQString result = "";
+ while ((!result.contains("\n")) && (!result.contains(":")) && (!result.contains(">"))) {
+ result = result + TQString(proc->readLine(false));
+ tqApp->processEvents();
+ }
+ return result;
+}
+
+int LDAPManager::setPasswordForUser(LDAPUserInfo user, TQString *errstr) {
+ if (user.new_password == "") {
+ return 0;
+ }
+
+ LDAPCredentials admincreds = currentLDAPCredentials();
+
+ // RAJA FIXME
+ // How to handle GSSAPI auth?
+
+ TQCString command = "kadmin";
+ QCStringList args;
+ if (m_host.startsWith("ldapi://")) {
+ args << TQCString("-l") << TQCString("-r") << TQCString(admincreds.realm.upper());
+ }
+ else {
+ args << TQCString("-p") << TQCString(admincreds.username.lower()+"@"+(admincreds.realm.upper())) << TQCString("-r") << TQCString(admincreds.realm.upper());
+ }
+
+ TQString prompt;
+ PtyProcess kadminProc;
+ kadminProc.exec(command, args);
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt == "kadmin>") {
+ kadminProc.writeLine(TQCString("passwd "+user.name), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if ((prompt.endsWith(" Password:")) && (prompt.startsWith(TQString(user.name + "@")))) {
+ kadminProc.writeLine(user.new_password, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if ((prompt.endsWith(" Password:")) && (prompt.startsWith("Verify"))) {
+ kadminProc.writeLine(user.new_password, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ if (prompt.endsWith(" Password:")) {
+ kadminProc.writeLine(admincreds.password, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ if (prompt != "kadmin>") {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+ else if (prompt == "kadmin>") {
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+
+ // Failure
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
+ return 1; // Failure
+}
+
 int LDAPManager::updateGroupInfo(LDAPGroupInfo group) {
 int retcode;
 int i;
@@ -913,7 +1012,7 @@ int LDAPManager::addUserInfo(LDAPUserInfo user) {
 }
 else {
 // Create the base DN entry
- int number_of_parameters = 13; // 13 primary attributes
+ int number_of_parameters = 14; // 14 primary attributes
 LDAPMod *mods[number_of_parameters+1];
 for (i=0;i<number_of_parameters;i++) {
 mods[i] = new LDAPMod;
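Review bot: `readFullLineFromPtyProcess` has no exit condition other than seeing "\n", ":" or ">", so if kadmin exits early, prints nothing, or answers with a prompt that uses different punctuation, the `while` loop spins forever pumping `processEvents()` and `setPasswordForUser` never reaches its error path. Bound the wait — a deadline, or as below a cap on consecutive empty non-blocking reads (`readLine(false)` appears to return an empty string when nothing is pending; confirm against PtyProcess) — and have the caller turn an empty result into the "Internal error" message it already reports instead of an empty `*errstr`. The principal name is also pasted verbatim into the interactive command on the `kadminProc.writeLine(TQCString("passwd "+user.name), true);` line; a name containing whitespace or other characters kadmin's line parser treats specially changes which principal is modified, so validate it against the allowed principal character set before this point. `setPasswordForUser` lies entirely inside the hunk.
```cpp
TQString readFullLineFromPtyProcess(PtyProcess* proc) {
	// Gather output until a line end or a prompt terminator arrives; give up after a
	// bounded number of empty non-blocking reads so a dead or silent child cannot hang the caller.
	const int kMaxEmptyReads = 1000;  // constructed limit; tune against observed kadmin latency
	int emptyReads = 0;
	TQString result = "";
	while ((!result.contains("\n")) && (!result.contains(":")) && (!result.contains(">"))) {
		TQString chunk = TQString(proc->readLine(false));
		if (chunk.isEmpty()) {
			if (++emptyReads > kMaxEmptyReads) {
				return TQString::null;  // caller sees no prompt and reports the failure
			}
		}
		else {
			emptyReads = 0;
			result = result + chunk;
		}
		tqApp->processEvents();
	}
	return result;
}
```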
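Review bot: `number_of_parameters` goes from 13 to 14 but no hunk in this commit adds a fourteenth `mods[]` assignment, so either the body below (outside the hunk) already filled 14 slots and was overrunning the old array, or it still fills 13 and the `for` loop now hands an extra `new LDAPMod` with indeterminate fields to the add call; I cannot tell which from here, so please confirm the count against the actual assignments. The count lives on this line and the attributes live further down; a comment listing the attributes by name next to `// 14 primary attributes` would make the next change checkable. `addUserInfo` continues outside the hunk.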
@@ -1644,6 +1743,45 @@ void LDAPManager::writeCronFiles() {
 system(CRON_UPDATE_NSS_COMMAND);
 }
+LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool disableAllBonds) {
+ LDAPRealmConfigList realms;
+
+ TQStringList cfgRealms = config->groupList();
+ for (TQStringList::Iterator it(cfgRealms.begin()); it != cfgRealms.end(); ++it) {
+ if ((*it).startsWith("LDAPRealm-")) {
+ config->setGroup(*it);
+ TQString realmName=*it;
+ realmName.remove(0,strlen("LDAPRealm-"));
+ if (!realms.contains(realmName)) {
+ // Read in realm data
+ LDAPRealmConfig realmcfg;
+ realmcfg.name = realmName;
+ if (!disableAllBonds) {
+ realmcfg.bonded = config->readBoolEntry("bonded");
+ }
+ else {
+ realmcfg.bonded = false;
+ }
+ realmcfg.uid_offset = config->readNumEntry("uid_offset");
+ realmcfg.gid_offset = config->readNumEntry("gid_offset");
+ realmcfg.domain_mappings = config->readListEntry("domain_mappings");
+ realmcfg.kdc = config->readEntry("kdc");
+ realmcfg.kdc_port = config->readNumEntry("kdc_port");
+ realmcfg.admin_server = config->readEntry("admin_server");
+ realmcfg.admin_server_port = config->readNumEntry("admin_server_port");
+ realmcfg.pkinit_require_eku = config->readBoolEntry("pkinit_require_eku");
+ realmcfg.pkinit_require_krbtgt_otherName = config->readBoolEntry("pkinit_require_krbtgt_otherName");
+ realmcfg.win2k_pkinit = config->readBoolEntry("win2k_pkinit");
+ realmcfg.win2k_pkinit_require_binding = config->readBoolEntry("win2k_pkinit_require_binding");
+ // Add realm to list
+ realms.insert(realmName, realmcfg);
+ }
+ }
+ }
+
+ return realms;
+}
+
 void LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config) {
 LDAPRealmConfigList::Iterator it;
 for (it = realms.begin(); it != realms.end(); ++it) {
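Review bot: `readTDERealmList` calls `config->setGroup(*it)` for every `LDAPRealm-` group and never restores the group that was current on entry, so a caller that had selected a group beforehand silently reads its next entries from the last realm group visited; save it with `TQString previousGroup = config->group();` before the loop and put `config->setGroup(previousGroup);` before `return realms;`. The function is a new public static API (see the header hunk) and carries no header comment; document the group naming convention and the override, e.g. `// Builds the realm list from every "LDAPRealm-<name>" group in config; with disableAllBonds every realm is returned unbonded regardless of the stored flag.`. Keys that are absent come back through the KConfig defaults as empty, 0 or false, so a realm with no `kdc_port` entry is returned with port 0; if callers are expected to treat 0 as "unset", say so in the same comment.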
@@ -1713,6 +1851,48 @@ int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) {
 return 0;
 }
+int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg) {
+ TQString command;
+
+ TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
+ TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE;
+ TQString kdc_reqfile = KERBEROS_PKI_KDCREQ_FILE;
+ kdc_certfile.replace("@@@KDCSERVER@@@", realmcfg.kdc);
+ kdc_keyfile.replace("@@@KDCSERVER@@@", realmcfg.kdc);
+ kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.kdc);
+
+ command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
+ system(command);
+ command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE);
+ system(command);
+ chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ chown(kdc_certfile.ascii(), 0, 0);
+ unlink(kdc_reqfile.ascii());
+
+ return 0;
+}
+
+int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid) {
+ TQString command;
+
+ TQString ldap_certfile = LDAP_CERT_FILE;
+ TQString ldap_keyfile = LDAP_CERTKEY_FILE;
+ TQString ldap_reqfile = LDAP_CERTREQ_FILE;
+ ldap_certfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server);
+ ldap_keyfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server);
+ ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server);
+
+ command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress);
+ system(command);
+ command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile);
+ system(command);
+ chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ chown(ldap_certfile.ascii(), ldap_uid, ldap_gid);
+ unlink(ldap_reqfile.ascii());
+
+ return 0;
+}
+
 TQString LDAPManager::getMachineFQDN() {
 struct addrinfo hints, *info, *p;
 int gai_result;
diff --git a/src/libtdeldap.h b/src/libtdeldap.h
index be3c84a..39ce2b0 100644
--- a/src/libtdeldap.h
+++ b/src/libtdeldap.h
@@ -46,6 +46,8 @@
 #define LDAP_CERTKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.key"
 #define LDAP_CERTREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.req"
+#define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions"
+
 #define DEFAULT_IGNORED_USERS_LIST "avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,haldaemon,hplip,irc,klog,landscape,libuuid,list,lp,mail,man,messagebus,news,ntp,polkituser,postfix,proxy,pulse,root,rtkit,saned,sshd,statd,sync,sys,syslog,timidity,usbmux,uucp,www-data"
 // Values from hdb.asn1
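Review bot: Both `generatePublicKerberosCertificate` and `generatePublicLDAPCertificate` interpolate the `certinfo` fields and `realmcfg.kdc` / `realmcfg.admin_server` into a `system()` command line, so a double quote, `$`, backtick or `;` in any of those values ends the `-subj` argument and is interpreted by the shell, and a `/` or `=` in a field is re-parsed by openssl as another RDN; the `chown(..., 0, 0)` implies this runs as root and it writes into the PKI directory. Start openssl with an argument vector instead (TDE's `KProcess` with `<<`, which needs `kprocess.h`, passes the subject as a single argument and involves no shell) and reject or escape `/`, `=` and `\` in subject components before assembling the subject; the pre-existing `generatePublicKerberosCACertificate` above presumably has the same shape and should be fixed in the same pass. Both `system()` return values are ignored, so a failed `req` step still runs `x509`, `chmod`s a file that may not exist and returns 0; check each step and return non-zero on failure. The `-extensions kdc_cert` section is assumed to exist in `OPENSSL_EXTENSIONS_FILE`; a one-line comment naming that dependency would help whoever ships the extensions file.
```cpp
	// Argument-vector launch: every field reaches openssl unchanged, nothing is re-parsed by a shell.
	// Requires kprocess.h; subject components must already be free of '/', '=' and '\'.
	KProcess req;
	req << "openssl" << "req" << "-new" << "-out" << kdc_reqfile << "-key" << kdc_keyfile
	    << "-subj" << TQString("/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
	if (!req.start(KProcess::Block, KProcess::NoCommunication) || !req.normalExit() || req.exitStatus() != 0) {
		return 1;
	}
	// … unchanged: same pattern for the "openssl x509 -req" step, then chmod/chown/unlink …
```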
@@ -297,14 +299,21 @@ class LDAPManager : public TQObject {
 LDAPTDEBuiltinsInfo getTDEBuiltinMappings(TQString *errstr=0);
 int writeSudoersConfFile(TQString *errstr=0);
 int getTDECertificate(TQString certificateName, TQString fileName, TQString *errstr=0);
+ int setPasswordForUser(LDAPUserInfo user, TQString *errstr);
 static void writeCronFiles();
 static TQString getMachineFQDN();
 static void writeLDAPConfFile(LDAPRealmConfig realmcfg);
 static void writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config);
+ static LDAPRealmConfigList readTDERealmList(KSimpleConfig* config, bool disableAllBonds=false);
 static TQDateTime getCertificateExpiration(TQString certfile);
 static int generatePublicKerberosCACertificate(LDAPCertConfig certinfo);
+ static int generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg);
+ static int generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid);
+
+ static TQString ldapdnForRealm(TQString realm);
+ static TQString cnFromDn(TQString dn);
 private:
 LDAPUserInfo parseLDAPUserRecord(LDAPMessage* entry); |
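Review bot: `setPasswordForUser(LDAPUserInfo user, TQString *errstr)` is the only method in this group whose `errstr` has no default, while its neighbours declare `TQString *errstr=0` and the implementation already null-checks the pointer on every use; declare it `int setPasswordForUser(LDAPUserInfo user, TQString *errstr=0);` for consistency. The new static helpers are undocumented; `ldapdnForRealm` and `cnFromDn` each deserve a one-line comment (e.g. `// Lower-cases the realm and maps each dotted label to a dc= component` and `// Returns the value of the first RDN; escaped separators are not handled`), and the two certificate generators should state that they shell out to openssl and, given the `chown` to 0:0 in the implementation, appear to require root.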