Diffstat (limited to 'src')
-rw-r--r--src/libtdeldap.cpp182
-rw-r--r--src/libtdeldap.h9
2 files changed, 190 insertions, 1 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 34123cd..cbb5b69 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -26,6 +26,7 @@
#include <tqfile.h>
#include <tqcheckbox.h>
+#include <kapplication.h>
#include <klocale.h>
#include <kmessagebox.h>
@@ -82,6 +83,23 @@ LDAPManager::~LDAPManager() {
unbind(true);
}
+TQString LDAPManager::ldapdnForRealm(TQString realm) {
+ TQStringList domainChunks = TQStringList::split(".", realm.lower());
+ TQString basedc = "dc=" + domainChunks.join(",dc=");
+ return basedc;
+}
+
+TQString LDAPManager::cnFromDn(TQString dn) {
+ int eqpos = dn.find("=")+1;
+ int cmpos = dn.find(",", eqpos);
+ if ((eqpos < 0) || (cmpos < 0)) {
+ return dn;
+ }
+ dn.truncate(cmpos);
+ dn.remove(0, eqpos);
+ return dn;
+}
+
TQString LDAPManager::basedn() {
return m_basedc;
}
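Review bot: In cnFromDn the `eqpos < 0` test can never fire because `+1` is already applied on the line above — for a DN with no `=`, find() returns -1 and eqpos becomes 0, so instead of being returned unchanged the string is truncated at its first comma. Test the raw result before advancing: `int eqpos = dn.find("="); if (eqpos < 0) return dn; eqpos++;` and keep the `cmpos < 0` check for a DN without a trailing component. Neither helper carries a comment; a one-liner such as `// "uid=joe,ou=people,dc=example,dc=org" -> "joe"` on cnFromDn and `// "example.org" -> "dc=example,dc=org"; no escaping of DN special characters is performed` on ldapdnForRealm would record the contract, and the latter also yields a bare `dc=` for an empty realm, which callers are unlikely to expect.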
@@ -829,6 +847,87 @@ int LDAPManager::updateUserInfo(LDAPUserInfo user) {
}
}
+TQString readFullLineFromPtyProcess(PtyProcess* proc) {
+ TQString result = "";
+ while ((!result.contains("\n")) && (!result.contains(":")) && (!result.contains(">"))) {
+ result = result + TQString(proc->readLine(false));
+ tqApp->processEvents();
+ }
+ return result;
+}
+
+int LDAPManager::setPasswordForUser(LDAPUserInfo user, TQString *errstr) {
+ if (user.new_password == "") {
+ return 0;
+ }
+
+ LDAPCredentials admincreds = currentLDAPCredentials();
+
+ // RAJA FIXME
+ // How to handle GSSAPI auth?
+
+ TQCString command = "kadmin";
+ QCStringList args;
+ if (m_host.startsWith("ldapi://")) {
+ args << TQCString("-l") << TQCString("-r") << TQCString(admincreds.realm.upper());
+ }
+ else {
+ args << TQCString("-p") << TQCString(admincreds.username.lower()+"@"+(admincreds.realm.upper())) << TQCString("-r") << TQCString(admincreds.realm.upper());
+ }
+
+ TQString prompt;
+ PtyProcess kadminProc;
+ kadminProc.exec(command, args);
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if (prompt == "kadmin>") {
+ kadminProc.writeLine(TQCString("passwd "+user.name), true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kadminProc);
+ prompt = prompt.stripWhiteSpace();
+ if ((prompt.endsWith(" Password:")) && (prompt.startsWith(TQString(user.name + "@")))) {
+ kadminProc.writeLine(user.new_password, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ if ((prompt.endsWith(" Password:")) && (prompt.startsWith("Verify"))) {
+ kadminProc.writeLine(user.new_password, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ if (prompt.endsWith(" Password:")) {
+ kadminProc.writeLine(admincreds.password, true);
+ prompt = kadminProc.readLine(true); // Discard our own input
+ prompt = kadminProc.readLine(true);
+ prompt = prompt.stripWhiteSpace();
+ }
+ if (prompt != "kadmin>") {
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+ else if (prompt == "kadmin>") {
+ // Success!
+ kadminProc.writeLine("quit", true);
+ return 0;
+ }
+
+ // Failure
+ if (errstr) *errstr = prompt;
+ kadminProc.writeLine("quit", true);
+ return 1;
+ }
+
+ if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed.";
+ return 1; // Failure
+}
+
int LDAPManager::updateGroupInfo(LDAPGroupInfo group) {
int retcode;
int i;
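Review bot: readFullLineFromPtyProcess has no exit condition other than seeing `\n`, `:` or `>` in the accumulated text, so if kadmin exits early or produces no further output the loop spins on `tqApp->processEvents()` forever and setPasswordForUser never returns; it should also stop when the child has exited or after a bounded number of empty reads, and the caller should then report failure through errstr. The line `kadminProc.writeLine(TQCString("passwd "+user.name), true)` interpolates user.name unchecked into an interactive kadmin session authenticated with the administrator's credentials; reject names containing whitespace or newlines before building the command, e.g. `if (user.name.contains(" ") || user.name.contains("\n")) { if (errstr) *errstr = "Invalid user name"; return 1; }`. The `else if (prompt == "kadmin>")` branch duplicates the success path inside the preceding block and the two could be folded into one check so the quit/return sequence appears once. `kadmin` is also resolved through PATH, which for a helper presumably run with elevated privileges is worth replacing with a fixed path or at least noting in a comment.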
@@ -913,7 +1012,7 @@ int LDAPManager::addUserInfo(LDAPUserInfo user) {
}
else {
// Create the base DN entry
- int number_of_parameters = 13; // 13 primary attributes
+ int number_of_parameters = 14; // 14 primary attributes
LDAPMod *mods[number_of_parameters+1];
for (i=0;i<number_of_parameters;i++) {
mods[i] = new LDAPMod;
@@ -1644,6 +1743,45 @@ void LDAPManager::writeCronFiles() {
system(CRON_UPDATE_NSS_COMMAND);
}
+LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool disableAllBonds) {
+ LDAPRealmConfigList realms;
+
+ TQStringList cfgRealms = config->groupList();
+ for (TQStringList::Iterator it(cfgRealms.begin()); it != cfgRealms.end(); ++it) {
+ if ((*it).startsWith("LDAPRealm-")) {
+ config->setGroup(*it);
+ TQString realmName=*it;
+ realmName.remove(0,strlen("LDAPRealm-"));
+ if (!realms.contains(realmName)) {
+ // Read in realm data
+ LDAPRealmConfig realmcfg;
+ realmcfg.name = realmName;
+ if (!disableAllBonds) {
+ realmcfg.bonded = config->readBoolEntry("bonded");
+ }
+ else {
+ realmcfg.bonded = false;
+ }
+ realmcfg.uid_offset = config->readNumEntry("uid_offset");
+ realmcfg.gid_offset = config->readNumEntry("gid_offset");
+ realmcfg.domain_mappings = config->readListEntry("domain_mappings");
+ realmcfg.kdc = config->readEntry("kdc");
+ realmcfg.kdc_port = config->readNumEntry("kdc_port");
+ realmcfg.admin_server = config->readEntry("admin_server");
+ realmcfg.admin_server_port = config->readNumEntry("admin_server_port");
+ realmcfg.pkinit_require_eku = config->readBoolEntry("pkinit_require_eku");
+ realmcfg.pkinit_require_krbtgt_otherName = config->readBoolEntry("pkinit_require_krbtgt_otherName");
+ realmcfg.win2k_pkinit = config->readBoolEntry("win2k_pkinit");
+ realmcfg.win2k_pkinit_require_binding = config->readBoolEntry("win2k_pkinit_require_binding");
+ // Add realm to list
+ realms.insert(realmName, realmcfg);
+ }
+ }
+ }
+
+ return realms;
+}
+
void LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config) {
LDAPRealmConfigList::Iterator it;
for (it = realms.begin(); it != realms.end(); ++it) {
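Review bot: readTDERealmList is a new public static API with no comment describing what it reads or what disableAllBonds does; a short header such as `// Load every [LDAPRealm-<name>] group of config into an LDAPRealmConfigList. With disableAllBonds set, every realm is returned with bonded=false regardless of the stored value.` would make the declaration in libtdeldap.h self-explanatory. The `!realms.contains(realmName)` guard looks redundant, since groupList() presumably yields each group name once; either drop it or comment why a duplicate is possible. The readNumEntry/readBoolEntry calls rely on the KConfig defaults (0/false) for missing keys — if an absent `uid_offset` or `kdc_port` should not silently become 0, spell the default out in the call.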
@@ -1713,6 +1851,48 @@ int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) {
return 0;
}
+int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg) {
+ TQString command;
+
+ TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
+ TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE;
+ TQString kdc_reqfile = KERBEROS_PKI_KDCREQ_FILE;
+ kdc_certfile.replace("@@@KDCSERVER@@@", realmcfg.kdc);
+ kdc_keyfile.replace("@@@KDCSERVER@@@", realmcfg.kdc);
+ kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.kdc);
+
+ command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
+ system(command);
+ command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE);
+ system(command);
+ chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ chown(kdc_certfile.ascii(), 0, 0);
+ unlink(kdc_reqfile.ascii());
+
+ return 0;
+}
+
+int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid) {
+ TQString command;
+
+ TQString ldap_certfile = LDAP_CERT_FILE;
+ TQString ldap_keyfile = LDAP_CERTKEY_FILE;
+ TQString ldap_reqfile = LDAP_CERTREQ_FILE;
+ ldap_certfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server);
+ ldap_keyfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server);
+ ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server);
+
+ command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress);
+ system(command);
+ command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile);
+ system(command);
+ chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ chown(ldap_certfile.ascii(), ldap_uid, ldap_gid);
+ unlink(ldap_reqfile.ascii());
+
+ return 0;
+}
+
TQString LDAPManager::getMachineFQDN() {
struct addrinfo hints, *info, *p;
int gai_result;
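Review bot: Both generatePublicKerberosCertificate and generatePublicLDAPCertificate build an openssl command line by string interpolation and hand it to `system()`, so any certinfo field, `realmcfg.kdc` or `realmcfg.admin_server` containing shell metacharacters (a double quote, backtick or `$(`) escapes the `-subj "..."` quoting and is executed as the invoking user — which, given the `chown(..., 0, 0)` on the result, is presumably root. Prefer an argv-style launch (the PtyProcess `exec(command, args)` used by setPasswordForUser already takes separate arguments), or at minimum validate the subject fields and server names against a conservative character set before the command is assembled. The return value of `system()` is ignored and both functions return 0 unconditionally, so a failed openssl run still leads to chmod/chown on a missing file and is reported as success; check it after each call, e.g. `if (system(command.ascii()) != 0) return 1;`. The same `realmcfg.kdc`/`admin_server` values are spliced into file paths through the `@@@KDCSERVER@@@`/`@@@ADMINSERVER@@@` placeholders, so a value containing `/` or `..` would redirect where the key, request and certificate are written; the validation above should cover that too. getMachineFQDN continues outside the hunk.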
diff --git a/src/libtdeldap.h b/src/libtdeldap.h
index be3c84a..39ce2b0 100644
--- a/src/libtdeldap.h
+++ b/src/libtdeldap.h
@@ -46,6 +46,8 @@
#define LDAP_CERTKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.key"
#define LDAP_CERTREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.req"
+#define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions"
+
#define DEFAULT_IGNORED_USERS_LIST "avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,haldaemon,hplip,irc,klog,landscape,libuuid,list,lp,mail,man,messagebus,news,ntp,polkituser,postfix,proxy,pulse,root,rtkit,saned,sshd,statd,sync,sys,syslog,timidity,usbmux,uucp,www-data"
// Values from hdb.asn1
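Review bot: OPENSSL_EXTENSIONS_FILE introduces a new on-disk dependency with no comment: the file is passed to `openssl x509 -extfile ... -extensions kdc_cert` in generatePublicKerberosCertificate, so it must exist and contain a `kdc_cert` section or certificate generation fails. A comment on the define such as `// OpenSSL extensions file; must provide a [kdc_cert] section (used by generatePublicKerberosCertificate)` would make that requirement visible to whoever ships the file.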
@@ -297,14 +299,21 @@ class LDAPManager : public TQObject {
LDAPTDEBuiltinsInfo getTDEBuiltinMappings(TQString *errstr=0);
int writeSudoersConfFile(TQString *errstr=0);
int getTDECertificate(TQString certificateName, TQString fileName, TQString *errstr=0);
+ int setPasswordForUser(LDAPUserInfo user, TQString *errstr);
static void writeCronFiles();
static TQString getMachineFQDN();
static void writeLDAPConfFile(LDAPRealmConfig realmcfg);
static void writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config);
+ static LDAPRealmConfigList readTDERealmList(KSimpleConfig* config, bool disableAllBonds=false);
static TQDateTime getCertificateExpiration(TQString certfile);
static int generatePublicKerberosCACertificate(LDAPCertConfig certinfo);
+ static int generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg);
+ static int generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid);
+
+ static TQString ldapdnForRealm(TQString realm);
+ static TQString cnFromDn(TQString dn);
private:
LDAPUserInfo parseLDAPUserRecord(LDAPMessage* entry);
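Review bot: The new `int setPasswordForUser(LDAPUserInfo user, TQString *errstr);` is the only errstr-taking method in this block without a default, while the neighbouring declarations all use `TQString *errstr=0`; for consistency and so callers can omit it, declare it as `int setPasswordForUser(LDAPUserInfo user, TQString *errstr=0);` (the implementation already null-checks errstr). The five new static helpers are added to the public section with no documentation; one line each on what readTDERealmList's disableAllBonds does, what the two certificate generators write and return, and the input/output format of ldapdnForRealm and cnFromDn would help, since the header is what callers read. The rest of the class declaration lies outside the hunk.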