/*************************************************************************** * Copyright (C) 2012-2015 by Timothy Pearson * * kb9vqf@pearsoncomputing.net * * * * This program is free software; you can redistribute it and/or modify * * it under the terms of the GNU General Public License as published by * * the Free Software Foundation; either version 2 of the License, or * * (at your option) any later version. * * * * This program is distributed in the hope that it will be useful, * * but WITHOUT ANY WARRANTY; without even the implied warranty of * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * * GNU General Public License for more details. * * * * You should have received a copy of the GNU General Public License * * along with this program; if not, write to the * * Free Software Foundation, Inc., * * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ***************************************************************************/ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include extern "C" { #include #include #include #include #include #include #include // ======================================================================== // Taken from asn1-common.h and slightly modified for C++ compilability // ======================================================================== #define ASN1_MALLOC_ENCODE_HDB(T, B, BL, S, L, R) \ do { \ (BL) = length_##T((S)); \ (B) = (unsigned char*)malloc((BL)); \ if((B) == NULL) { \ (R) = ENOMEM; \ } else { \ (R) = encode_##T(((unsigned char*)(B)) + (BL) - 1, (BL), \ (S), (L)); \ if((R) != 0) { \ free((B)); \ (B) = NULL; \ } \ } \ } while (0) // ======================================================================== } #include "libtdeldap.h" #include "ldaplogindlg.h" #include "ldappasswddlg.h" #define LDAP_INSECURE_PORT 389 #define LDAP_SECURE_PORT 636 #ifndef KDE_CONFDIR #define KDE_CONFDIR "/etc/trinity" #endif #ifndef KRB5_FILE #define KRB5_FILE "/etc/krb5.conf" #endif //#define KRB5_ANK_RANDOM_PASSWORD_LENGTH 1024 #define KRB5_ANK_RANDOM_PASSWORD_LENGTH 512 #define NSSWITCH_FILE "/etc/nsswitch.conf" #define PAMD_DIRECTORY "/etc/pam.d/" #define PAMD_COMMON_ACCOUNT "common-account" #define PAMD_COMMON_AUTH "common-auth" #define PAMD_COMMON_SESSION "common-session" #define PAMD_PKCS11_CONFIG_DIRECTORY "/etc/pam_pkcs11/" #define PAMD_PKCS11_CONFIG_FILE "pam_pkcs11.conf" #define PAMD_PKCS11_CERT_REHASH_COMMAND "pkcs11_make_hash_link" #define LDAP_FILE "/etc/ldap/ldap.conf" #define LDAP_SECONDARY_FILE "/etc/ldap.conf" #define LDAP_TERTIARY_FILE "/etc/libnss-ldap.conf" #define TDELDAP_SUDO_D_FILE "/etc/sudoers.d/tde-realm-admins" #define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db" #define CRON_UPDATE_NSS_COMMAND "/usr/sbin/nss_updatedb ldap" #ifndef SYSTEM_CA_STORE_CERT_LOCATION #define SYSTEM_CA_STORE_CERT_LOCATION "/usr/local/share/ca-certificates/" #endif #ifndef SYSTEM_CA_STORE_REGENERATE_COMMAND #define SYSTEM_CA_STORE_REGENERATE_COMMAND "update-ca-certificates" #endif #ifndef CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_OPENLDAP_RELOAD_COMMAND #define CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_OPENLDAP_RELOAD_COMMAND "/etc/init.d/slapd force-reload" #endif int requested_ldap_version = LDAP_VERSION3; char* ldap_user_and_operational_attributes[2] = {"*", "+"}; enum ErrorCauseLocation { ERRORCAUSE_LOCATION_BIND = 0 }; bool fileExists(const char* filename) { struct stat sts; if (stat(filename, &sts) == -1 && errno == ENOENT) { return false; } else { return true; } } static kadm5_ret_t kadm5_get_default_principal_info(krb5_context context, void* handle, krb5_principal princ, kadm5_principal_ent_t def) { kadm5_ret_t ret; krb5_principal def_principal; krb5_const_realm realm = krb5_principal_get_realm(context, princ); ret = krb5_make_principal(context, &def_principal, realm, "default", NULL); if (ret) { return ret; } ret = kadm5_get_principal(handle, def_principal, def, KADM5_PRINCIPAL_NORMAL_MASK); krb5_free_principal(context, def_principal); return ret; } LDAPManager::LDAPManager(TQString realm, TQString host, TQObject *parent, const char *name) : TQObject(parent, name), m_realm(realm), m_host(host), m_port(0), m_creds(0), m_ldap(0), m_krb5admHandle(0), m_krb5admKeytabFilename(0), m_krb5admRealmName(0) { TQStringList domainChunks = TQStringList::split(".", realm.lower()); m_basedc = "dc=" + domainChunks.join(",dc="); } LDAPManager::LDAPManager(TQString realm, TQString host, LDAPCredentials* creds, TQObject *parent, const char *name) : TQObject(parent, name), m_realm(realm), m_host(host), m_port(0), m_creds(creds), m_ldap(0), m_krb5admHandle(0), m_krb5admKeytabFilename(0), m_krb5admRealmName(0) { TQStringList domainChunks = TQStringList::split(".", realm.lower()); m_basedc = "dc=" + domainChunks.join(",dc="); } LDAPManager::~LDAPManager() { unbind(true); } TQString LDAPManager::detailedKAdminErrorMessage(TQString initialMessage) { if (initialMessage.contains("Looping detected inside krb5_get_in_tkt")) { initialMessage.append("

").append(i18n("Potential causes")).append(":
").append(i18n(" * Invalid credentials")).append("
").append(i18n(" * Clock skew between the realm's KDC and this machine")).append("
").append(i18n(" * Inability to negotiate a compatible encryption type with the realm's KDC")).append("
").append(i18n(" * No connectivity to the realm's KDC")); } return initialMessage; } TQString LDAPManager::ldapdnForRealm(TQString realm) { TQStringList domainChunks = TQStringList::split(".", realm.lower()); TQString basedc = "dc=" + domainChunks.join(",dc="); return basedc; } TQString LDAPManager::openssldcForRealm(TQString realm) { TQStringList reversedDomainChunks; TQStringList domainChunks = TQStringList::split(".", realm.lower()); for (TQStringList::Iterator it = domainChunks.begin(); it != domainChunks.end(); it++) { reversedDomainChunks.prepend(*it); } TQString basedc = "DC=" + reversedDomainChunks.join("/DC="); basedc = "/" + basedc; return basedc; } TQString LDAPManager::cnFromDn(TQString dn) { int eqpos = dn.find("=")+1; int cmpos = dn.find(",", eqpos); if ((eqpos < 0) || (cmpos < 0)) { return dn; } dn.truncate(cmpos); dn.remove(0, eqpos); return dn; } TQString LDAPManager::basedn() { return m_basedc; } TQString LDAPManager::realm() { return m_realm; } LDAPCredentials LDAPManager::currentLDAPCredentials(bool inferGSSAPIData) { if (m_creds) { if (inferGSSAPIData) { LDAPCredentials credentials = *m_creds; if ((credentials.username == "") && (credentials.password == "")) { // Probably GSSAPI // Get active ticket principal... KerberosTicketInfoList tickets = LDAPManager::getKerberosTicketList(); TQStringList principalParts = TQStringList::split("@", tickets[0].cachePrincipal, false); credentials.username = principalParts[0]; credentials.realm = principalParts[1]; credentials.use_gssapi = true; } return credentials; } else { return *m_creds; } } else { return LDAPCredentials(); } } TQString ldapLikelyErrorCause(int errcode, int location) { TQString ret; if (location == ERRORCAUSE_LOCATION_BIND) { if (errcode == LDAP_SERVER_DOWN) { ret = " * LDAP server down
* Invalid LDAP Certificate Authority file on client"; } if (LDAP_NAME_ERROR(errcode)) { ret = "Unknown user name or incorrect user name format"; } } if (ret != "") { if (ret.contains("
")) { ret.prepend("

" + i18n("Potential causes") + ":
"); } else { ret.prepend("

" + i18n("Potential cause") + ":
"); } } return ret; } int sasl_bind_interact_callback(LDAP* ld, unsigned flags, void* defaults, void* sasl_interaction_struct) { // FIXME // This currently does nothing and hopes for the best! // sasl_interact* sasl_struct = (sasl_interact*)sasl_interaction_struct; return LDAP_SUCCESS; } int LDAPManager::bind(TQString* errstr) { if (m_ldap) { return 0; } KerberosTicketInfoList m_krbTickets = LDAPManager::getKerberosTicketList(); bool using_ldapi = false; if (m_host.startsWith("ldapi://")) { using_ldapi = true; } bool havepass = false; if (m_creds || using_ldapi) { havepass = true; } else { LDAPPasswordDialog passdlg(0, 0, (m_krbTickets.count() > 0), false); passdlg.m_base->ldapAdminRealm->setEnabled(false); passdlg.m_base->ldapAdminRealm->insertItem(m_realm); passdlg.m_base->ldapUseTLS->setChecked(true); if (passdlg.exec() == TQDialog::Accepted) { havepass = true; if (!m_creds) { m_creds = new LDAPCredentials(); m_creds->username = passdlg.m_base->ldapAdminUsername->text(); m_creds->password = passdlg.m_base->ldapAdminPassword->password(); m_creds->realm = passdlg.m_base->ldapAdminRealm->currentText(); m_creds->use_tls = passdlg.m_base->ldapUseTLS->isOn(); m_creds->use_gssapi = passdlg.use_gssapi; } } else { return -1; } } TQString uri; if (m_host.contains("://")) { uri = m_host; if (!m_creds) { m_creds = new LDAPCredentials(); m_creds->username = ""; m_creds->password = ""; m_creds->realm = m_realm; } } else { if (m_creds->use_tls) { m_port = LDAP_SECURE_PORT; uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port); } else { m_port = LDAP_INSECURE_PORT; uri = TQString("ldap://%1:%2").arg(m_host).arg(m_port); } } int retcode = ldap_initialize(&m_ldap, uri.ascii()); if (retcode < 0) { if (errstr) *errstr = i18n("Unable to connect to LDAP server %1 on port %2

Reason: [%3] %4%5").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)).arg(ldapLikelyErrorCause(retcode, ERRORCAUSE_LOCATION_BIND)); else KMessageBox::error(0, i18n("Unable to connect to LDAP server %1 on port %2

Reason: [%3] %4%5").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)).arg(ldapLikelyErrorCause(retcode, ERRORCAUSE_LOCATION_BIND)), i18n("Unable to connect to server!")); return -1; } retcode = ldap_set_option(m_ldap, LDAP_OPT_PROTOCOL_VERSION, &requested_ldap_version); if (retcode != LDAP_OPT_SUCCESS) { if (errstr) *errstr = i18n("Unable to connect to LDAP server %1 on port %2

Reason: [%3] %4%5").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)).arg(ldapLikelyErrorCause(retcode, ERRORCAUSE_LOCATION_BIND)); else KMessageBox::error(0, i18n("Unable to connect to LDAP server %1 on port %2

Reason: [%3] %4%5").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)).arg(ldapLikelyErrorCause(retcode, ERRORCAUSE_LOCATION_BIND)), i18n("Unable to connect to server!")); return -1; } TQString errorString; if (havepass == true) { char* mechanism = NULL; struct berval cred; TQString ldap_dn = m_creds->username; TQCString pass = m_creds->password.utf8(); cred.bv_val = pass.data(); cred.bv_len = pass.length(); if ((!using_ldapi && !m_creds->use_gssapi)) { if (!ldap_dn.contains(",")) { // Look for a POSIX account with anonymous bind and the specified account name TQString uri; LDAP* ldapconn; if (m_host.contains("://")) { uri = m_host; } else { if (m_creds->use_tls) { m_port = LDAP_SECURE_PORT; uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port); } else { m_port = LDAP_INSECURE_PORT; uri = TQString("ldap://%1:%2").arg(m_host).arg(m_port); } } int retcode = ldap_initialize(&ldapconn, uri.ascii()); if (retcode < 0) { if (errstr) *errstr = i18n("Unable to connect to LDAP server %1 on port %2

Reason: [%3] %4").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("Unable to connect to LDAP server %1 on port %2

Reason: [%3] %4").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)), i18n("Unable to connect to server!")); return -1; } retcode = ldap_set_option(ldapconn, LDAP_OPT_PROTOCOL_VERSION, &requested_ldap_version); if (retcode != LDAP_OPT_SUCCESS) { if (errstr) *errstr = i18n("Unable to connect to LDAP server %1 on port %2

Reason: [%3] %4").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("Unable to connect to LDAP server %1 on port %2

Reason: [%3] %4").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)), i18n("Unable to connect to server!")); return -1; } struct berval anoncred; TQCString anonpass = ""; anoncred.bv_val = anonpass.data(); anoncred.bv_len = anonpass.length(); retcode = ldap_sasl_bind_s(ldapconn, "", mechanism, &anoncred, NULL, NULL, NULL); if (retcode == LDAP_SUCCESS ) { // Look for the DN for the specified user LDAPMessage* msg; TQString ldap_base_dn = m_basedc; TQString ldap_filter = TQString("(&(objectclass=posixAccount)(uid=%1))").arg(m_creds->username); retcode = ldap_search_ext_s(ldapconn, ldap_base_dn.ascii(), LDAP_SCOPE_SUBTREE, ldap_filter.ascii(), NULL, 0, NULL, NULL, NULL, 0, &msg); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } else { // Iterate through the returned entries char* dn = NULL; LDAPMessage* entry; for(entry = ldap_first_entry(ldapconn, msg); entry != NULL; entry = ldap_next_entry(ldapconn, entry)) { if((dn = ldap_get_dn(ldapconn, entry)) != NULL) { ldap_dn = dn; ldap_memfree(dn); } } } // Clean up ldap_msgfree(msg); // All done! ldap_unbind_ext_s(ldapconn, NULL, NULL); } else { // Clean up ldap_unbind_ext_s(ldapconn, NULL, NULL); } } } if (m_creds->use_gssapi) { #if LDAP_VENDOR_VERSION < 20425 retcode = ldap_sasl_interactive_bind_s(m_ldap, "", "GSSAPI", NULL, NULL, LDAP_SASL_AUTOMATIC, sasl_bind_interact_callback, NULL); #else // LDAP_VENDOR_VERSION const char* rmech = NULL; LDAPMessage* result = NULL; int msgid; retcode = LDAP_SASL_BIND_IN_PROGRESS; while (retcode == LDAP_SASL_BIND_IN_PROGRESS) { retcode = ldap_sasl_interactive_bind(m_ldap, "", "GSSAPI", NULL, NULL, LDAP_SASL_AUTOMATIC, sasl_bind_interact_callback, NULL, result, &rmech, &msgid); ldap_msgfree(result); if (retcode != LDAP_SASL_BIND_IN_PROGRESS) { break; } if ((ldap_result(m_ldap, msgid, LDAP_MSG_ALL, NULL, &result) == -1) || (!result)) { retcode = LDAP_INVALID_CREDENTIALS; } } if (retcode == LDAP_SUCCESS) { if (m_creds->username == "") { char* sasluser; ldap_get_option(m_ldap, LDAP_OPT_X_SASL_USERNAME, &sasluser); if (sasluser) { TQStringList principalParts = TQStringList::split("@", TQString(sasluser), false); m_creds->username = principalParts[0]; m_creds->realm = principalParts[1]; ldap_memfree(sasluser); } } } #endif // LDAP_VENDOR_VERSION } else { retcode = ldap_sasl_bind_s(m_ldap, ldap_dn.ascii(), mechanism, &cred, NULL, NULL, NULL); } if (retcode != LDAP_SUCCESS ) { if (errstr) *errstr = i18n("Unable to connect to LDAP server %1 on port %2

Reason: [%3] %4%5").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)).arg(ldapLikelyErrorCause(retcode, ERRORCAUSE_LOCATION_BIND)); else KMessageBox::error(0, i18n("Unable to connect to LDAP server %1 on port %2

Reason: [%3] %4%5").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)).arg(ldapLikelyErrorCause(retcode, ERRORCAUSE_LOCATION_BIND)), i18n("Unable to connect to server!")); return -1; } return 0; } else { return -2; } return -3; } int LDAPManager::unbind(bool force, TQString* errstr) { if (m_krb5admHandle) { unbindKAdmin(); } if (!m_ldap) { return 0; } int retcode = ldap_unbind_ext_s(m_ldap, NULL, NULL); if ((retcode < 0) && (force == false)) { if (errstr) *errstr = i18n("Unable to disconnect from LDAP server %1 on port %2

Reason: [%3] %4").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("Unable to disconnect from LDAP server %1 on port %2

Reason: [%3] %4").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)), i18n("Unable to disconnect from server!")); return retcode; } else { m_ldap = 0; } return retcode; } LDAPUserInfo LDAPManager::parseLDAPUserRecord(LDAPMessage* entry) { int i; char* dn = NULL; char* attr; struct berval **vals; BerElement* ber; LDAPUserInfo userinfo; if((dn = ldap_get_dn(m_ldap, entry)) != NULL) { userinfo.distinguishedName = dn; TQStringList dnParts = TQStringList::split(",", dn); TQString id = dnParts[0]; if (id.startsWith("uid=")) { id = id.remove(0, 4); userinfo.name = id; } ldap_memfree(dn); } for( attr = ldap_first_attribute(m_ldap, entry, &ber); attr != NULL; attr = ldap_next_attribute(m_ldap, entry, ber)) { if ((vals = ldap_get_values_len(m_ldap, entry, attr)) != NULL) { userinfo.informationValid = true; TQString ldap_field = attr; i=0; if (ldap_field == "creatorsName") { userinfo.creatorsName = vals[i]->bv_val; } else if (ldap_field == "uidNumber") { userinfo.uid = atoi(vals[i]->bv_val); } else if (ldap_field == "loginShell") { userinfo.shell = vals[i]->bv_val; } else if (ldap_field == "homeDirectory") { userinfo.homedir = vals[i]->bv_val; } else if (ldap_field == "gidNumber") { userinfo.primary_gid = atoi(vals[i]->bv_val); } else if (ldap_field == "tdeBuiltinAccount") { userinfo.tde_builtin_account = (TQString(vals[i]->bv_val).upper() == "TRUE")?true:false; } else if (ldap_field == "krb5KDCFlags") { userinfo.status = (LDAPKRB5Flags)(atoi(vals[i]->bv_val)); } else if (ldap_field == "createTimestamp") { // YYYYMMDD000000Z TQString formattedDate = vals[i]->bv_val; formattedDate.insert(4,"-"); formattedDate.insert(7,"-"); formattedDate.insert(10,"T"); formattedDate.insert(13,":"); formattedDate.insert(16,":"); formattedDate.remove(19, 1); userinfo.account_created = TQDateTime::fromString(formattedDate, TQt::ISODate); } else if (ldap_field == "modifyTimestamp") { // YYYYMMDD000000Z TQString formattedDate = vals[i]->bv_val; formattedDate.insert(4,"-"); formattedDate.insert(7,"-"); formattedDate.insert(10,"T"); formattedDate.insert(13,":"); formattedDate.insert(16,":"); formattedDate.remove(19, 1); userinfo.account_modified = TQDateTime::fromString(formattedDate, TQt::ISODate); } // FIXME // These two attributes do not seem to be available with a Heimdal KDC // userinfo.password_last_changed = vals[i]->bv_val; // userinfo.password_expires = vals[i]->bv_val; else if (ldap_field == "krb5PasswordEnd") { // YYYYMMDD000000Z TQString formattedDate = vals[i]->bv_val; formattedDate.insert(4,"-"); formattedDate.insert(7,"-"); formattedDate.insert(10,"T"); formattedDate.insert(13,":"); formattedDate.insert(16,":"); formattedDate.remove(19, 1); userinfo.password_expiration = TQDateTime::fromString(formattedDate, TQt::ISODate); } // FIXME // These six(!) attributes do not seem to be available with a Heimdal KDC // userinfo.password_ages = vals[i]->bv_val; // userinfo.new_password_interval = vals[i]->bv_val; // userinfo.new_password_warn_interval = vals[i]->bv_val; // userinfo.new_password_lockout_delay = vals[i]->bv_val; // userinfo.password_has_minimum_age = vals[i]->bv_val; // userinfo.password_minimum_age = vals[i]->bv_val; else if (ldap_field == "krb5MaxLife") { // units: hours userinfo.maximum_ticket_lifetime = atoi(vals[i]->bv_val); } else if (ldap_field == "cn") { userinfo.commonName = vals[i]->bv_val; } else if (ldap_field == "givenName") { userinfo.givenName = vals[i]->bv_val; } else if (ldap_field == "sn") { userinfo.surName = vals[i]->bv_val; } else if (ldap_field == "initials") { userinfo.initials = vals[i]->bv_val; } else if (ldap_field == "title") { userinfo.title = vals[i]->bv_val; } else if (ldap_field == "mail") { userinfo.email = vals[i]->bv_val; } else if (ldap_field == "description") { userinfo.description = vals[i]->bv_val; } else if (ldap_field == "l") { userinfo.locality = vals[i]->bv_val; } else if (ldap_field == "telephoneNumber") { userinfo.telephoneNumber = vals[i]->bv_val; } else if (ldap_field == "facsimileTelephoneNumber") { userinfo.faxNumber = vals[i]->bv_val; } else if (ldap_field == "homePhone") { userinfo.homePhone = vals[i]->bv_val; } else if (ldap_field == "mobile") { userinfo.mobilePhone = vals[i]->bv_val; } else if (ldap_field == "pager") { userinfo.pagerNumber = vals[i]->bv_val; } else if (ldap_field == "websiteURL") { userinfo.website = vals[i]->bv_val; } else if (ldap_field == "postOfficeBox") { userinfo.poBox = vals[i]->bv_val; } else if (ldap_field == "street") { userinfo.street = vals[i]->bv_val; } else if (ldap_field == "postalAddress") { userinfo.address = vals[i]->bv_val; } else if (ldap_field == "st") { userinfo.state = vals[i]->bv_val; } else if (ldap_field == "postalCode") { userinfo.postcode = vals[i]->bv_val; } else if (ldap_field == "registeredAddress") { userinfo.registeredAddress = vals[i]->bv_val; } else if (ldap_field == "homePostalAddress") { userinfo.homeAddress = vals[i]->bv_val; } else if (ldap_field == "seeAlso") { userinfo.seeAlso = vals[i]->bv_val; } else if (ldap_field == "physicalDeliveryOfficeName") { userinfo.deliveryOffice = vals[i]->bv_val; } else if (ldap_field == "departmentNumber") { userinfo.department = vals[i]->bv_val; } else if (ldap_field == "roomNumber") { userinfo.roomNumber = vals[i]->bv_val; } else if (ldap_field == "employeeType") { userinfo.employeeType = vals[i]->bv_val; } else if (ldap_field == "employeeNumber") { userinfo.employeeNumber = vals[i]->bv_val; } else if (ldap_field == "managerName") { userinfo.manager = vals[i]->bv_val; } else if (ldap_field == "secretaryName") { userinfo.secretary = vals[i]->bv_val; } else if (ldap_field == "internationaliSDNNumber") { userinfo.isdnNumber = vals[i]->bv_val; } else if (ldap_field == "teletexId") { userinfo.teletexID = vals[i]->bv_val; } else if (ldap_field == "telexNumber") { userinfo.telexNumber = vals[i]->bv_val; } else if (ldap_field == "preferredDelivery") { userinfo.preferredDelivery = vals[i]->bv_val; } else if (ldap_field == "destinationIndicator") { userinfo.destinationIndicator = vals[i]->bv_val; } else if (ldap_field == "x121Address") { userinfo.x121Address = vals[i]->bv_val; } else if (ldap_field == "displayName") { userinfo.displayName = vals[i]->bv_val; } else if (ldap_field == "preferredLanguage") { userinfo.preferredLanguage = vals[i]->bv_val; } else if (ldap_field == "locallyUniqueID") { userinfo.uniqueIdentifier = vals[i]->bv_val; } else if (ldap_field == "businessCategory") { userinfo.businessCategory = vals[i]->bv_val; } else if (ldap_field == "carLicense") { userinfo.carLicense = vals[i]->bv_val; } else if (ldap_field == "notes") { userinfo.notes = vals[i]->bv_val; } else if (ldap_field == "pkiCertificate") { int cert_count = ldap_count_values_len(vals); for (i=0; ibv_val, vals[i]->bv_len); TQDataStream stream(ba, IO_ReadOnly); stream.setPrintableData(true); stream >> entry; // Append entry to list userinfo.pkiCertificates.append(entry); } } ldap_value_free_len(vals); } ldap_memfree(attr); } if (ber != NULL) { ber_free(ber, 0); } return userinfo; } LDAPUserInfoList LDAPManager::users(int* mretcode, TQString *errstr) { int retcode; int errcode; LDAPUserInfoList users; if (bind() < 0) { if (mretcode) *mretcode = -1; return LDAPUserInfoList(); } else { LDAPMessage* msg; TQString ldap_base_dn = m_basedc; TQString ldap_filter = "(objectClass=posixAccount)"; retcode = ldap_search_ext_s(m_ldap, ldap_base_dn.ascii(), LDAP_SCOPE_SUBTREE, ldap_filter.ascii(), ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if ((retcode != LDAP_SUCCESS) && (retcode != LDAP_SIZELIMIT_EXCEEDED)) { if (errstr) { *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } if (mretcode) *mretcode = -1; return LDAPUserInfoList(); } else if (retcode == LDAP_SUCCESS) { // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { users.append(parseLDAPUserRecord(entry)); } // Clean up ldap_msgfree(msg); if (mretcode) *mretcode = 0; return users; } else if (retcode == LDAP_SIZELIMIT_EXCEEDED) { // Try paged access bool morePages = false; unsigned long pageSize = 100; struct berval cookie = {0, NULL}; char pagingCriticality = 'T'; LDAPControl* pageControl = NULL; LDAPControl* serverControls[2] = { NULL, NULL }; LDAPControl** returnedControls = NULL; do { retcode = ldap_create_page_control(m_ldap, pageSize, &cookie, pagingCriticality, &pageControl); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } if (mretcode) *mretcode = -1; return LDAPUserInfoList(); } serverControls[0] = pageControl; retcode = ldap_search_ext_s(m_ldap, ldap_base_dn.ascii(), LDAP_SCOPE_SUBTREE, ldap_filter.ascii(), ldap_user_and_operational_attributes, 0, serverControls, NULL, NULL, 0, &msg); if ((retcode != LDAP_SUCCESS) && (retcode != LDAP_PARTIAL_RESULTS)) { if (errstr) { *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } if (mretcode) *mretcode = -1; return LDAPUserInfoList(); } retcode = ldap_parse_result(m_ldap, msg, &errcode, NULL, NULL, NULL, &returnedControls, false); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } if (mretcode) *mretcode = -1; return LDAPUserInfoList(); } if (cookie.bv_val != NULL) { ber_memfree(cookie.bv_val); cookie.bv_val = NULL; cookie.bv_len = 0; } if (!!returnedControls) { retcode = ldap_parse_pageresponse_control(m_ldap, returnedControls[0], NULL, &cookie); morePages = (cookie.bv_val && (strlen(cookie.bv_val) > 0)); } else { morePages = false; } if (returnedControls != NULL) { ldap_controls_free(returnedControls); returnedControls = NULL; } serverControls[0] = NULL; ldap_control_free(pageControl); pageControl = NULL; // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { users.append(parseLDAPUserRecord(entry)); } // Clean up ldap_msgfree(msg); } while (morePages); if (mretcode) *mretcode = 0; return users; } } return LDAPUserInfoList(); } LDAPUserInfo LDAPManager::getUserByDistinguishedName(TQString dn) { int retcode; LDAPUserInfo userinfo; if (bind() < 0) { return LDAPUserInfo(); } else { LDAPMessage* msg; retcode = ldap_search_ext_s(m_ldap, dn.ascii(), LDAP_SCOPE_SUBTREE, NULL, ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if (retcode != LDAP_SUCCESS) { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return LDAPUserInfo(); } // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { userinfo = parseLDAPUserRecord(entry); } // Clean up ldap_msgfree(msg); return userinfo; } return LDAPUserInfo(); } LDAPGroupInfo LDAPManager::getGroupByDistinguishedName(TQString dn, TQString *errstr) { int retcode; LDAPGroupInfo groupinfo; if (bind(errstr) < 0) { return LDAPGroupInfo(); } else { LDAPMessage* msg; retcode = ldap_search_ext_s(m_ldap, dn.ascii(), LDAP_SCOPE_SUBTREE, NULL, ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return LDAPGroupInfo(); } // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { groupinfo = parseLDAPGroupRecord(entry); } // Clean up ldap_msgfree(msg); return groupinfo; } return LDAPGroupInfo(); } void create_single_attribute_operation(LDAPMod **mods, int *i, TQString attr, TQString value) { if (value != "") { char **values = (char**)malloc(2*sizeof(char*)); values[0] = strdup(value.ascii()); values[1] = NULL; mods[*i]->mod_op = LDAP_MOD_ADD; mods[*i]->mod_type = strdup(attr.ascii()); mods[*i]->mod_values = values; (*i)++; } } void create_multiple_attributes_operation(LDAPMod **mods, int *i, TQString attr, TQStringList strings) { int j=0; char **values = (char**)malloc((strings.count()+1)*sizeof(char*)); for ( TQStringList::Iterator it = strings.begin(); it != strings.end(); ++it ) { if ((*it) != "") { values[j] = strdup((*it).ascii()); j++; } } values[j] = NULL; mods[*i]->mod_op = LDAP_MOD_ADD; mods[*i]->mod_type = strdup(attr.ascii()); mods[*i]->mod_values = values; (*i)++; } void add_single_attribute_operation(LDAPMod **mods, int *i, TQString attr, TQString value) { if (value != "") { char **values = (char**)malloc(2*sizeof(char*)); values[0] = strdup(value.ascii()); values[1] = NULL; mods[*i]->mod_op = LDAP_MOD_REPLACE; mods[*i]->mod_type = strdup(attr.ascii()); mods[*i]->mod_values = values; (*i)++; } else { char **values = (char**)malloc(sizeof(char*)); values[0] = NULL; mods[*i]->mod_op = LDAP_MOD_REPLACE; mods[*i]->mod_type = strdup(attr.ascii()); mods[*i]->mod_values = values; (*i)++; } } void add_single_binary_attribute_operation(LDAPMod **mods, int *i, TQString attr, TQByteArray &ba) { if (ba.size() > 0) { struct berval **values = (berval**)malloc(2*sizeof(berval*)); values[0] = new berval; values[0]->bv_len = ba.size(); values[0]->bv_val = ba.data(); values[1] = NULL; mods[*i]->mod_op = LDAP_MOD_REPLACE|LDAP_MOD_BVALUES; mods[*i]->mod_type = strdup(attr.ascii()); mods[*i]->mod_bvalues = values; (*i)++; } } void add_multiple_attributes_operation(LDAPMod **mods, int *i, TQString attr, TQStringList strings) { int j=0; char **values = (char**)malloc((strings.count()+1)*sizeof(char*)); for ( TQStringList::Iterator it = strings.begin(); it != strings.end(); ++it ) { if ((*it) != "") { values[j] = strdup((*it).ascii()); j++; } } values[j] = NULL; mods[*i]->mod_op = LDAP_MOD_REPLACE; mods[*i]->mod_type = strdup(attr.ascii()); mods[*i]->mod_values = values; (*i)++; } void add_multiple_binary_attributes_operation(LDAPMod **mods, int *i, TQString attr, TQByteArrayList byteArrays) { int j=0; struct berval **values = (berval**)malloc((byteArrays.count()+1)*sizeof(berval*)); for ( TQByteArrayList::Iterator it = byteArrays.begin(); it != byteArrays.end(); ++it ) { if ((*it).size() > 0) { values[j] = new berval; values[j]->bv_len = (*it).size(); values[j]->bv_val = (*it).data(); j++; } } values[j] = NULL; mods[*i]->mod_op = LDAP_MOD_REPLACE|LDAP_MOD_BVALUES; mods[*i]->mod_type = strdup(attr.ascii()); mods[*i]->mod_bvalues = values; (*i)++; } void delete_single_attribute_operation(LDAPMod **mods, int *i, TQString attr) { mods[*i]->mod_op = LDAP_MOD_DELETE; mods[*i]->mod_type = strdup(attr.ascii()); (*i)++; } void set_up_attribute_operations(LDAPMod **mods, int number_of_parameters) { int i; for (i=0;imod_type = NULL; mods[i]->mod_values = NULL; } mods[number_of_parameters] = NULL; } void clean_up_attribute_operations(int i, LDAPMod **mods, LDAPMod *prevterm, int number_of_parameters) { mods[i] = prevterm; for (i=0;imod_type != NULL) { free(mods[i]->mod_type); } if (mods[i]->mod_values != NULL) { int j = 0; while (mods[i]->mod_values[j] != NULL) { free(mods[i]->mod_values[j]); j++; } free(mods[i]->mod_values); } delete mods[i]; } } int LDAPManager::updateUserInfo(LDAPUserInfo user, TQString *errstr) { int retcode; int i; LDAPUserInfo userinfo; if (bind() < 0) { return -1; } else { // Create certificate ACL extension data TQString pkinit_acl_subject = TQString::null; PKICertificateEntryList::Iterator it; for (it = user.pkiCertificates.begin(); it != user.pkiCertificates.end(); ++it) { PKICertificateEntry certificateData = *it; TQCString ssldata(certificateData.second); ssldata[certificateData.second.size()] = 0; ssldata.replace("-----BEGIN CERTIFICATE-----", ""); ssldata.replace("-----END CERTIFICATE-----", ""); ssldata.replace("\n", ""); KSSLCertificate* cert = KSSLCertificate::fromString(ssldata); if (cert) { bool expired = false; if (TQDateTime::currentDateTime(Qt::UTC) > cert->getQDTNotAfter()) { expired = true; } if ((certificateData.first == PKICertificateStatus::Revoked) || expired) { continue; } else { // NOTE // At this time Heimdal only appears to support one certificate ACL string // Use the last valid certificate subject when creating that string TQStringList reversedSubjectChunks; TQStringList subjectChunks = TQStringList::split("/", cert->getSubject()); for (TQStringList::Iterator it = subjectChunks.begin(); it != subjectChunks.end(); it++) { reversedSubjectChunks.prepend(*it); } pkinit_acl_subject = reversedSubjectChunks.join(","); } } } TQByteArray acl_asn1_data; if (pkinit_acl_subject != "") { #if HDB_INTERFACE_VERSION > 4 krb5_error_code krb5_ret; HDB_extension extended_attributes; memset(&extended_attributes, 0, sizeof(extended_attributes)); extended_attributes.mandatory = true; extended_attributes.data.element = HDB_extension::HDB_extension_data::choice_HDB_extension_data_pkinit_acl; HDB_Ext_PKINIT_acl* pkinit_acl = &extended_attributes.data.u.pkinit_acl; pkinit_acl->val = (HDB_Ext_PKINIT_acl::HDB_Ext_PKINIT_acl_val*)malloc(sizeof(pkinit_acl->val[0])); pkinit_acl->len = 1; pkinit_acl->val->subject = const_cast(pkinit_acl_subject.ascii()); pkinit_acl->val->issuer = NULL; pkinit_acl->val->anchor = NULL; unsigned char *asn1_encoding_buf; size_t initial_size = 0; size_t resultant_size = 0; ASN1_MALLOC_ENCODE_HDB(HDB_extension, asn1_encoding_buf, initial_size, &extended_attributes, &resultant_size, krb5_ret); if (initial_size == resultant_size) { acl_asn1_data.resize(resultant_size); memcpy(acl_asn1_data.data(), asn1_encoding_buf, resultant_size); } free(pkinit_acl->val); free(asn1_encoding_buf); #endif } // Assemble the LDAPMod structure // We will replace any existing attributes with the new values int number_of_parameters = 49; // 49 primary attributes LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load LDAP modification requests from provided data structure i=0; add_single_attribute_operation(mods, &i, "uidNumber", TQString("%1").arg(user.uid)); add_single_attribute_operation(mods, &i, "loginShell", user.shell); add_single_attribute_operation(mods, &i, "homeDirectory", user.homedir); add_single_attribute_operation(mods, &i, "userPassword", "{SASL}" + user.name + "@" + m_realm.upper()); add_single_attribute_operation(mods, &i, "gidNumber", TQString("%1").arg(user.primary_gid)); add_single_attribute_operation(mods, &i, "krb5KDCFlags", TQString("%1").arg(user.status)); // Default active user is 586 [KRB5_ACTIVE_DEFAULT] and locked out user is 7586 [KRB5_DISABLED_ACCOUNT] // add_single_attribute_operation(mods, &i, "", user.password_expires); // add_single_attribute_operation(mods, &i, "", user.password_expiration); // add_single_attribute_operation(mods, &i, "", user.password_ages); // add_single_attribute_operation(mods, &i, "", user.new_password_interval); // add_single_attribute_operation(mods, &i, "", user.new_password_warn_interval); // add_single_attribute_operation(mods, &i, "", user.new_password_lockout_delay); // add_single_attribute_operation(mods, &i, "", user.password_has_minimum_age); // add_single_attribute_operation(mods, &i, "", user.password_minimum_age); add_single_attribute_operation(mods, &i, "krb5MaxLife", TQString("%1").arg(user.maximum_ticket_lifetime)); add_single_attribute_operation(mods, &i, "cn", user.commonName); add_single_attribute_operation(mods, &i, "givenName", user.givenName); add_single_attribute_operation(mods, &i, "sn", user.surName); add_single_attribute_operation(mods, &i, "initials", user.initials); add_single_attribute_operation(mods, &i, "title", user.title); add_single_attribute_operation(mods, &i, "mail", user.email); add_single_attribute_operation(mods, &i, "description", user.description); add_single_attribute_operation(mods, &i, "l", user.locality); add_single_attribute_operation(mods, &i, "telephoneNumber", user.telephoneNumber); add_single_attribute_operation(mods, &i, "facsimileTelephoneNumber", user.faxNumber); add_single_attribute_operation(mods, &i, "homePhone", user.homePhone); add_single_attribute_operation(mods, &i, "mobile", user.mobilePhone); add_single_attribute_operation(mods, &i, "pager", user.pagerNumber); add_single_attribute_operation(mods, &i, "websiteURL", user.website); add_single_attribute_operation(mods, &i, "postOfficeBox", user.poBox); add_single_attribute_operation(mods, &i, "street", user.street); add_single_attribute_operation(mods, &i, "postalAddress", user.address); add_single_attribute_operation(mods, &i, "st", user.state); add_single_attribute_operation(mods, &i, "postalCode", user.postcode); add_single_attribute_operation(mods, &i, "registeredAddress", user.registeredAddress); add_single_attribute_operation(mods, &i, "homePostalAddress", user.homeAddress); add_single_attribute_operation(mods, &i, "seeAlso", user.seeAlso); add_single_attribute_operation(mods, &i, "physicalDeliveryOfficeName", user.deliveryOffice); add_single_attribute_operation(mods, &i, "departmentNumber", user.department); add_single_attribute_operation(mods, &i, "roomNumber", user.roomNumber); add_single_attribute_operation(mods, &i, "employeeType", user.employeeType); add_single_attribute_operation(mods, &i, "employeeNumber", user.employeeNumber); add_single_attribute_operation(mods, &i, "managerName", user.manager); add_single_attribute_operation(mods, &i, "secretaryName", user.secretary); add_single_attribute_operation(mods, &i, "internationaliSDNNumber", user.isdnNumber); add_single_attribute_operation(mods, &i, "teletexId", user.teletexID); add_single_attribute_operation(mods, &i, "telexNumber", user.telexNumber); add_single_attribute_operation(mods, &i, "preferredDelivery", user.preferredDelivery); add_single_attribute_operation(mods, &i, "destinationIndicator", user.destinationIndicator); add_single_attribute_operation(mods, &i, "x121Address", user.x121Address); add_single_attribute_operation(mods, &i, "displayName", user.displayName); add_single_attribute_operation(mods, &i, "preferredLanguage", user.preferredLanguage); add_single_attribute_operation(mods, &i, "locallyUniqueID", user.uniqueIdentifier); add_single_attribute_operation(mods, &i, "businessCategory", user.businessCategory); add_single_attribute_operation(mods, &i, "carLicense", user.carLicense); add_single_attribute_operation(mods, &i, "notes", user.notes); add_single_binary_attribute_operation(mods, &i, "krb5ExtendedAttributes", acl_asn1_data); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Perform LDAP update retcode = ldap_modify_ext_s(m_ldap, user.distinguishedName.ascii(), mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } return -2; } else { return 0; } } } // FIXME // Convert anything relying on this method to the Heimdal C API TQString LDAPManager::readFullLineFromPtyProcess(PtyProcess* proc) { TQString result = ""; while ((!result.contains("\r")) && (!result.contains(">")) && (!((!result.contains("kinit:")) && (!result.contains("ktutil:")) && result.contains(":"))) && (!((!result.contains("kinit:")) && (!result.contains("ktutil:")) && result.contains("\r"))) ) { result = result + TQString(proc->readLine(false)); tqApp->processEvents(); if (!TQFile::exists(TQString("/proc/%1/exe").arg(proc->pid()))) { result.replace("\n", ""); result.replace("\r", ""); if (result == "") { result = "TDE process terminated"; } break; } } result.replace("\n", ""); result.replace("\r", ""); result.replace("\x20\x08", ""); // Backspace + Space. This one caused all kinds of fun with long distinguished names and/or passwords! return result; } int LDAPManager::bindKAdmin(LDAPCredentials *administrativeCredentials, TQString *errstr) { int retcode = 1; kadm5_ret_t krb5adm_ret; kadm5_config_params params; LDAPCredentials admincreds; if (administrativeCredentials) { admincreds = *administrativeCredentials; } else { admincreds = currentLDAPCredentials(); } if (admincreds.use_gssapi) { // FIXME // Heimdal has issues parsing the keytab file, so for now just prompt for password TQString password; int result = KPasswordDialog::getPassword(password, i18n("Enter password for %1").arg(admincreds.username)); if (result == KPasswordDialog::Accepted) { admincreds.password = password.utf8(); admincreds.use_gssapi = false; } } if ((admincreds.username == "") && (admincreds.password == "")) { // Probably GSSAPI // Get active ticket principal... KerberosTicketInfoList tickets = LDAPManager::getKerberosTicketList(); TQStringList principalParts = TQStringList::split("@", tickets[0].cachePrincipal, false); admincreds.username = principalParts[0]; admincreds.realm = principalParts[1]; admincreds.use_gssapi = true; } bool use_local_socket = false; if (m_host.startsWith("ldapi://")) { use_local_socket = true; } TQString ticketFile; LDAPManager::getKerberosTicketList(TQString::null, &ticketFile); memset(¶ms, 0, sizeof(params)); if (!use_local_socket) { params.mask |= KADM5_CONFIG_REALM; if (m_krb5admRealmName) { free(m_krb5admRealmName); } if (admincreds.realm != "") { m_krb5admRealmName = strdup(admincreds.realm.upper().ascii()); } else { TQString defaultRealm; fetchAndReadTDERealmList(&defaultRealm); m_krb5admRealmName = strdup(defaultRealm.ascii()); } params.realm = m_krb5admRealmName; } TQString adminPrincipal = TQString::null; if (admincreds.username != "") { adminPrincipal = admincreds.username.lower() + "@" + admincreds.realm.upper(); } krb5adm_ret = krb5_init_context(&m_krb5admContext); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute kadm5_init_krb5_context (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } else { if (use_local_socket) { // Local bind // Read KDC configuration files int temp_ret; char **files; char* config_file; temp_ret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(m_krb5admContext)); if (temp_ret == -1) { if (errstr) *errstr = i18n("Out of memory"); } krb5adm_ret = krb5_prepend_config_files_default(config_file, &files); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute krb5_prepend_config_files_default (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } krb5adm_ret = krb5_set_config_files(m_krb5admContext, files); krb5_free_config_files(files); if(krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute krb5_set_config_files (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } // Bypass password quality checks kadm5_setup_passwd_quality_check(m_krb5admContext, NULL, NULL); krb5adm_ret = kadm5_add_passwd_quality_verifier(m_krb5admContext, NULL); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute kadm5_add_passwd_quality_verifier (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } // Initialize context krb5adm_ret = kadm5_s_init_with_password_ctx(m_krb5admContext, KADM5_ADMIN_SERVICE, NULL, KADM5_ADMIN_SERVICE, ¶ms, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, &m_krb5admHandle); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute kadm5_s_init_with_password_ctx (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } } else if (admincreds.use_gssapi) { // Keytab authentication / bind if (m_krb5admKeytabFilename) { free(m_krb5admKeytabFilename); } m_krb5admKeytabFilename = strdup(ticketFile.ascii()); krb5adm_ret = kadm5_init_with_skey_ctx(m_krb5admContext, KADM5_ADMIN_SERVICE, m_krb5admKeytabFilename, KADM5_ADMIN_SERVICE, ¶ms, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, &m_krb5admHandle); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute kadm5_init_with_skey (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } } else { // Password authentication / bind krb5adm_ret = kadm5_init_with_password_ctx(m_krb5admContext, adminPrincipal.ascii(), admincreds.password.utf8().data(), KADM5_ADMIN_SERVICE, ¶ms, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, &m_krb5admHandle); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute kadm5_init_with_password (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } } if (!krb5adm_ret) { // Success! retcode = 0; } } return retcode; } int LDAPManager::unbindKAdmin(TQString *errstr) { if (m_krb5admKeytabFilename) { free(m_krb5admKeytabFilename); m_krb5admKeytabFilename = NULL; } if (m_krb5admRealmName) { free(m_krb5admRealmName); m_krb5admRealmName = NULL; } kadm5_destroy(m_krb5admHandle); krb5_free_context(m_krb5admContext); m_krb5admHandle = NULL; return 0; } int LDAPManager::setPasswordForUser(LDAPUserInfo user, TQString *errstr) { if (user.new_password == "") { return 0; } int retcode; kadm5_ret_t krb5adm_ret; bool kadmin_unbind_needed = false; if (m_krb5admHandle) { retcode = 0; } else { retcode = bindKAdmin(NULL, errstr); kadmin_unbind_needed = true; } if (retcode == 0) { retcode = 1; krb5_principal user_kadm5_principal = NULL; krb5adm_ret = krb5_parse_name(m_krb5admContext, user.name.ascii(), &user_kadm5_principal); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute krb5_parse_name for user '%2' (code %3)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(user.name).arg(krb5adm_ret); } else { krb5adm_ret = kadm5_chpass_principal(m_krb5admHandle, user_kadm5_principal, user.new_password.utf8().data()); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute kadm5_chpass_principal for user '%2' (code %3)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(user.name).arg(krb5adm_ret); } else { // Success! retcode = 0; } // Clean up krb5_free_principal(m_krb5admContext, user_kadm5_principal); } if (kadmin_unbind_needed) { unbindKAdmin(); unbind(true); // Using kadmin can disrupt our LDAP connection } } return retcode; } TQString klistDateTimeToRFCDateTime(TQString datetime) { // HACK HACK HACK // FIXME TQString ret; TQString command = TQString("date -R -d \"%1\"").arg(datetime); FILE *output = popen(command.ascii(), "r"); TQFile f; f.open(IO_ReadOnly, output); TQTextStream stream(&f); ret = stream.readLine(); f.close(); pclose(output); return ret; } #define KLIST_CREDENTIALS_CACHE_STRING "Credentials cache: " #define KLIST_PRINCIPAL_STRING "Principal: " #define KLIST_CACHE_VERSION_STRING "Cache version: " #define KLIST_SERVER_STRING "Server: " #define KLIST_CLIENT_STRING "Client: " #define KLIST_ENCTYPE_STRING "Ticket etype: " #define KLIST_TICKET_LENGTH_STRING "Ticket length: " #define KLIST_AUTHTIME_STRING "Auth time: " #define KLIST_STARTTIME_STRING "Start time: " #define KLIST_STOPTIME_STRING "End time: " #define KLIST_FLAGS_STRING "Ticket flags: " #define KLIST_ADDRESSES_STRING "Ticket flags: " #define KLIST_NO_TICKET_FILE "klist: No ticket file: " #define KLIST_KVNO_STRING "kvno" #define KLIST_ADDRESSLESS_STRING "addressless" #define KLIST_KRB5_TICKET_RESERVED "reserved" #define KLIST_KRB5_TICKET_FORWARDABLE "forwardable" #define KLIST_KRB5_TICKET_FORWARDED "forwarded" #define KLIST_KRB5_TICKET_PROXIABLE "proxiable" #define KLIST_KRB5_TICKET_PROXY "proxy" #define KLIST_KRB5_TICKET_MAY_POSTDATE "may-postdate" #define KLIST_KRB5_TICKET_POSTDATED "postdated" #define KLIST_KRB5_TICKET_INVALID "invalid" #define KLIST_KRB5_TICKET_RENEWABLE "renewable" #define KLIST_KRB5_TICKET_INITIAL "initial" #define KLIST_KRB5_TICKET_PREAUTHENT "pre-authent" #define KLIST_KRB5_TICKET_HW_AUTHENT "hw-authent" #define KLIST_KRB5_TICKET_TRANSIT_CHECKED "transited-policy-checked" #define KLIST_KRB5_TICKET_OK_AS_DELEGATE "ok-as-delegate" #define KLIST_KRB5_TICKET_ANONYMOUS "anonymous" #define KLIST_KRB5_TICKET_ENC_PA_REP "enc-pa-rep" KerberosTicketInfoList LDAPManager::getKerberosTicketList(TQString cache, TQString *cacheFileName) { KerberosTicketInfo ticket; KerberosTicketInfoList list; TQString global_ccache; TQString global_principal; TQString global_cachevers; TQString line; FILE *output; if (cache != "") { output = popen((TQString("klist --cache=%1 -v 2>&1").arg(cache)).ascii(), "r"); } else { output = popen("klist -v 2>&1", "r"); } TQFile f; f.open(IO_ReadOnly, output); TQTextStream stream(&f); while ( !stream.atEnd() ) { line = stream.readLine(); line = line.stripWhiteSpace(); if (line == "") { if (ticket.informationValid) { ticket.cacheURL = global_ccache; ticket.cachePrincipal = global_principal; ticket.cacheVersion = global_cachevers.toInt(); list.append(ticket); } ticket = KerberosTicketInfo(); } else if (line.startsWith(KLIST_NO_TICKET_FILE)) { line.remove(0, strlen(KLIST_NO_TICKET_FILE)); line.prepend("FILE:"); if (cacheFileName) *cacheFileName = line; } else if (line.startsWith(KLIST_CREDENTIALS_CACHE_STRING)) { line.remove(0, strlen(KLIST_CREDENTIALS_CACHE_STRING)); global_ccache = line; if (cacheFileName) *cacheFileName = line; } else if (line.startsWith(KLIST_PRINCIPAL_STRING)) { line.remove(0, strlen(KLIST_PRINCIPAL_STRING)); global_principal = line; } else if (line.startsWith(KLIST_CACHE_VERSION_STRING)) { line.remove(0, strlen(KLIST_CACHE_VERSION_STRING)); global_cachevers = line; } else if (line.startsWith(KLIST_SERVER_STRING)) { line.remove(0, strlen(KLIST_SERVER_STRING)); ticket.serverPrincipal = line; ticket.informationValid = true; } else if (line.startsWith(KLIST_CLIENT_STRING)) { line.remove(0, strlen(KLIST_CLIENT_STRING)); ticket.clientPrincipal = line; ticket.informationValid = true; } else if (line.startsWith(KLIST_ENCTYPE_STRING)) { line.remove(0, strlen(KLIST_ENCTYPE_STRING)); TQString kvno = line; int commaloc = line.find(","); kvno.remove(0, commaloc+1); kvno.replace(KLIST_KVNO_STRING, ""); kvno = kvno.stripWhiteSpace(); line.truncate(commaloc); ticket.encryptionType = line; ticket.keyVersionNumber = kvno.toInt(); ticket.informationValid = true; } else if (line.startsWith(KLIST_TICKET_LENGTH_STRING)) { line.remove(0, strlen(KLIST_TICKET_LENGTH_STRING)); ticket.ticketSize = line.toInt(); ticket.informationValid = true; } else if (line.startsWith(KLIST_AUTHTIME_STRING)) { line.remove(0, strlen(KLIST_AUTHTIME_STRING)); line.replace("(expired)", ""); line = line.simplifyWhiteSpace(); line = klistDateTimeToRFCDateTime(line); ticket.authenticationTime.setTime_t(KRFCDate::parseDate(line)); ticket.informationValid = true; } else if (line.startsWith(KLIST_STARTTIME_STRING)) { line.remove(0, strlen(KLIST_STARTTIME_STRING)); line.replace("(expired)", ""); line = line.simplifyWhiteSpace(); line = klistDateTimeToRFCDateTime(line); ticket.validStartTime.setTime_t(KRFCDate::parseDate(line)); ticket.informationValid = true; } else if (line.startsWith(KLIST_STOPTIME_STRING)) { line.remove(0, strlen(KLIST_STOPTIME_STRING)); line.replace("(expired)", ""); line = line.simplifyWhiteSpace(); line = klistDateTimeToRFCDateTime(line); ticket.validEndTime.setTime_t(KRFCDate::parseDate(line)); ticket.informationValid = true; } else if (line.startsWith(KLIST_FLAGS_STRING)) { line.remove(0, strlen(KLIST_FLAGS_STRING)); TQStringList flags = TQStringList::split(",", line, FALSE); for (TQStringList::Iterator it = flags.begin(); it != flags.end(); ++it) { if ((*it) == KLIST_KRB5_TICKET_RESERVED) { ticket.flags = ticket.flags | KRB5_TICKET_RESERVED; } else if ((*it) == KLIST_KRB5_TICKET_FORWARDABLE) { ticket.flags = ticket.flags | KRB5_TICKET_FORWARDABLE; } else if ((*it) == KLIST_KRB5_TICKET_FORWARDED) { ticket.flags = ticket.flags | KRB5_TICKET_FORWARDED; } else if ((*it) == KLIST_KRB5_TICKET_PROXIABLE) { ticket.flags = ticket.flags | KRB5_TICKET_PROXIABLE; } else if ((*it) == KLIST_KRB5_TICKET_PROXY) { ticket.flags = ticket.flags | KRB5_TICKET_PROXY; } else if ((*it) == KLIST_KRB5_TICKET_MAY_POSTDATE) { ticket.flags = ticket.flags | KRB5_TICKET_MAY_POSTDATE; } else if ((*it) == KLIST_KRB5_TICKET_POSTDATED) { ticket.flags = ticket.flags | KRB5_TICKET_POSTDATED; } else if ((*it) == KLIST_KRB5_TICKET_INVALID) { ticket.flags = ticket.flags | KRB5_TICKET_INVALID; } else if ((*it) == KLIST_KRB5_TICKET_RENEWABLE) { ticket.flags = ticket.flags | KRB5_TICKET_RENEWABLE; } else if ((*it) == KLIST_KRB5_TICKET_INITIAL) { ticket.flags = ticket.flags | KRB5_TICKET_INITIAL; } else if ((*it) == KLIST_KRB5_TICKET_PREAUTHENT) { ticket.flags = ticket.flags | KRB5_TICKET_PREAUTHENT; } else if ((*it) == KLIST_KRB5_TICKET_HW_AUTHENT) { ticket.flags = ticket.flags | KRB5_TICKET_HW_AUTHENT; } else if ((*it) == KLIST_KRB5_TICKET_TRANSIT_CHECKED) { ticket.flags = ticket.flags | KRB5_TICKET_TRANSIT_CHECKED; } else if ((*it) == KLIST_KRB5_TICKET_OK_AS_DELEGATE) { ticket.flags = ticket.flags | KRB5_TICKET_OK_AS_DELEGATE; } else if ((*it) == KLIST_KRB5_TICKET_ANONYMOUS) { ticket.flags = ticket.flags | KRB5_TICKET_ANONYMOUS; } else if ((*it) == KLIST_KRB5_TICKET_ENC_PA_REP) { ticket.flags = ticket.flags | KRB5_TICKET_ENC_PA_REP; } } ticket.informationValid = true; } else if (line.startsWith(KLIST_ADDRESSES_STRING)) { line.remove(0, strlen(KLIST_ADDRESSES_STRING)); if (line != KLIST_ADDRESSLESS_STRING) { // FIXME // What is the separator? ticket.addresses = TQStringList(line); } ticket.informationValid = true; } } f.close(); pclose(output); return list; } LDAPRealmConfigList LDAPManager::fetchAndReadTDERealmList(TQString *defaultRealm) { KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" )); systemconfig->setGroup(NULL); if (defaultRealm != NULL) { *defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null); } LDAPRealmConfigList realms = LDAPManager::readTDERealmList(systemconfig, false); delete systemconfig; return realms; } int LDAPManager::getKerberosPassword(LDAPCredentials &creds, TQString prompt, bool requestServicePrincipal, bool allowSmartCard, TQWidget* parent) { int i; TQString defaultRealm; LDAPRealmConfigList realms = fetchAndReadTDERealmList(&defaultRealm); if (creds.realm != "") { defaultRealm = creds.realm; } LDAPPasswordDialog passdlg(parent, 0, false, allowSmartCard); passdlg.m_base->ldapAdminRealm->setEnabled(true); LDAPRealmConfigList::Iterator it; i=0; for (it = realms.begin(); it != realms.end(); ++it) { passdlg.m_base->ldapAdminRealm->insertItem((*it).name); if ((*it).name == defaultRealm) { passdlg.m_base->ldapAdminRealm->setCurrentItem(i); } i++; } passdlg.m_base->passprompt->setText(prompt); passdlg.m_base->ldapUseTLS->hide(); if (requestServicePrincipal) { passdlg.m_base->kerberosOtherInfoString->show(); passdlg.m_base->kerberosServicePrincipal->show(); } if (creds.username != "") { passdlg.m_base->ldapAdminUsername->setText(creds.username); passdlg.m_base->ldapAdminPassword->setFocus(); } const int ret = passdlg.exec(); if (ret == KDialog::Accepted) { creds.username = passdlg.m_base->ldapAdminUsername->text(); creds.password = passdlg.m_base->ldapAdminPassword->password(); creds.realm = passdlg.m_base->ldapAdminRealm->currentText(); creds.service = passdlg.m_base->kerberosServicePrincipal->text(); creds.use_tls = passdlg.m_base->ldapUseTLS->isOn(); creds.use_gssapi = false; if (allowSmartCard) { creds.use_smartcard = passdlg.use_smartcard; } else { creds.use_smartcard = false; } } return ret; } int LDAPManager::obtainKerberosTicket(LDAPCredentials creds, TQString principal, TQString *errstr) { TQCString command = "kinit"; QCStringList args; if (creds.use_smartcard) { // Get PKCS#11 slot number from the LDAP configuration file KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" )); systemconfig->setGroup(NULL); int pkcs11_login_card_slot = systemconfig->readNumEntry("PKCS11LoginCardSlot", 0); delete systemconfig; TQString pkcsProviderString = "PKCS11:" + TDECryptographicCardDevice::pkcsProviderLibrary(); if (pkcs11_login_card_slot != 0) { pkcsProviderString.append(TQString(",slot=%1").arg(pkcs11_login_card_slot)); } args << TQCString("-C") << TQCString(pkcsProviderString); // Find certificate on card and set credentials to match TDEGenericDevice *hwdevice; TDEHardwareDevices *hwdevices = TDEGlobal::hardwareDevices(); TDEGenericHardwareList cardReaderList = hwdevices->listByDeviceClass(TDEGenericDeviceType::CryptographicCard); for (hwdevice = cardReaderList.first(); hwdevice; hwdevice = cardReaderList.next()) { TDECryptographicCardDevice* cdevice = static_cast(hwdevice); TQString username = TQString::null; TQString realm = TQString::null; X509CertificatePtrList certList = cdevice->cardX509Certificates(); if (certList.count() > 0) { TQStringList::Iterator it; KSSLCertificate* card_cert = NULL; card_cert = KSSLCertificate::fromX509(certList[0]); TQStringList cert_subject_parts = TQStringList::split("/", card_cert->getSubject(), false); TQStringList reversed_cert_subject_parts; for (it = cert_subject_parts.begin(); it != cert_subject_parts.end(); it++) { reversed_cert_subject_parts.prepend(*it); } for (it = reversed_cert_subject_parts.begin(); it != reversed_cert_subject_parts.end(); ++it ) { TQString lcpart = (*it).lower(); if (lcpart.startsWith("cn=")) { username = lcpart.right(lcpart.length() - strlen("cn=")); } else if (lcpart.startsWith("dc=")) { realm.append(lcpart.right(lcpart.length() - strlen("dc=")) + "."); } } if (realm.endsWith(".")) { realm.truncate(realm.length() - 1); } delete card_cert; } if (username != "") { creds.username = username; creds.realm = realm; break; } } } if (principal == "") { args << TQCString(creds.username + "@" + creds.realm.upper()); } else { args << TQCString("-S") << TQCString(principal) << TQCString(creds.username + "@" + creds.realm.upper()); } TQString prompt; PtyProcess kinitProc; kinitProc.exec(command, args); prompt = readFullLineFromPtyProcess(&kinitProc); prompt = prompt.stripWhiteSpace(); while (prompt.endsWith(" Password:") || (creds.use_smartcard && prompt.contains("PIN"))) { if (creds.use_smartcard) { TQString password; int result = KPasswordDialog::getPassword(password, prompt); if (result == KPasswordDialog::Accepted) { creds.password = password; } else { return 0; } } kinitProc.enableLocalEcho(false); kinitProc.writeLine(creds.password.utf8(), true); do { // Discard our own input prompt = readFullLineFromPtyProcess(&kinitProc); printf("(kinit) '%s'\n", prompt.ascii()); } while (prompt == ""); prompt = prompt.stripWhiteSpace(); } if ((prompt != "") && (prompt != "TDE process terminated")) { if (errstr) *errstr = detailedKAdminErrorMessage(prompt); return 1; } // Success! return 0; } int LDAPManager::obtainKerberosServiceTicket(TQString principal, TQString *errstr) { TQString ret; TQString command = TQString("kgetcred \"%1\"").arg(principal); FILE *output = popen(command.ascii(), "r"); TQFile f; f.open(IO_ReadOnly, output); TQTextStream stream(&f); ret = stream.readLine(); f.close(); pclose(output); if (ret != "") { if (errstr) *errstr = detailedKAdminErrorMessage(ret); return -1; } return 0; } int LDAPManager::destroyKerberosTicket(TQString principal, TQString *errstr) { TQString ret; TQString command = TQString("kdestroy --credential=\"%1\"").arg(principal); FILE *output = popen(command.ascii(), "r"); TQFile f; f.open(IO_ReadOnly, output); TQTextStream stream(&f); ret = stream.readLine(); f.close(); pclose(output); if (ret != "") { if (errstr) *errstr = detailedKAdminErrorMessage(ret); return -1; } return 0; } int LDAPManager::updateGroupInfo(LDAPGroupInfo group, TQString *errstr) { int retcode; int i; LDAPGroupInfo groupinfo; if (bind() < 0) { return -1; } else { // Assemble the LDAPMod structure // We will replace any existing attributes with the new values int number_of_parameters = 3; // 3 primary attributes LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load LDAP modification requests from provided data structure i=0; add_single_attribute_operation(mods, &i, "gidNumber", TQString("%1").arg(group.gid)); TQStringList completeGroupList = group.userlist; TQString placeholderGroup = "cn=placeholder," + m_basedc; if (!completeGroupList.contains(placeholderGroup)) { completeGroupList.prepend(placeholderGroup); } add_multiple_attributes_operation(mods, &i, "member", completeGroupList); // Also populate memberUid attribute from the above list (minus the cn=,dc=... stuff, i.e. just the username) TQStringList posixGroupList; for ( TQStringList::Iterator it = group.userlist.begin(); it != group.userlist.end(); ++it ) { TQString plainUserName = *it; int eqpos = plainUserName.find("=")+1; int cmpos = plainUserName.find(",", eqpos); plainUserName.truncate(cmpos); plainUserName.remove(0, eqpos); posixGroupList.append(plainUserName); } add_multiple_attributes_operation(mods, &i, "memberUid", posixGroupList); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Perform LDAP update retcode = ldap_modify_ext_s(m_ldap, group.distinguishedName.ascii(), mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } return -2; } else { return 0; } } } // FIXME int LDAPManager::updateMachineInfo(LDAPMachineInfo group, TQString *errstr) { if (errstr) *errstr = i18n("Not implemented yet!"); return -1; } // FIXME int LDAPManager::updateServiceInfo(LDAPServiceInfo group, TQString *errstr) { if (errstr) *errstr = i18n("Not implemented yet!"); return -1; } int LDAPManager::addUserInfo(LDAPUserInfo user, TQString *errstr) { int retcode; int i; LDAPUserInfo userinfo; if (bind() < 0) { return -1; } else { // Create the base DN entry int number_of_parameters = 14; // 14 primary attributes LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load initial required LDAP object attributes i=0; create_single_attribute_operation(mods, &i, "uidNumber", TQString("%1").arg(user.uid)); create_single_attribute_operation(mods, &i, "gidNumber", TQString("%1").arg(user.primary_gid)); create_multiple_attributes_operation(mods, &i, "objectClass", TQStringList::split(" ", "inetOrgPerson krb5Realm krb5Principal krb5KDCEntry emsUser posixAccount tdeExtendedUserData tdeAccountObject")); create_single_attribute_operation(mods, &i, "uid", user.name); create_single_attribute_operation(mods, &i, "cn", user.commonName); create_single_attribute_operation(mods, &i, "sn", user.surName); create_single_attribute_operation(mods, &i, "homeDirectory", user.homedir); create_single_attribute_operation(mods, &i, "userPassword", "{SASL}" + user.name + "@" + m_realm.upper()); // Kerberos create_single_attribute_operation(mods, &i, "krb5KeyVersionNumber", "1"); create_single_attribute_operation(mods, &i, "krb5PrincipalName", TQString(user.name.lower()) + "@" + m_realm.upper()); create_single_attribute_operation(mods, &i, "krb5RealmName", m_realm.upper()); // Zivios specific create_single_attribute_operation(mods, &i, "emsdescription", "None"); create_single_attribute_operation(mods, &i, "emsprimarygroupdn", "None"); create_single_attribute_operation(mods, &i, "emstype", "UserEntry"); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Add new object retcode = ldap_add_ext_s(m_ldap, user.distinguishedName.ascii(), mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP addition failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP addition failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } return -2; } else { return updateUserInfo(user); } } } int LDAPManager::addGroupInfo(LDAPGroupInfo group, TQString *errstr) { int retcode; int i; LDAPGroupInfo groupinfo; if (bind() < 0) { return -1; } else { // Create the base DN entry int number_of_parameters = 6; // 6 primary attributes LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); TQString placeholderGroup = "cn=placeholder," + m_basedc; // Load initial required LDAP object attributes i=0; create_single_attribute_operation(mods, &i, "gidNumber", TQString("%1").arg(group.gid)); create_multiple_attributes_operation(mods, &i, "objectClass", TQStringList::split(" ", "emsGroup groupOfNames posixGroup")); create_single_attribute_operation(mods, &i, "cn", group.name); create_multiple_attributes_operation(mods, &i, "member", TQStringList(placeholderGroup)); // Zivios specific create_single_attribute_operation(mods, &i, "emsdescription", "None"); create_single_attribute_operation(mods, &i, "emstype", "GroupEntry"); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Add new object retcode = ldap_add_ext_s(m_ldap, group.distinguishedName.ascii(), mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP addition failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP addition failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } return -2; } else { return updateGroupInfo(group); } } } int LDAPManager::kAdminAddNewPrincipal(TQString principalName, TQString newPassword, TQString *errstr) { int retcode; kadm5_ret_t krb5adm_ret; int i; char* password = NULL; bool kadmin_unbind_needed = false; if (m_krb5admHandle) { retcode = 0; } else { retcode = bindKAdmin(NULL, errstr); kadmin_unbind_needed = true; } if (retcode == 0) { retcode = 1; bool generate_password; if (newPassword == "") { generate_password = true; } else { generate_password = false; password = strdup(newPassword.ascii()); } // Construct and add new principal record kadm5_principal_ent_rec principal_record; kadm5_principal_ent_rec default_record; kadm5_principal_ent_rec *default_entry = NULL; krb5_principal principal_entry = NULL; int mask = 0; memset(&principal_record, 0, sizeof(principal_record)); krb5adm_ret = krb5_parse_name(m_krb5admContext, principalName.ascii(), &principal_entry); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute krb5_parse_name (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } principal_record.principal = principal_entry; mask |= KADM5_PRINCIPAL; default_entry = &default_record; krb5adm_ret = kadm5_get_default_principal_info(m_krb5admContext, m_krb5admHandle, principal_entry, default_entry); if (krb5adm_ret) { default_entry = NULL; if (errstr) *errstr = i18n("%1

Details:
Failed to execute kadm5_get_default_principal_info (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } else { // Use defaults principal_record.max_life = default_entry->max_life; principal_record.max_renewable_life = default_entry->max_renewable_life; principal_record.princ_expire_time = default_entry->princ_expire_time; principal_record.pw_expiration = default_entry->pw_expiration; principal_record.attributes = default_entry->attributes & ~KRB5_KDB_DISALLOW_ALL_TIX; principal_record.policy = strdup(default_entry->policy); if (generate_password) { const char charset[] = "@$%&*()-+=:,/<>?0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz"; const size_t max_index = (sizeof(charset) - 2); TQFile randomNode("/dev/urandom"); if (randomNode.open(IO_ReadOnly)) { password = (char*)malloc(sizeof(char) * KRB5_ANK_RANDOM_PASSWORD_LENGTH); if (password) { if (randomNode.readBlock(password, KRB5_ANK_RANDOM_PASSWORD_LENGTH) < KRB5_ANK_RANDOM_PASSWORD_LENGTH) { free(password); password = NULL; } else { for (i = 0; i < KRB5_ANK_RANDOM_PASSWORD_LENGTH - 1; i++) { while ((unsigned char)password[i] > max_index) { password[i] -= max_index; } password[i] = charset[(int)password[i]]; } password[i] = 0; } } randomNode.close(); } if (password) { principal_record.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; mask |= KADM5_ATTRIBUTES; } else { if (errstr) *errstr = i18n("Unable to generate random password"); } } if (password) { krb5adm_ret = kadm5_create_principal(m_krb5admHandle, &principal_record, mask, password); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute kadm5_create_principal (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } else { if (generate_password) { krb5_keyblock *new_keys; int key_count; krb5adm_ret = kadm5_randkey_principal(m_krb5admHandle, principal_entry, &new_keys, &key_count); if (krb5adm_ret) { key_count = 0; } for (i = 0; i < key_count; i++) { krb5_free_keyblock_contents(m_krb5admContext, &new_keys[i]); } if (key_count > 0) { free(new_keys); } kadm5_get_principal(m_krb5admHandle, principal_entry, &principal_record, KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES); krb5_free_principal(m_krb5admContext, principal_entry); principal_entry = principal_record.principal; principal_record.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); principal_record.kvno = 1; krb5adm_ret = kadm5_modify_principal(m_krb5admHandle, &principal_record, KADM5_ATTRIBUTES | KADM5_KVNO); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute kadm5_modify_principal (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } else { retcode = 0; } } else { retcode = 0; } } } } kadm5_free_principal_ent(m_krb5admHandle, &principal_record); if (default_entry) { kadm5_free_principal_ent(m_krb5admHandle, default_entry); } if (password) { free(password); } if (kadmin_unbind_needed) { unbindKAdmin(); unbind(true); // Using kadmin can disrupt our LDAP connection } } return retcode; } int LDAPManager::kAdminDeletePrincipal(TQString principalName, TQString *errstr) { int retcode; kadm5_ret_t krb5adm_ret; bool kadmin_unbind_needed = false; if (m_krb5admHandle) { retcode = 0; } else { retcode = bindKAdmin(NULL, errstr); kadmin_unbind_needed = true; } if (retcode == 0) { retcode = 1; krb5_principal principal_entry = NULL; krb5adm_ret = krb5_parse_name(m_krb5admContext, principalName.ascii(), &principal_entry); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute krb5_parse_name for principal '%2' (code %3)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(principalName).arg(krb5adm_ret); } else { krb5adm_ret = kadm5_delete_principal(m_krb5admHandle, principal_entry); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute kadm5_delete_principal for principal '%2' (code %3)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(principalName).arg(krb5adm_ret); } else { // Success! retcode = 0; } // Clean up krb5_free_principal(m_krb5admContext, principal_entry); } if (kadmin_unbind_needed) { unbindKAdmin(); unbind(true); // Using kadmin can disrupt our LDAP connection } } return retcode; } int LDAPManager::addMachineInfo(LDAPMachineInfo machine, TQString *errstr) { LDAPCredentials admincreds = currentLDAPCredentials(true); TQString hoststring = "host/" + machine.name + "." + admincreds.realm.lower(); return kAdminAddNewPrincipal(hoststring, machine.newPassword, errstr); } int LDAPManager::addServiceInfo(LDAPServiceInfo service, TQString *errstr) { TQString hoststring = service.name + "/" + service.machine; return kAdminAddNewPrincipal(hoststring, TQString::null, errstr); } int LDAPManager::deleteUserInfo(LDAPUserInfo user, TQString *errstr) { int retcode; LDAPUserInfo userinfo; if (bind() < 0) { return -1; } else { // Remove the user from all member groups LDAPGroupInfoList groupInfoList = groups(&retcode); LDAPGroupInfoList::Iterator it; for (it = groupInfoList.begin(); it != groupInfoList.end(); ++it) { LDAPGroupInfo group = *it; if (group.userlist.contains(user.distinguishedName)) { group.userlist.remove(user.distinguishedName); retcode = updateGroupInfo(group, errstr); if (retcode != 0) { return retcode; } } } // Delete the base DN entry retcode = ldap_delete_ext_s(m_ldap, user.distinguishedName.ascii(), NULL, NULL); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP deletion failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP deletion failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } return -2; } else { return 0; } } } int LDAPManager::deleteGroupInfo(LDAPGroupInfo group, TQString *errstr) { int retcode; LDAPGroupInfo groupinfo; if (bind() < 0) { return -1; } else { // Delete the base DN entry retcode = ldap_delete_ext_s(m_ldap, group.distinguishedName.ascii(), NULL, NULL); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP deletion failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP deletion failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } return -2; } else { return 0; } } } int LDAPManager::deleteMachineInfo(LDAPMachineInfo machine, TQString *errstr) { int retcode; LDAPMachineInfo machineinfo; if (bind() < 0) { return -1; } else { // Delete the base DN entry retcode = ldap_delete_ext_s(m_ldap, machine.distinguishedName.ascii(), NULL, NULL); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP deletion failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP deletion failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } return -2; } else { return 0; } } } int LDAPManager::deleteServiceInfo(LDAPServiceInfo service, TQString *errstr) { int retcode; LDAPServiceInfo serviceinfo; if (bind() < 0) { return -1; } else { // Delete the base DN entry retcode = ldap_delete_ext_s(m_ldap, service.distinguishedName.ascii(), NULL, NULL); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP deletion failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP deletion failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } return -2; } else { return 0; } } } LDAPGroupInfo LDAPManager::parseLDAPGroupRecord(LDAPMessage* entry) { char* dn = NULL; char* attr; struct berval **vals; BerElement* ber; int i; LDAPGroupInfo groupinfo; if((dn = ldap_get_dn(m_ldap, entry)) != NULL) { groupinfo.distinguishedName = dn; TQStringList dnParts = TQStringList::split(",", dn); TQString id = dnParts[0]; if (id.startsWith("cn=")) { id = id.remove(0, 3); groupinfo.name = id; } ldap_memfree(dn); } for( attr = ldap_first_attribute(m_ldap, entry, &ber); attr != NULL; attr = ldap_next_attribute(m_ldap, entry, ber)) { if ((vals = ldap_get_values_len(m_ldap, entry, attr)) != NULL) { groupinfo.informationValid = true; TQString ldap_field = attr; i=0; if (ldap_field == "creatorsName") { groupinfo.creatorsName = vals[i]->bv_val; } else if (ldap_field == "member") { TQStringList members; for(i = 0; vals[i] != NULL; i++) { TQString userdn = vals[i]->bv_val; if (userdn.startsWith("cn=placeholder,dc=")) { continue; } members.append(userdn); } groupinfo.userlist = members; } else if (ldap_field == "gidNumber") { groupinfo.gid = atoi(vals[i]->bv_val); } else if (ldap_field == "tdeBuiltinAccount") { groupinfo.tde_builtin_account = (TQString(vals[i]->bv_val).upper() == "TRUE")?true:false; } ldap_value_free_len(vals); } ldap_memfree(attr); } if (ber != NULL) { ber_free(ber, 0); } return groupinfo; } LDAPMachineInfo LDAPManager::parseLDAPMachineRecord(LDAPMessage* entry) { char* dn = NULL; char* attr; struct berval **vals; BerElement* ber; int i; LDAPMachineInfo machineinfo; if((dn = ldap_get_dn(m_ldap, entry)) != NULL) { machineinfo.distinguishedName = dn; TQStringList dnParts = TQStringList::split(",", dn); TQString id = dnParts[0]; if (id.startsWith("krb5PrincipalName=host/")) { id = id.remove(0, 23); id.replace("@"+m_realm, ""); machineinfo.name = id; } ldap_memfree(dn); } for( attr = ldap_first_attribute(m_ldap, entry, &ber); attr != NULL; attr = ldap_next_attribute(m_ldap, entry, ber)) { if ((vals = ldap_get_values_len(m_ldap, entry, attr)) != NULL) { machineinfo.informationValid = true; TQString ldap_field = attr; i=0; if (ldap_field == "creatorsName") { machineinfo.creatorsName = vals[i]->bv_val; } else if (ldap_field == "tdeBuiltinAccount") { machineinfo.tde_builtin_account = (TQString(vals[i]->bv_val).upper() == "TRUE")?true:false; } else if (ldap_field == "krb5KDCFlags") { machineinfo.status = (LDAPKRB5Flags)(atoi(vals[i]->bv_val)); } ldap_value_free_len(vals); } ldap_memfree(attr); } if (ber != NULL) { ber_free(ber, 0); } return machineinfo; } LDAPServiceInfo LDAPManager::parseLDAPMachineServiceRecord(LDAPMessage* entry) { char* dn = NULL; char* attr; struct berval **vals; BerElement* ber; int i; LDAPServiceInfo machineserviceinfo; if((dn = ldap_get_dn(m_ldap, entry)) != NULL) { machineserviceinfo.distinguishedName = dn; TQStringList dnParts = TQStringList::split(",", dn); TQString id = dnParts[0]; dnParts = TQStringList::split("/", id); id = dnParts[0]; dnParts = TQStringList::split("=", id); machineserviceinfo.name = dnParts[1]; ldap_memfree(dn); } for( attr = ldap_first_attribute(m_ldap, entry, &ber); attr != NULL; attr = ldap_next_attribute(m_ldap, entry, ber)) { if ((vals = ldap_get_values_len(m_ldap, entry, attr)) != NULL) { machineserviceinfo.informationValid = true; TQString ldap_field = attr; i=0; if (ldap_field == "creatorsName") { machineserviceinfo.creatorsName = vals[i]->bv_val; } else if (ldap_field == "tdeBuiltinAccount") { machineserviceinfo.tde_builtin_account = (TQString(vals[i]->bv_val).upper() == "TRUE")?true:false; } else if (ldap_field == "krb5KDCFlags") { machineserviceinfo.status = (LDAPKRB5Flags)(atoi(vals[i]->bv_val)); } ldap_value_free_len(vals); } ldap_memfree(attr); } if (ber != NULL) { ber_free(ber, 0); } return machineserviceinfo; } LDAPGroupInfoList LDAPManager::groups(int* mretcode, TQString *errstr) { int retcode; int errcode; LDAPGroupInfoList groups; if (bind() < 0) { if (mretcode) *mretcode = -1; return LDAPGroupInfoList(); } else { LDAPMessage* msg; TQString ldap_base_dn = m_basedc; TQString ldap_filter = "(objectClass=posixGroup)"; retcode = ldap_search_ext_s(m_ldap, ldap_base_dn.ascii(), LDAP_SCOPE_SUBTREE, ldap_filter.ascii(), ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if ((retcode != LDAP_SUCCESS) && (retcode != LDAP_SIZELIMIT_EXCEEDED)) { if (errstr) { *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } if (mretcode) *mretcode = -1; return LDAPGroupInfoList(); } else if (retcode == LDAP_SUCCESS) { // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { groups.append(parseLDAPGroupRecord(entry)); } // Clean up ldap_msgfree(msg); if (mretcode) *mretcode = 0; return groups; } else if (retcode == LDAP_SIZELIMIT_EXCEEDED) { // Try paged access bool morePages = false; unsigned long pageSize = 100; struct berval cookie = {0, NULL}; char pagingCriticality = 'T'; LDAPControl* pageControl = NULL; LDAPControl* serverControls[2] = { NULL, NULL }; LDAPControl** returnedControls = NULL; do { retcode = ldap_create_page_control(m_ldap, pageSize, &cookie, pagingCriticality, &pageControl); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } if (mretcode) *mretcode = -1; return LDAPGroupInfoList(); } serverControls[0] = pageControl; retcode = ldap_search_ext_s(m_ldap, ldap_base_dn.ascii(), LDAP_SCOPE_SUBTREE, ldap_filter.ascii(), ldap_user_and_operational_attributes, 0, serverControls, NULL, NULL, 0, &msg); if ((retcode != LDAP_SUCCESS) && (retcode != LDAP_PARTIAL_RESULTS)) { if (errstr) { *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } if (mretcode) *mretcode = -1; return LDAPGroupInfoList(); } retcode = ldap_parse_result(m_ldap, msg, &errcode, NULL, NULL, NULL, &returnedControls, false); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } if (mretcode) *mretcode = -1; return LDAPGroupInfoList(); } if (cookie.bv_val != NULL) { ber_memfree(cookie.bv_val); cookie.bv_val = NULL; cookie.bv_len = 0; } if (!!returnedControls) { retcode = ldap_parse_pageresponse_control(m_ldap, returnedControls[0], NULL, &cookie); morePages = (cookie.bv_val && (strlen(cookie.bv_val) > 0)); } else { morePages = false; } if (returnedControls != NULL) { ldap_controls_free(returnedControls); returnedControls = NULL; } serverControls[0] = NULL; ldap_control_free(pageControl); pageControl = NULL; // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { groups.append(parseLDAPGroupRecord(entry)); } // Clean up ldap_msgfree(msg); } while (morePages); if (mretcode) *mretcode = 0; return groups; } } return LDAPGroupInfoList(); } LDAPMachineInfoList LDAPManager::machines(int* mretcode, TQString *errstr) { int retcode; int errcode; LDAPMachineInfoList machines; if (bind() < 0) { if (mretcode) *mretcode = -1; return LDAPMachineInfoList(); } else { LDAPMessage* msg; TQString ldap_base_dn = m_basedc; TQString ldap_filter = "(&(objectClass=krb5Principal)(uid=host/*))"; retcode = ldap_search_ext_s(m_ldap, ldap_base_dn.ascii(), LDAP_SCOPE_SUBTREE, ldap_filter.ascii(), ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if ((retcode != LDAP_SUCCESS) && (retcode != LDAP_SIZELIMIT_EXCEEDED)) { if (errstr) { *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } if (mretcode) *mretcode = -1; return LDAPMachineInfoList(); } else if (retcode == LDAP_SUCCESS) { // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { machines.append(parseLDAPMachineRecord(entry)); } // Clean up ldap_msgfree(msg); if (mretcode) *mretcode = 0; return machines; } else if (retcode == LDAP_SIZELIMIT_EXCEEDED) { // Try paged access bool morePages = false; unsigned long pageSize = 100; struct berval cookie = {0, NULL}; char pagingCriticality = 'T'; LDAPControl* pageControl = NULL; LDAPControl* serverControls[2] = { NULL, NULL }; LDAPControl** returnedControls = NULL; do { retcode = ldap_create_page_control(m_ldap, pageSize, &cookie, pagingCriticality, &pageControl); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } if (mretcode) *mretcode = -1; return LDAPMachineInfoList(); } serverControls[0] = pageControl; retcode = ldap_search_ext_s(m_ldap, ldap_base_dn.ascii(), LDAP_SCOPE_SUBTREE, ldap_filter.ascii(), ldap_user_and_operational_attributes, 0, serverControls, NULL, NULL, 0, &msg); if ((retcode != LDAP_SUCCESS) && (retcode != LDAP_PARTIAL_RESULTS)) { if (errstr) { *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } if (mretcode) *mretcode = -1; return LDAPMachineInfoList(); } retcode = ldap_parse_result(m_ldap, msg, &errcode, NULL, NULL, NULL, &returnedControls, false); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } if (mretcode) *mretcode = -1; return LDAPMachineInfoList(); } if (cookie.bv_val != NULL) { ber_memfree(cookie.bv_val); cookie.bv_val = NULL; cookie.bv_len = 0; } if (!!returnedControls) { retcode = ldap_parse_pageresponse_control(m_ldap, returnedControls[0], NULL, &cookie); morePages = (cookie.bv_val && (strlen(cookie.bv_val) > 0)); } else { morePages = false; } if (returnedControls != NULL) { ldap_controls_free(returnedControls); returnedControls = NULL; } serverControls[0] = NULL; ldap_control_free(pageControl); pageControl = NULL; // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { machines.append(parseLDAPMachineRecord(entry)); } // Clean up ldap_msgfree(msg); } while (morePages); if (mretcode) *mretcode = 0; return machines; } } return LDAPMachineInfoList(); } LDAPServiceInfoList LDAPManager::services(int* mretcode, TQString *errstr) { LDAPServiceInfoList services; if (bind() < 0) { if (mretcode) *mretcode = -1; return LDAPServiceInfoList(); } else { int machineSearchRet; LDAPMachineInfoList machineList = machines(&machineSearchRet, errstr); if (machineSearchRet != 0) { if (mretcode) *mretcode = -1; return LDAPServiceInfoList(); } LDAPMachineInfoList::Iterator it; for (it = machineList.begin(); it != machineList.end(); ++it) { LDAPMachineInfo machine = *it; LDAPServiceInfoList thisMachineServiceList = machineServices(machine.distinguishedName); LDAPServiceInfoList::Iterator it2; for (it2 = thisMachineServiceList.begin(); it2 != thisMachineServiceList.end(); ++it2) { services.append(*it2); } } if (mretcode) *mretcode = 0; return services; } return LDAPServiceInfoList(); } LDAPServiceInfoList LDAPManager::machineServices(TQString machine_dn, int* mretcode) { int retcode; LDAPServiceInfoList services; if (bind() < 0) { if (mretcode) *mretcode = -1; return LDAPServiceInfoList(); } else { LDAPMessage* msg; TQString ldap_base_dn = m_basedc; TQStringList machinednParts = TQStringList::split(",", machine_dn); TQString machine_name = machinednParts[0]; if (machine_name.startsWith("krb5PrincipalName=host/")) { machine_name = machine_name.remove(0, 23); machine_name.replace("@"+m_realm, ""); } TQString ldap_filter = TQString("(&(objectClass=krb5Principal)(uid=*/%1))").arg(machine_name); retcode = ldap_search_ext_s(m_ldap, ldap_base_dn.ascii(), LDAP_SCOPE_SUBTREE, ldap_filter.ascii(), ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if (retcode != LDAP_SUCCESS) { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); if (mretcode) *mretcode = -1; return LDAPServiceInfoList(); } // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { LDAPServiceInfo sinfo = parseLDAPMachineServiceRecord(entry); sinfo.machine_dn = machine_dn; sinfo.machine = machine_name; if (sinfo.name != "host") { services.append(sinfo); } } // Clean up ldap_msgfree(msg); if (mretcode) *mretcode = 0; return services; } return LDAPServiceInfoList(); } int LDAPManager::exportKeytabForPrincipal(TQString principal, TQString fileName, TQString *errstr) { int retcode; kadm5_ret_t krb5adm_ret; int i; bool kadmin_unbind_needed = false; if (m_krb5admHandle) { retcode = 0; } else { retcode = bindKAdmin(NULL, errstr); kadmin_unbind_needed = true; } if (retcode == 0) { retcode = 1; krb5_keytab keytab; if (fileName == "") { krb5adm_ret = krb5_kt_default(m_krb5admContext, &keytab); } else { krb5adm_ret = krb5_kt_resolve(m_krb5admContext, fileName.ascii(), &keytab); } if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to open keytab file '%2' (code %3)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(fileName).arg(krb5adm_ret); } else { kadm5_principal_ent_rec principal_record; krb5_principal principal_entry = NULL; memset(&principal_record, 0, sizeof(principal_record)); krb5adm_ret = krb5_parse_name(m_krb5admContext, principal.ascii(), &principal_entry); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute krb5_parse_name (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } else { principal_record.principal = principal_entry; krb5adm_ret = kadm5_get_principal(m_krb5admHandle, principal_entry, &principal_record, KADM5_PRINCIPAL | KADM5_KVNO | KADM5_KEY_DATA); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute kadm5_get_principal (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); retcode = 2; } else { if (principal_record.n_key_data == 0) { if (errstr) *errstr = i18n("No keys found!

If this principal is known to have valid keys, please check your access permissions and try again"); retcode = 2; } else { // Extract keys krb5_keytab_entry *keys = NULL; keys = (krb5_keytab_entry*)calloc(sizeof(*keys), principal_record.n_key_data); if (keys == NULL) { if (errstr) *errstr = i18n("Out of memory"); } else { int key_count = 0; for (i = 0; i < principal_record.n_key_data; i++) { krb5_key_data *kd = &principal_record.key_data[i]; keys[i].principal = principal_record.principal; keys[i].vno = kd->key_data_kvno; keys[i].keyblock.keytype = kd->key_data_type[0]; keys[i].keyblock.keyvalue.length = kd->key_data_length[0]; keys[i].keyblock.keyvalue.data = kd->key_data_contents[0]; keys[i].timestamp = time(NULL); key_count++; } if (key_count < 1) { if (errstr) *errstr = i18n("No keys found!

If this principal is known to have valid keys, please check your access permissions and try again"); } else { for (i = 0; i < key_count; i++) { krb5adm_ret = krb5_kt_add_entry(m_krb5admContext, keytab, &keys[i]); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute krb5_kt_add_entry (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } } if (!krb5adm_ret) { // Success! retcode = 0; } } } free(keys); } kadm5_free_principal_ent(m_krb5admHandle, &principal_record); } } krb5_kt_close(m_krb5admContext, keytab); } if (kadmin_unbind_needed) { unbindKAdmin(); unbind(true); // Using kadmin can disrupt our LDAP connection } } return retcode; } int LDAPManager::deleteKeytabEntriesForPrincipal(TQString principal, TQString fileName, TQString *errstr) { int retcode; kadm5_ret_t krb5adm_ret; bool kadmin_unbind_needed = false; if (m_krb5admHandle) { retcode = 0; } else { retcode = bindKAdmin(NULL, errstr); kadmin_unbind_needed = true; } if (retcode == 0) { retcode = 1; krb5_keytab keytab; if (fileName == "") { krb5adm_ret = krb5_kt_default(m_krb5admContext, &keytab); } else { krb5adm_ret = krb5_kt_resolve(m_krb5admContext, fileName.ascii(), &keytab); } if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to open keytab file '%2' (code %3)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(fileName).arg(krb5adm_ret); } else { krb5_principal principal_entry = NULL; krb5adm_ret = krb5_parse_name(m_krb5admContext, principal.ascii(), &principal_entry); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute krb5_parse_name (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } else { krb5_keytab_entry keytab_entry; keytab_entry.principal = principal_entry; keytab_entry.keyblock.keytype = 0; keytab_entry.vno = 0; krb5adm_ret = krb5_kt_remove_entry(m_krb5admContext, keytab, &keytab_entry); if (krb5adm_ret) { if (errstr) *errstr = i18n("%1

Details:
Failed to execute krb5_kt_remove_entry (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } else { // Success! retcode = 0; } } krb5_kt_close(m_krb5admContext, keytab); } if (kadmin_unbind_needed) { unbindKAdmin(); unbind(true); // Using kadmin can disrupt our LDAP connection } } return retcode; } int LDAPManager::writeCertificateFileIntoDirectory(TQByteArray cert, TQString attr, TQString* errstr) { int retcode; int i; if (bind() < 0) { return -1; } else { // Assemble the LDAPMod structure // We will replace any existing attributes with the new values int number_of_parameters = 1; // 1 primary attribute LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load LDAP modification requests from provided data structure i=0; add_single_binary_attribute_operation(mods, &i, attr, cert); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Perform LDAP update retcode = ldap_modify_ext_s(m_ldap, TQString("cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1").arg(m_basedc).ascii(), mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP certificate upload failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP certificate upload failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return -2; } else { return 0; } } } int LDAPManager::writePKICertificateFilesIntoDirectory(LDAPUserInfo user, TQString attr, TQString* errstr) { int retcode; int i; if (bind() < 0) { return -1; } else { // Assemble the LDAPMod structure // We will replace any existing attributes with the new values int number_of_parameters = 1; // 1 primary attribute LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Assemble list of serialized data structures TQStringList serializedCertificateList; PKICertificateEntryList::Iterator it; for (it = user.pkiCertificates.begin(); it != user.pkiCertificates.end(); ++it) { PKICertificateEntry certificateData = *it; // Serialize data TQByteArray ba; { TQDataStream stream(ba, IO_WriteOnly); stream.setPrintableData(true); stream << certificateData; } ba.resize(ba.size()+1); ba[ba.size()-1] = 0; serializedCertificateList.append(TQString(ba)); } // Load LDAP modification requests from provided data structure i=0; add_multiple_attributes_operation(mods, &i, attr, serializedCertificateList); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Perform LDAP update retcode = ldap_modify_ext_s(m_ldap, user.distinguishedName.ascii(), mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } return -2; } else { return 0; } } } TQString LDAPManager::getRealmCAMaster(TQString* errstr) { int retcode; TQString realmCAMaster; TQString dn = TQString("cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1").arg(m_basedc); if (bind(errstr) < 0) { return TQString(); } else { LDAPMessage* msg; retcode = ldap_search_ext_s(m_ldap, dn.ascii(), LDAP_SCOPE_SUBTREE, NULL, ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return TQString(); } // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { TQString result; if (parseLDAPTDEStringAttribute(entry, "publicRootCertificateOriginServer", result)) { realmCAMaster = result; } } // Clean up ldap_msgfree(msg); return realmCAMaster; } } int LDAPManager::setRealmCAMaster(TQString masterFQDN, TQString* errstr) { int retcode; int i; if (bind() < 0) { return -1; } else { // Assemble the LDAPMod structure // We will replace any existing attributes with the new values int number_of_parameters = 1; // 1 primary attribute LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load LDAP modification requests from provided data structure i=0; add_single_attribute_operation(mods, &i, "publicRootCertificateOriginServer", masterFQDN); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Perform LDAP update retcode = ldap_modify_ext_s(m_ldap, TQString("cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1").arg(m_basedc).ascii(), mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP CA master modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP CA master modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return -2; } else { return 0; } } } int LDAPManager::getLdapCertificateStoreAttribute(TQString attribute, TQString* value, TQString* errstr) { int retcode; int returncode; LDAPTDEBuiltinsInfo builtininfo; TQString dn = TQString("cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1").arg(m_basedc); if (!value) { if (errstr) *errstr = i18n("Invalid string handle passed by host application"); return -1; } if (bind(errstr) < 0) { return -1; } else { LDAPMessage* msg; retcode = ldap_search_ext_s(m_ldap, dn.ascii(), LDAP_SCOPE_SUBTREE, NULL, ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return -1; } returncode = -2; // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { char* attr; struct berval **vals; BerElement* ber; int i; LDAPTDEBuiltinsInfo builtininfo; for( attr = ldap_first_attribute(m_ldap, entry, &ber); attr != NULL; attr = ldap_next_attribute(m_ldap, entry, ber)) { if ((vals = ldap_get_values_len(m_ldap, entry, attr)) != NULL) { builtininfo.informationValid = true; TQString ldap_field = attr; i=0; if (ldap_field == attribute) { *value = vals[i]->bv_val; returncode = 0; } ldap_value_free_len(vals); } ldap_memfree(attr); } if (returncode != 0) { // Resource not found if (errstr) *errstr = i18n("Resource \"%s\" not found in LDAP certificate store").arg(attribute); } if (ber != NULL) { ber_free(ber, 0); } } // Clean up ldap_msgfree(msg); return returncode; } return -1; } int LDAPManager::setLdapCertificateStoreAttribute(TQString attribute, TQString value, TQString* errstr) { int retcode; int i; if (bind() < 0) { return -1; } else { // Assemble the LDAPMod structure // We will replace any existing attributes with the new values int number_of_parameters = 1; // 1 primary attribute LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load LDAP modification requests from provided data structure i=0; add_single_attribute_operation(mods, &i, attribute, value); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Perform LDAP update retcode = ldap_modify_ext_s(m_ldap, TQString("cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1").arg(m_basedc).ascii(), mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP certificate store attribute modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP certificate store attribute modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return -2; } else { return 0; } } } // Special method, used when creating a new Kerberos realm int LDAPManager::moveKerberosEntries(TQString newSuffix, TQString* errstr) { int retcode; if (bind(errstr) < 0) { return -1; } else { LDAPMessage* msg; TQString ldap_base_dn = m_basedc; TQString ldap_filter = "(&(objectClass=krb5Principal)(!(objectClass=posixAccount)))"; retcode = ldap_search_ext_s(m_ldap, ldap_base_dn.ascii(), LDAP_SCOPE_SUBTREE, ldap_filter.ascii(), ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if (retcode != LDAP_SUCCESS) { KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return -1; } // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { char* dn = NULL; LDAPMachineInfo machineinfo; if((dn = ldap_get_dn(m_ldap, entry)) != NULL) { TQStringList dnParts = TQStringList::split(",", dn); TQString id = dnParts[0]; retcode = ldap_rename_s(m_ldap, dn, id, newSuffix, 0, NULL, NULL); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP rename failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); return -1; } } } // Clean up ldap_msgfree(msg); return 0; } return -1; } int LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg, LDAPMachineRole machineRole, TQString *errstr) { KSimpleConfig* systemconfig; TQString m_defaultRealm; int m_ldapVersion; int m_ldapTimeout; TQString m_bindPolicy; int m_ldapBindTimeout; TQString m_passwordHash; TQString m_ignoredUsers; TQString command; systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" )); systemconfig->setGroup(NULL); m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null); m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3); m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2); m_bindPolicy = systemconfig->readEntry("ConnectionBindPolicy", "soft"); m_ldapBindTimeout = systemconfig->readNumEntry("ConnectionBindTimeout", 2); m_passwordHash = systemconfig->readEntry("ConnectionPasswordHash", "exop"); m_ignoredUsers = systemconfig->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST); TQFile file(LDAP_FILE); if (file.open(IO_WriteOnly)) { TQTextStream stream( &file ); stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; if (realmcfg.bonded) { stream << "host " << realmcfg.admin_server << "\n"; TQStringList domainChunks = TQStringList::split(".", realmcfg.name.lower()); stream << "base dc=" << domainChunks.join(",dc=") << "\n"; stream << "ldap_version " << m_ldapVersion << "\n"; stream << "timelimit " << m_ldapTimeout << "\n"; stream << "bind_timelimit " << m_ldapBindTimeout << "\n"; stream << "bind_policy " << m_bindPolicy.lower() << "\n"; stream << "pam_password " << m_passwordHash.lower() << "\n"; stream << "nss_initgroups_ignoreusers " << m_ignoredUsers << "\n"; if (machineRole == ROLE_WORKSTATION) { stream << "tls_cacert " << KERBEROS_PKI_PUBLICDIR << realmcfg.admin_server << ".ldap.crt\n"; } else { stream << "tls_cacert " << KERBEROS_PKI_PEM_FILE << "\n"; } } file.close(); } if (chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) { if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(LDAP_FILE); return -1; } // Create symbolic link to secondary LDAP configuration file if (fileExists(LDAP_SECONDARY_FILE)) { if (unlink(LDAP_SECONDARY_FILE) < 0) { if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(LDAP_SECONDARY_FILE); return -1; } } command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_SECONDARY_FILE); if (system(command) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command.ascii()); return -1; } // Create symbolic link to tertiary LDAP configuration file if (fileExists(LDAP_TERTIARY_FILE)) { if (unlink(LDAP_TERTIARY_FILE) < 0) { if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(LDAP_TERTIARY_FILE); return -1; } } command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_TERTIARY_FILE); if (system(command) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command.ascii()); return -1; } delete systemconfig; return 0; } LDAPTDEBuiltinsInfo LDAPManager::parseLDAPTDEBuiltinsRecord(LDAPMessage* entry) { char* dn = NULL; char* attr; struct berval **vals; BerElement* ber; int i; LDAPTDEBuiltinsInfo builtininfo; if((dn = ldap_get_dn(m_ldap, entry)) != NULL) { ldap_memfree(dn); } for( attr = ldap_first_attribute(m_ldap, entry, &ber); attr != NULL; attr = ldap_next_attribute(m_ldap, entry, ber)) { if ((vals = ldap_get_values_len(m_ldap, entry, attr)) != NULL) { builtininfo.informationValid = true; TQString ldap_field = attr; i=0; if (ldap_field == "builtinRealmAdminAccount") { builtininfo.builtinRealmAdminAccount = vals[i]->bv_val; } else if (ldap_field == "builtinRealmAdminGroup") { builtininfo.builtinRealmAdminGroup = vals[i]->bv_val; } else if (ldap_field == "builtinMachineAdminGroup") { builtininfo.builtinMachineAdminGroup = vals[i]->bv_val; } else if (ldap_field == "builtinStandardUserGroup") { builtininfo.builtinStandardUserGroup = vals[i]->bv_val; } ldap_value_free_len(vals); } ldap_memfree(attr); } if (ber != NULL) { ber_free(ber, 0); } return builtininfo; } bool LDAPManager::parseLDAPTDEStringAttribute(LDAPMessage* entry, TQString attribute, TQString& retval) { char* dn = NULL; char* attr; struct berval **vals; BerElement* ber; int i; bool found = false; LDAPTDEBuiltinsInfo builtininfo; if((dn = ldap_get_dn(m_ldap, entry)) != NULL) { ldap_memfree(dn); } for( attr = ldap_first_attribute(m_ldap, entry, &ber); attr != NULL; attr = ldap_next_attribute(m_ldap, entry, ber)) { if ((vals = ldap_get_values_len(m_ldap, entry, attr)) != NULL) { builtininfo.informationValid = true; TQString ldap_field = attr; i=0; if (ldap_field == attribute) { retval = TQString(vals[i]->bv_val); found = true; } ldap_value_free_len(vals); } ldap_memfree(attr); } if (ber != NULL) { ber_free(ber, 0); } return found; } LDAPMasterReplicationInfo LDAPManager::parseLDAPMasterReplicationRecord(LDAPMasterReplicationInfo replicationinfo, LDAPMessage* entry) { char* dn = NULL; char* attr; struct berval **vals; BerElement* ber; int i; if((dn = ldap_get_dn(m_ldap, entry)) != NULL) { ldap_memfree(dn); } for( attr = ldap_first_attribute(m_ldap, entry, &ber); attr != NULL; attr = ldap_next_attribute(m_ldap, entry, ber)) { if ((vals = ldap_get_values_len(m_ldap, entry, attr)) != NULL) { TQString ldap_field = attr; if (ldap_field == "olcServerID") { i=0; while (vals[i] != NULL) { TQStringList serverIDMapping = TQStringList::split(" ", TQString(vals[i]->bv_val), FALSE); LDAPMasterReplicationMapping mapping; mapping.id = serverIDMapping[0].toInt(); mapping.fqdn = serverIDMapping[1]; mapping.fqdn.replace("ldap:", ""); mapping.fqdn.replace("ldaps:", ""); mapping.fqdn.replace("/", ""); replicationinfo.serverIDs.append(mapping); i++; } replicationinfo.informationValid = true; } else if (ldap_field == "olcMirrorMode") { i=0; TQString mirrorModeEnabled(vals[i]->bv_val); if (mirrorModeEnabled == "TRUE") { replicationinfo.enabled = true; } else { replicationinfo.enabled = false; } } ldap_value_free_len(vals); } ldap_memfree(attr); } if (ber != NULL) { ber_free(ber, 0); } return replicationinfo; } TQString LDAPManager::parseLDAPSyncProvOverlayConfigRecord(LDAPMessage* entry) { char* dn = NULL; char* attr; struct berval **vals; BerElement* ber; int i; TQString syncProvEntry; if((dn = ldap_get_dn(m_ldap, entry)) != NULL) { ldap_memfree(dn); } for( attr = ldap_first_attribute(m_ldap, entry, &ber); attr != NULL; attr = ldap_next_attribute(m_ldap, entry, ber)) { if ((vals = ldap_get_values_len(m_ldap, entry, attr)) != NULL) { TQString ldap_field = attr; if (ldap_field == "olcOverlay") { i=0; while (vals[i] != NULL) { TQString value(vals[i]->bv_val); if (value.endsWith("}syncprov")) { syncProvEntry = value; } i++; } } ldap_value_free_len(vals); } ldap_memfree(attr); } if (ber != NULL) { ber_free(ber, 0); } return syncProvEntry; } LDAPTDEBuiltinsInfo LDAPManager::getTDEBuiltinMappings(TQString *errstr) { int retcode; LDAPTDEBuiltinsInfo builtininfo; TQString dn = TQString("cn=builtin mappings,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1").arg(m_basedc); if (bind(errstr) < 0) { return LDAPTDEBuiltinsInfo(); } else { LDAPMessage* msg; retcode = ldap_search_ext_s(m_ldap, dn.ascii(), LDAP_SCOPE_SUBTREE, NULL, ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return LDAPTDEBuiltinsInfo(); } // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { builtininfo = parseLDAPTDEBuiltinsRecord(entry); } // Clean up ldap_msgfree(msg); return builtininfo; } return LDAPTDEBuiltinsInfo(); } LDAPMasterReplicationInfo LDAPManager::getLDAPMasterReplicationSettings(TQString *errstr) { int retcode; LDAPMasterReplicationInfo replicationinfo; if (bind(errstr) < 0) { return LDAPMasterReplicationInfo(); } else { // Check cn=config settings LDAPMessage* msg; retcode = ldap_search_ext_s(m_ldap, "cn=config", LDAP_SCOPE_SUBTREE, NULL, ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return LDAPMasterReplicationInfo(); } // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { LDAPMasterReplicationInfo potentialReplicationInfo; potentialReplicationInfo = parseLDAPMasterReplicationRecord(LDAPMasterReplicationInfo(), entry); if (potentialReplicationInfo.informationValid) { replicationinfo = potentialReplicationInfo; } } // Clean up ldap_msgfree(msg); // Set OpenLDAP defaults replicationinfo.enabled = false; // Check olcDatabase 0 configuration settings retcode = ldap_search_ext_s(m_ldap, "olcDatabase={0}config,cn=config", LDAP_SCOPE_SUBTREE, NULL, ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return LDAPMasterReplicationInfo(); } // Iterate through the returned entries for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { replicationinfo = parseLDAPMasterReplicationRecord(replicationinfo, entry); } // Clean up ldap_msgfree(msg); return replicationinfo; } return LDAPMasterReplicationInfo(); } int LDAPManager::setLDAPMasterReplicationSettings(LDAPMasterReplicationInfo replicationinfo, TQString *errstr) { int retcode; int i; if (bind(errstr) < 0) { return -1; } else { if (replicationinfo.enabled) { if (!errstr && (replicationinfo.syncDN == "")) { replicationinfo.syncDN = "cn=admin," + m_basedc; } if (!errstr && replicationinfo.syncPassword.isNull()) { LDAPPasswordDialog passdlg(0, 0, false, false); passdlg.m_base->ldapAdminRealm->setEnabled(false); passdlg.m_base->ldapAdminRealm->insertItem(m_realm); passdlg.m_base->ldapUseTLS->hide(); passdlg.m_base->ldapAdminUsername->setEnabled(false); passdlg.m_base->ldapAdminUsername->setText(replicationinfo.syncDN); if (passdlg.exec() == TQDialog::Accepted) { replicationinfo.syncPassword = passdlg.m_base->ldapAdminPassword->password(); } } if ((replicationinfo.syncDN == "") || (replicationinfo.syncPassword.isNull())) { if (errstr) *errstr = i18n("LDAP modification failure

Reason: Invalid multi-master synchronization credentials provided"); else KMessageBox::error(0, i18n("LDAP modification failure

Reason: Invalid multi-master synchronization credentials provided"), i18n("User Error")); return -1; } // Test credentials before continuing LDAPCredentials* credentials = new LDAPCredentials; credentials->username = replicationinfo.syncDN; credentials->password = replicationinfo.syncPassword; credentials->realm = m_realm; LDAPManager* ldap_mgr = new LDAPManager(m_realm, "ldapi://", credentials); TQString errorstring; if (ldap_mgr->bind(&errorstring) != 0) { delete ldap_mgr; if (errstr) *errstr = i18n("LDAP modification failure

Reason: Invalid multi-master synchronization credentials provided"); else KMessageBox::error(0, i18n("LDAP modification failure

Reason: Invalid multi-master synchronization credentials provided"), i18n("User Error")); return -1; } delete ldap_mgr; } if (replicationinfo.serverIDs.count() <= 0) { replicationinfo.enabled = false; } if (replicationinfo.serverIDs.count() > 0) { // Assemble the LDAPMod structure // We will replace any existing attributes with the new values int number_of_parameters = 1; // 1 primary attribute LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load LDAP modification requests from provided data structure i=0; TQStringList serverMappingList; LDAPMasterReplicationMap::iterator it; for (it = replicationinfo.serverIDs.begin(); it != replicationinfo.serverIDs.end(); ++it) { serverMappingList.append(TQString("%1 ldaps://%2/").arg((*it).id).arg((*it).fqdn)); } add_multiple_attributes_operation(mods, &i, "olcServerID", serverMappingList); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Perform LDAP update retcode = ldap_modify_ext_s(m_ldap, "cn=config", mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if (retcode == LDAP_NO_SUCH_ATTRIBUTE) { // Add new object instead // Assemble the LDAPMod structure // We will replace any existing attributes with the new values int number_of_parameters = 1; // 1 primary attribute LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load LDAP modification requests from provided data structure i=0; TQStringList serverMappingList; LDAPMasterReplicationMap::iterator it; for (it = replicationinfo.serverIDs.begin(); it != replicationinfo.serverIDs.end(); ++it) { serverMappingList.append(TQString("%1 ldaps://%2/").arg((*it).id).arg((*it).fqdn)); } create_multiple_attributes_operation(mods, &i, "olcServerID", serverMappingList); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Perform LDAP update retcode = ldap_add_ext_s(m_ldap, "cn=config", mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); } if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return -2; } } else { // Delete the olcServerID entry // Assemble the LDAPMod structure int number_of_parameters = 1; // 1 primary attribute LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load LDAP delete request i=0; delete_single_attribute_operation(mods, &i, "olcServerID"); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Perform LDAP update retcode = ldap_modify_ext_s(m_ldap, "cn=config", mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if ((retcode != LDAP_SUCCESS) && (retcode != LDAP_NO_SUCH_ATTRIBUTE)) { if (errstr) *errstr = i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return -2; } } { if (replicationinfo.enabled) { // Config Database { // Assemble the LDAPMod structure // We will replace any existing attributes with the new values int number_of_parameters = 2; // 2 primary attributes LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load LDAP modification requests from provided data structure i=0; TQStringList syncReplServerList; LDAPMasterReplicationMap::iterator it; int rid = 1; for (it = replicationinfo.serverIDs.begin(); it != replicationinfo.serverIDs.end(); ++it) { TQString ridString; TQString serverSyncReplString; TQString databaseDN; ridString.sprintf("%03d", rid); databaseDN = "cn=config"; serverSyncReplString = TQString("rid=%1 provider=ldaps://%2/ binddn=\"%3\" bindmethod=simple credentials=\"%4\" searchbase=\"%5\" filter=\"%6\" type=refreshAndPersist scope=\"sub\" attrs=\"*,+\" schemachecking=off retry=\"%7\" timeout=%8 tls_reqcert=%9").arg(ridString).arg((*it).fqdn).arg(replicationinfo.syncDN).arg(replicationinfo.syncPassword).arg(databaseDN).arg((replicationinfo.replicate_olcGlobal)?"(objectClass=*)":"(&(objectclass=*)(!(objectclass=olcGlobal)))").arg(replicationinfo.retryMethod).arg(replicationinfo.timeout).arg((replicationinfo.ignore_ssl_failure)?"never":"demand"); if (replicationinfo.certificateFile != "") { serverSyncReplString.append(TQString(" tls_cert=\"%1\"").arg(replicationinfo.certificateFile)); } if (replicationinfo.caCertificateFile != "") { serverSyncReplString.append(TQString(" tls_cacert=\"%1\"").arg(replicationinfo.caCertificateFile)); } syncReplServerList.append(serverSyncReplString); rid++; } add_multiple_attributes_operation(mods, &i, "olcSyncRepl", syncReplServerList); add_single_attribute_operation(mods, &i, "olcMirrorMode", "TRUE"); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Perform LDAP update retcode = ldap_modify_ext_s(m_ldap, "olcDatabase={0}config,cn=config", mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return -2; } } // Main Database { // Assemble the LDAPMod structure // We will replace any existing attributes with the new values int number_of_parameters = 2; // 2 primary attributes LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load LDAP modification requests from provided data structure i=0; TQStringList syncReplServerList; LDAPMasterReplicationMap::iterator it; int rid = 1; for (it = replicationinfo.serverIDs.begin(); it != replicationinfo.serverIDs.end(); ++it) { TQString ridString; TQString serverSyncReplString; TQString databaseDN; ridString.sprintf("%03d", rid); databaseDN = m_basedc; serverSyncReplString = TQString("rid=%1 provider=ldaps://%2/ binddn=\"%3\" bindmethod=simple credentials=\"%4\" searchbase=\"%5\" filter=\"%6\" type=refreshAndPersist scope=\"sub\" attrs=\"*,+\" schemachecking=off retry=\"%7\" timeout=%8 tls_reqcert=%9").arg(ridString).arg((*it).fqdn).arg(replicationinfo.syncDN).arg(replicationinfo.syncPassword).arg(databaseDN).arg((replicationinfo.replicate_olcGlobal)?"(objectClass=*)":"(&(objectclass=*)(!(objectclass=olcGlobal)))").arg(replicationinfo.retryMethod).arg(replicationinfo.timeout).arg((replicationinfo.ignore_ssl_failure)?"never":"demand"); if (replicationinfo.certificateFile != "") { serverSyncReplString.append(TQString(" tls_cert=\"%1\"").arg(replicationinfo.certificateFile)); } if (replicationinfo.caCertificateFile != "") { serverSyncReplString.append(TQString(" tls_cacert=\"%1\"").arg(replicationinfo.caCertificateFile)); } syncReplServerList.append(serverSyncReplString); rid++; } add_multiple_attributes_operation(mods, &i, "olcSyncRepl", syncReplServerList); add_single_attribute_operation(mods, &i, "olcMirrorMode", "TRUE"); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Perform LDAP update retcode = ldap_modify_ext_s(m_ldap, "olcDatabase={1}hdb,cn=config", mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return -2; } } } else { // Delete the olcSyncRepl and olcMirrorMode entries // Main Database { // Assemble the LDAPMod structure int number_of_parameters = 2; // 2 primary attributes LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load LDAP delete request i=0; delete_single_attribute_operation(mods, &i, "olcSyncRepl"); delete_single_attribute_operation(mods, &i, "olcMirrorMode"); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Perform LDAP update retcode = ldap_modify_ext_s(m_ldap, "olcDatabase={1}hdb,cn=config", mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if ((retcode != LDAP_SUCCESS) && (retcode != LDAP_NO_SUCH_ATTRIBUTE)) { if (errstr) *errstr = i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return -2; } } // Config Database { // Assemble the LDAPMod structure int number_of_parameters = 2; // 2 primary attributes LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load LDAP delete request i=0; delete_single_attribute_operation(mods, &i, "olcSyncRepl"); delete_single_attribute_operation(mods, &i, "olcMirrorMode"); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Perform LDAP update retcode = ldap_modify_ext_s(m_ldap, "olcDatabase={0}config,cn=config", mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if ((retcode != LDAP_SUCCESS) && (retcode != LDAP_NO_SUCH_ATTRIBUTE)) { if (errstr) *errstr = i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP modification failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return -2; } } } // Get current active replication settings TQString* readOnlyErrorString = NULL; LDAPMasterReplicationInfo currentReplicationInfo = getLDAPMasterReplicationSettings(readOnlyErrorString); if (readOnlyErrorString) { // Uh oh if (errstr) *errstr = *readOnlyErrorString; else KMessageBox::error(0, *readOnlyErrorString, i18n("LDAP Error")); return -2; } if (replicationinfo.enabled) { // Set up replication // NOTE: The syncprov module itself is already loaded by the stock TDE LDAP configuration // Check to see if the syncprov overlay entries already exist bool haveOlcOverlaySyncProv = false; LDAPMessage* msg; retcode = ldap_search_ext_s(m_ldap, "olcDatabase={0}config,cn=config", LDAP_SCOPE_SUBTREE, NULL, ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return -2; } // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { if (parseLDAPSyncProvOverlayConfigRecord(entry) != "") { haveOlcOverlaySyncProv = true; } } // Clean up ldap_msgfree(msg); if (!haveOlcOverlaySyncProv) { // Create the base DN entry int number_of_parameters = 1; // 1 primary attribute LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load initial required LDAP object attributes i=0; TQStringList objectClassList; objectClassList.append("olcOverlayConfig"); objectClassList.append("olcSyncProvConfig"); create_multiple_attributes_operation(mods, &i, "objectClass", objectClassList); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Add new object retcode = ldap_add_ext_s(m_ldap, "olcOverlay=syncprov,olcDatabase={0}config,cn=config", mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP overlay configuration failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP overlay configuration failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } return -2; } } haveOlcOverlaySyncProv = false; retcode = ldap_search_ext_s(m_ldap, "olcDatabase={1}hdb,cn=config", LDAP_SCOPE_SUBTREE, NULL, ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return -2; } // Iterate through the returned entries for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { if (parseLDAPSyncProvOverlayConfigRecord(entry) != "") { haveOlcOverlaySyncProv = true; } } // Clean up ldap_msgfree(msg); if (!haveOlcOverlaySyncProv) { // Create the base DN entry int number_of_parameters = 1; // 1 primary attribute LDAPMod *mods[number_of_parameters+1]; set_up_attribute_operations(mods, number_of_parameters); // Load initial required LDAP object attributes i=0; TQStringList objectClassList; objectClassList.append("olcOverlayConfig"); objectClassList.append("olcSyncProvConfig"); create_multiple_attributes_operation(mods, &i, "objectClass", objectClassList); LDAPMod *prevterm = mods[i]; mods[i] = NULL; // Add new object retcode = ldap_add_ext_s(m_ldap, "olcOverlay=syncprov,olcDatabase={1}hdb,cn=config", mods, NULL, NULL); // Clean up clean_up_attribute_operations(i, mods, prevterm, number_of_parameters); if (retcode != LDAP_SUCCESS) { if (errstr) { *errstr = i18n("LDAP overlay configuration failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); } else { KMessageBox::error(0, i18n("LDAP overlay configuration failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); } return -2; } } } else { // FIXME // OpenLDAP does not support removing overlays from the cn=config interface (i.e., once they are enabled above, they stay unless manually deleted from the config files) // See http://www.openldap.org/lists/openldap-software/200811/msg00103.html // If it were possible, the code would look something like this: // retcode = ldap_delete_ext_s(m_ldap, olcOverlaySyncProvAttr + ",olcDatabase={0}config,cn=config", NULL, NULL); // retcode = ldap_delete_ext_s(m_ldap, olcOverlaySyncProvAttr + ",olcDatabase={1}hdb,cn=config", NULL, NULL); } return 0; } } return -1; } int LDAPManager::getTDECertificate(TQString certificateName, TQByteArray *certificate, TQString *errstr) { int retcode; int returncode; LDAPTDEBuiltinsInfo builtininfo; TQString dn = TQString("cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1").arg(m_basedc); if (!certificate) { if (errstr) *errstr = i18n("Invalid certificate handle passed by host application"); return -1; } if (bind(errstr) < 0) { return -1; } else { LDAPMessage* msg; retcode = ldap_search_ext_s(m_ldap, dn.ascii(), LDAP_SCOPE_SUBTREE, NULL, ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg); if (retcode != LDAP_SUCCESS) { if (errstr) *errstr = i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)); else KMessageBox::error(0, i18n("LDAP search failure

Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error")); return -1; } returncode = -2; // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { char* attr; struct berval **vals; BerElement* ber; int i; LDAPTDEBuiltinsInfo builtininfo; for( attr = ldap_first_attribute(m_ldap, entry, &ber); attr != NULL; attr = ldap_next_attribute(m_ldap, entry, ber)) { if ((vals = ldap_get_values_len(m_ldap, entry, attr)) != NULL) { builtininfo.informationValid = true; TQString ldap_field = attr; i=0; if (ldap_field == certificateName) { certificate->duplicate(vals[i]->bv_val, vals[i]->bv_len); returncode = 0; } ldap_value_free_len(vals); } ldap_memfree(attr); } if (returncode != 0) { // Resource not found if (errstr) *errstr = i18n("Resource \"%1\" not found in LDAP database").arg(certificateName); } if (ber != NULL) { ber_free(ber, 0); } } // Clean up ldap_msgfree(msg); return returncode; } return -1; } int LDAPManager::getTDECertificate(TQString certificateName, TQFile *fileHandle, TQString *errstr) { int returncode; if (!fileHandle) { if (errstr) *errstr = i18n("Invalid file handle passed by host application"); return -1; } TQByteArray ba; returncode = getTDECertificate(certificateName, &ba, errstr); if (returncode == 0) { if (fileHandle->isOpen()) { printf("[WARNING] File \"%s\" was already open, closing...\n", TQFile::encodeName(fileHandle->name()).data()); fileHandle->close(); } if (fileHandle->open(IO_WriteOnly)) { fileHandle->writeBlock(ba); fileHandle->close(); if (chmod(TQFile::encodeName(fileHandle->name()).data(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) { if (errstr) *errstr = i18n("Unable to change permissions of \"%1\"").arg(TQFile::encodeName(fileHandle->name()).data()); return -1; } else { return 0; } } else { if (errstr) *errstr = i18n("Unable to open file \"%1\" for writing").arg(TQFile::encodeName(fileHandle->name()).data()); return -1; } } return returncode; } int LDAPManager::getTDECertificate(TQString certificateName, TQString fileName, TQString *errstr) { TQFile file(fileName); return getTDECertificate(certificateName, &file, errstr); } int LDAPManager::writeSudoersConfFile(TQString *errstr) { LDAPTDEBuiltinsInfo tdebuiltins = getTDEBuiltinMappings(errstr); if (!tdebuiltins.informationValid) { if (errstr) *errstr = i18n("Unable to read builtin TDE user/group mappings"); return -1; } TQString localadmingroup = tdebuiltins.builtinMachineAdminGroup; int eqpos = localadmingroup.find("=")+1; int cmpos = localadmingroup.find(",", eqpos); localadmingroup.truncate(cmpos); localadmingroup.remove(0, eqpos); TQFile file(TDELDAP_SUDO_D_FILE); if (file.open(IO_WriteOnly)) { TQTextStream stream( &file ); stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; stream << "# Realm local machine administrators\n"; stream << "%" << localadmingroup << " ALL=NOPASSWD: ALL" << "\n"; file.close(); } if (chown(TDELDAP_SUDO_D_FILE, 0, 0) < 0) { printf("ERROR: Unable to change owner of \"%s\"\n", TDELDAP_SUDO_D_FILE); return -1; } if (chmod(TDELDAP_SUDO_D_FILE, S_IRUSR|S_IRGRP) < 0) { printf("ERROR: Unable to change permissions of \"%s\"\n", TDELDAP_SUDO_D_FILE); return -1; } return 0; } int LDAPManager::writeClientCronFiles(TQString *errstr) { TQFile file(CRON_UPDATE_NSS_FILE); if (file.open(IO_WriteOnly)) { TQTextStream stream( &file ); stream << "#!/bin/sh" << "\n"; stream << "\n"; stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; stream << CRON_UPDATE_NSS_COMMAND << "\n"; file.close(); if (chmod(CRON_UPDATE_NSS_FILE, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) < 0) { if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(CRON_UPDATE_NSS_FILE); return -1; } } else { if (errstr) *errstr = TQString("Unable to write file \"%1\"").arg(CRON_UPDATE_NSS_FILE); return -1; } if (system(CRON_UPDATE_NSS_COMMAND) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(CRON_UPDATE_NSS_COMMAND); return -1; } return 0; } int LDAPManager::writePrimaryRealmCertificateUpdateCronFile(TQString *errstr) { TQFile file(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_FILE); if (file.open(IO_WriteOnly)) { TQTextStream stream( &file ); stream << "#!/bin/sh" << "\n"; stream << "\n"; stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; stream << CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND << "\n"; stream << CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_OPENLDAP_RELOAD_COMMAND << "\n"; file.close(); if (chmod(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_FILE, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) < 0) { if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_FILE); return -1; } } else { if (errstr) *errstr = TQString("Unable to write file \"%1\"").arg(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_FILE); return -1; } if (system(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND); return -1; } return 0; } int LDAPManager::installCACertificateInHostCAStore(TQString *errstr) { TQString command; if (!TQDir(SYSTEM_CA_STORE_CERT_LOCATION "ldap-trinity").exists()) { command = TQString("ln -s %1 %2").arg(KERBEROS_PKI_PUBLICDIR).arg(SYSTEM_CA_STORE_CERT_LOCATION "ldap-trinity"); if (system(command) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command); return -1; } if (system(SYSTEM_CA_STORE_REGENERATE_COMMAND) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(SYSTEM_CA_STORE_REGENERATE_COMMAND); return -1; } } return 0; } int LDAPManager::retrieveAndInstallCaCrl(LDAPManager* manager, TQString *errstr) { int retcode = 0; LDAPManager* ldap_mgr = manager; KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" )); LDAPRealmConfigList realms = LDAPManager::readTDERealmList(systemconfig, false); if (!ldap_mgr) { // Get default settings TQString defaultRealm = systemconfig->readEntry("DefaultRealm"); if (defaultRealm == "") { delete systemconfig; return 0; } // Bind anonymously to LDAP LDAPCredentials* credentials = new LDAPCredentials; credentials->username = ""; credentials->password = ""; credentials->realm = defaultRealm.upper(); credentials->use_tls = true; ldap_mgr = new LDAPManager(defaultRealm.upper(), TQString("ldaps://%1").arg(realms[defaultRealm].admin_server).ascii(), credentials); } // Get and install the CA root CRL from LDAP mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); if (ldap_mgr->getTDECertificate("publicRootCertificateRevocationList", KERBEROS_PKI_PUBLICDIR + realms[ldap_mgr->realm()].admin_server + ".ldap.crl", errstr) != 0) { retcode = -1; } if (!manager) { delete ldap_mgr; } delete systemconfig; return retcode; } LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool disableAllBonds) { LDAPRealmConfigList realms; TQStringList cfgRealms = config->groupList(); for (TQStringList::Iterator it(cfgRealms.begin()); it != cfgRealms.end(); ++it) { if ((*it).startsWith("LDAPRealm-")) { config->setGroup(*it); TQString realmName=*it; realmName.remove(0,strlen("LDAPRealm-")); if (!realms.contains(realmName)) { // Read in realm data LDAPRealmConfig realmcfg; realmcfg.name = realmName; if (!disableAllBonds) { realmcfg.bonded = config->readBoolEntry("bonded"); } else { realmcfg.bonded = false; } realmcfg.uid_offset = config->readNumEntry("uid_offset"); realmcfg.gid_offset = config->readNumEntry("gid_offset"); realmcfg.domain_mappings = config->readListEntry("domain_mappings"); realmcfg.kdc = config->readEntry("kdc"); realmcfg.kdc_port = config->readNumEntry("kdc_port"); realmcfg.admin_server = config->readEntry("admin_server"); realmcfg.admin_server_port = config->readNumEntry("admin_server_port"); realmcfg.pkinit_require_eku = config->readBoolEntry("pkinit_require_eku"); realmcfg.pkinit_require_krbtgt_otherName = config->readBoolEntry("pkinit_require_krbtgt_otherName"); realmcfg.win2k_pkinit = config->readBoolEntry("win2k_pkinit"); realmcfg.win2k_pkinit_require_binding = config->readBoolEntry("win2k_pkinit_require_binding"); // Add realm to list realms.insert(realmName, realmcfg); } } } return realms; } int LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config, TQString *errstr) { Q_UNUSED(errstr) LDAPRealmConfigList::Iterator it; for (it = realms.begin(); it != realms.end(); ++it) { LDAPRealmConfig realmcfg = it.data(); TQString configRealmName = realmcfg.name; configRealmName.prepend("LDAPRealm-"); config->setGroup(configRealmName); // Save realm settings config->writeEntry("bonded", realmcfg.bonded); config->writeEntry("uid_offset", realmcfg.uid_offset); config->writeEntry("gid_offset", realmcfg.gid_offset); config->writeEntry("domain_mappings", realmcfg.domain_mappings); config->writeEntry("kdc", realmcfg.kdc); config->writeEntry("kdc_port", realmcfg.kdc_port); config->writeEntry("admin_server", realmcfg.admin_server); config->writeEntry("admin_server_port", realmcfg.admin_server_port); config->writeEntry("pkinit_require_eku", realmcfg.pkinit_require_eku); config->writeEntry("pkinit_require_krbtgt_otherName", realmcfg.pkinit_require_krbtgt_otherName); config->writeEntry("win2k_pkinit", realmcfg.win2k_pkinit); config->writeEntry("win2k_pkinit_require_binding", realmcfg.win2k_pkinit_require_binding); } // Delete any realms that do not exist in the realms database TQStringList cfgRealms = config->groupList(); for (TQStringList::Iterator it(cfgRealms.begin()); it != cfgRealms.end(); ++it) { if ((*it).startsWith("LDAPRealm-")) { config->setGroup(*it); TQString realmName=*it; realmName.remove(0,strlen("LDAPRealm-")); if (!realms.contains(realmName)) { config->deleteGroup(*it); } } } return 0; } TQDateTime LDAPManager::getCertificateExpiration(TQByteArray certfileContents) { TQDateTime ret; KSSLCertificate* cert = NULL; TQCString ssldata(certfileContents); if (certfileContents.size() > 0) { ssldata[certfileContents.size()] = 0; ssldata.replace("\n", ""); if (ssldata.contains("-----BEGIN CERTIFICATE-----")) { ssldata.replace("-----BEGIN CERTIFICATE-----", ""); ssldata.replace("-----END CERTIFICATE-----", ""); cert = KSSLCertificate::fromString(ssldata); if (cert) { ret = cert->getQDTNotAfter(); delete cert; } } else if (ssldata.contains("-----BEGIN X509 CRL-----")) { ssldata.replace("-----BEGIN X509 CRL-----", ""); ssldata.replace("-----END X509 CRL-----", ""); cert = KSSLCertificate::crlFromString(ssldata); if (cert) { ret = cert->getQDTNextUpdate(); delete cert; } } } return ret; } TQDateTime LDAPManager::getCertificateExpiration(TQString certfile) { TQDateTime ret; TQFile file(certfile); if (file.open(IO_ReadOnly)) { TQByteArray ba = file.readAll(); file.close(); ret = getCertificateExpiration(ba); } return ret; } int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg) { TQString errstr; TQString command; TQString subject; if (writeOpenSSLConfigurationFile(realmcfg, &errstr) != 0) { printf("ERROR: Unable to generate OpenSSL configuration file! Details: '%s'\n", errstr.ascii()); return -1; } subject = TQString("/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); command = TQString("openssl req -days %1 -key \"%2\" -new -x509 -out \"%3\" -config \"%4\" -subj \"%5\"").arg(certinfo.caExpiryDays).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(OPENSSL_EXTENSIONS_FILE).arg(subject); if (system(command) < 0) { printf("ERROR: Execution of \"%s\" failed!\n", command.ascii()); return -1; } if (chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) { printf("ERROR: Unable to change permissions of \"%s\"\n", KERBEROS_PKI_PEM_FILE); return -1; } if (chown(KERBEROS_PKI_PEM_FILE, 0, 0) < 0) { printf("ERROR: Unable to change owner of \"%s\"\n", KERBEROS_PKI_PEM_FILE); return -1; } return 0; } int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg) { TQString errstr; TQString command; TQString subject; if (writeOpenSSLConfigurationFile(realmcfg, &errstr) != 0) { printf("ERROR: Unable to generate OpenSSL configuration file! Details: '%s'\n", errstr.ascii()); return -1; } TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE; TQString kdc_reqfile = KERBEROS_PKI_KDCREQ_FILE; kdc_certfile.replace("@@@KDCSERVER@@@", realmcfg.name.lower()); kdc_keyfile.replace("@@@KDCSERVER@@@", realmcfg.name.lower()); kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.name.lower()); TQString common_name = TQString::null; if (realmcfg.kdc != "") { common_name = TQString("/CN=%1").arg(realmcfg.kdc); } subject = TQString("/C=%1/ST=%2/L=%3/O=%4/OU=%5%6%7").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(openssldcForRealm(realmcfg.name)).arg(common_name); command = TQString("openssl req -days %1 -new -out \"%2\" -key \"%3\" -config \"%4\" -subj \"%5\"").arg(certinfo.kerberosExpiryDays).arg(kdc_reqfile).arg(kdc_keyfile).arg(OPENSSL_EXTENSIONS_FILE).arg(subject); if (system(command) < 0) { printf("ERROR: Execution of \"%s\" failed!\n", command.ascii()); return -1; } command = TQString("openssl x509 -req -days %1 -in \"%2\" -CAkey \"%3\" -CA \"%4\" -out \"%5\" -extfile \"%6\" -extensions pkinit_kdc_cert -CAcreateserial").arg(certinfo.kerberosExpiryDays).arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE); if (system(command) < 0) { printf("ERROR: Execution of \"%s\" failed!\n", command.ascii()); return -1; } if (chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) { printf("ERROR: Unable to change permissions of \"%s\"\n", kdc_certfile.ascii()); return -1; } if (chown(kdc_certfile.ascii(), 0, 0) < 0) { printf("ERROR: Unable to change owner of \"%s\"\n", kdc_certfile.ascii()); return -1; } if (fileExists(kdc_reqfile.ascii())) { if (unlink(kdc_reqfile.ascii()) < 0) { printf("ERROR: Unable to unlink \"%s\"\n", kdc_reqfile.ascii()); return -1; } } return 0; } int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid) { TQString errstr; TQString command; TQString subject; if (writeOpenSSLConfigurationFile(realmcfg, &errstr) != 0) { printf("ERROR: Unable to generate OpenSSL configuration file! Details: '%s'\n", errstr.ascii()); return -1; } TQString ldap_certfile = LDAP_CERT_FILE; TQString ldap_keyfile = LDAP_CERTKEY_FILE; TQString ldap_reqfile = LDAP_CERTREQ_FILE; ldap_certfile.replace("@@@ADMINSERVER@@@", realmcfg.name.lower()); ldap_keyfile.replace("@@@ADMINSERVER@@@", realmcfg.name.lower()); ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.name.lower()); TQString common_name = TQString::null; if (realmcfg.kdc != "") { common_name = TQString("/CN=%1").arg(realmcfg.kdc); } subject = TQString("/C=%1/ST=%2/L=%3/O=%4/OU=%5%6%7").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(openssldcForRealm(realmcfg.name)).arg(common_name); command = TQString("openssl req -days %1 -new -out \"%2\" -key \"%3\" -config \"%4\" -subj \"%5\"").arg(certinfo.ldapExpiryDays).arg(ldap_reqfile).arg(ldap_keyfile).arg(OPENSSL_EXTENSIONS_FILE).arg(subject); if (system(command) < 0) { printf("ERROR: Execution of \"%s\" failed!\n", command.ascii()); return -1; } command = TQString("openssl x509 -req -days %1 -in \"%2\" -CAkey \"%3\" -CA \"%4\" -out \"%5\" -CAcreateserial").arg(certinfo.ldapExpiryDays).arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile); if (system(command) < 0) { printf("ERROR: Execution of \"%s\" failed!\n", command.ascii()); return -1; } if (chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) { printf("ERROR: Unable to change permissions of \"%s\"\n", ldap_certfile.ascii()); return -1; } if (chown(ldap_certfile.ascii(), ldap_uid, ldap_gid) < 0) { printf("ERROR: Unable to change owner of \"%s\"\n", ldap_certfile.ascii()); return -1; } if (fileExists(ldap_reqfile.ascii())) { if (unlink(ldap_reqfile.ascii()) < 0) { printf("ERROR: Unable to unlink \"%s\"\n", ldap_reqfile.ascii()); return -1; } } return 0; } int LDAPManager::generateClientCertificatePair(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, int clientKeyBitLength, TQString autoLoginPIN, TQString *errstr) { int ret; ret = generateClientCertificatePrivateKey(privateKeyFile, clientKeyBitLength, errstr); if (ret == 0) { ret = generateClientCertificatePublicCertificate(expirydays, user, realmcfg, signingPrivateKeyFile, privateKeyFile, publicCertFile, autoLoginPIN, errstr); } return ret; } int LDAPManager::generateClientCertificatePrivateKey(TQString privateKeyFile, int clientKeyBitLength, TQString *errstr) { TQString command; TQString subject; TQString client_keyfile = privateKeyFile; TQString client_reqfile = privateKeyFile + ".req"; TQString client_cfgfile = privateKeyFile + ".cfg"; // Create private key command = TQString("openssl genrsa -out \"%1\" %2").arg(client_keyfile).arg(clientKeyBitLength); if (system(command) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command); return -1; } // Secure keyfile if (chmod(client_keyfile.ascii(), S_IRUSR|S_IWUSR) < 0) { if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(client_keyfile); return -1; } if (chown(client_keyfile.ascii(), 0, 0) < 0) { printf("[WARNING] Unable to change owner of \"%s\"\n", client_keyfile.ascii()); } // Clean up if (fileExists(client_cfgfile.ascii())) { if (unlink(client_cfgfile.ascii()) < 0) { if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(client_cfgfile); return -1; } } return 0; } int LDAPManager::generateClientCertificatePublicCertificate(int expirydays, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString autoLoginPIN, TQString *errstr) { TQString command; TQString subject; TQString client_certfile = publicCertFile; TQString client_keyfile = privateKeyFile; TQString client_reqfile = privateKeyFile + ".req"; TQString client_cfgfile = privateKeyFile + ".cfg"; // The public certificate location varies based on the machine role // Prefer the bonded realm's certificate if available TQString signing_public_certfile = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crt"; if (!TQFile(signing_public_certfile).exists()) { signing_public_certfile = KERBEROS_PKI_PEM_FILE; } if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, TQString::null, TQString::null, TQString::null, autoLoginPIN, errstr) != 0) { return -1; } TQString common_name = TQString::null; if (user.name != "") { // TODO // Determine if uid or CN is the best identifier // common_name = TQString("/uid=%1").arg(user.name); common_name = TQString("/CN=%1").arg(user.name); } subject = TQString("%1%2").arg(openssldcForRealm(realmcfg.name)).arg(common_name); command = TQString("openssl req -days %1 -new -out \"%2\" -key \"%3\" -config \"%4\" -subj \"%5\"").arg(expirydays).arg(client_reqfile).arg(client_keyfile).arg(client_cfgfile).arg(subject); if (system(command) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command); return -1; } command = TQString("openssl x509 -req -days %1 -in \"%2\" -CAkey \"%3\" -CA \"%4\" -out \"%5\" -extfile \"%6\" -extensions pkinit_client_cert -CAcreateserial").arg(expirydays).arg(client_reqfile).arg(signingPrivateKeyFile).arg(signing_public_certfile).arg(client_certfile).arg(client_cfgfile); if (system(command) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command); return -1; } // Secure certificate if (chmod(client_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) { if (errstr) *errstr = TQString("Unable to change permissions of \"%1\"").arg(client_certfile); return -1; } if (chown(client_certfile.ascii(), 0, 0) < 0) { printf("[WARNING] Unable to change owner of \"%s\"\n", client_certfile.ascii()); } // Clean up if (fileExists(client_cfgfile.ascii())) { if (unlink(client_cfgfile.ascii()) < 0) { if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(client_cfgfile); return -1; } } if (fileExists(client_reqfile.ascii())) { if (unlink(client_reqfile.ascii()) < 0) { if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(client_reqfile); return -1; } } return 0; } int LDAPManager::generatePKICRL(int expirydays, LDAPRealmConfig realmcfg, TQString crlFile, TQString signingPrivateKeyFile, TQString revocationDatabaseFile, TQString *errstr) { int retcode; TQString command; LDAPUserInfoList userList = this->users(&retcode, errstr); if (retcode == 0) { // Generate base CRL TQString crl_certfile = crlFile; TQString revoked_certfile = crlFile + ".rev"; // The public certificate location varies based on the machine role // Prefer the bonded realm's certificate if available TQString signing_public_certfile = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crt"; if (!TQFile(signing_public_certfile).exists()) { signing_public_certfile = KERBEROS_PKI_PEM_FILE; } // Set up OpenSSL environment if (writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), OPENSSL_EXTENSIONS_FILE, signingPrivateKeyFile, signing_public_certfile, revocationDatabaseFile, TQString::null, errstr) != 0) { return -1; } command = TQString("rm -f %1").arg(revocationDatabaseFile); if (system(command) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command); return -1; } command = TQString("touch %1").arg(revocationDatabaseFile); if (system(command) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command); return -1; } command = TQString("openssl ca -days %1 -crldays %2 -gencrl -out \"%3\" -config \"%4\"").arg(expirydays).arg(expirydays).arg(crl_certfile).arg(OPENSSL_EXTENSIONS_FILE); if (system(command) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command); return -1; } if (fileExists(revoked_certfile.ascii())) { if (unlink(revoked_certfile.ascii()) < 0) { if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(revoked_certfile); return -1; } } LDAPUserInfoList::Iterator it; for (it = userList.begin(); it != userList.end(); ++it) { LDAPUserInfo user = *it; PKICertificateEntryList::Iterator it; for (it = user.pkiCertificates.begin(); it != user.pkiCertificates.end(); ++it) { PKICertificateEntry certificateData = *it; TQCString ssldata(certificateData.second); ssldata[certificateData.second.size()] = 0; ssldata.replace("-----BEGIN CERTIFICATE-----", ""); ssldata.replace("-----END CERTIFICATE-----", ""); ssldata.replace("\n", ""); KSSLCertificate* cert = KSSLCertificate::fromString(ssldata); if (cert) { bool expired = false; if (TQDateTime::currentDateTime(Qt::UTC) > cert->getQDTNotAfter()) { expired = true; } if ((certificateData.first == PKICertificateStatus::Revoked) || expired) { // Revoke this certificate { TQFile revokedCertFile(revoked_certfile); if (revokedCertFile.open(IO_WriteOnly)) { revokedCertFile.writeBlock(certificateData.second); } } command = TQString("openssl ca -revoke \"%1\" -config \"%2\"").arg(revoked_certfile).arg(OPENSSL_EXTENSIONS_FILE); if (system(command) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command); return -1; } if (fileExists(revoked_certfile.ascii())) { if (unlink(revoked_certfile.ascii()) < 0) { if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(revoked_certfile); return -1; } } } } } } // Regenerate CRL certificate command = TQString("openssl ca -days %1 -crldays %2 -gencrl -out \"%3\" -config \"%4\"").arg(expirydays).arg(expirydays).arg(crl_certfile).arg(OPENSSL_EXTENSIONS_FILE); if (system(command) < 0) { if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command); return -1; } // Upload certificate to LDAP TQFile crlfile(crl_certfile); if (crlfile.open(IO_ReadOnly)) { TQByteArray crlfiledata = crlfile.readAll(); if (this->writeCertificateFileIntoDirectory(crlfiledata, "publicRootCertificateRevocationList", errstr) != 0) { return -1; } } // Clean up if (fileExists(crl_certfile.ascii())) { if (unlink(crl_certfile.ascii()) < 0) { if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(crl_certfile); return -1; } } if (fileExists(revoked_certfile.ascii())) { if (unlink(revoked_certfile.ascii()) < 0) { if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(revoked_certfile); return -1; } } if (fileExists(revocationDatabaseFile.ascii())) { if (unlink(revocationDatabaseFile.ascii()) < 0) { if (errstr) *errstr = TQString("Unable to unlink \"%1\"").arg(revocationDatabaseFile); return -1; } } } return retcode; } TQString LDAPManager::getMachineFQDN() { struct addrinfo hints, *info, *p; int gai_result; char hostname[1024]; hostname[1023] = '\0'; gethostname(hostname, 1023); memset(&hints, 0, sizeof hints); hints.ai_family = AF_UNSPEC; // IPV4 or IPV6 hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_CANONNAME; if ((gai_result = getaddrinfo(hostname, NULL, &hints, &info)) != 0) { return TQString(hostname); } TQString fqdn = TQString(hostname); for (p=info; p!=NULL; p=p->ai_next) { fqdn = TQString(p->ai_canonname); } freeaddrinfo(info); return fqdn; } LDAPClientRealmConfig LDAPManager::loadClientRealmConfig(KSimpleConfig* config, bool useDefaults) { LDAPClientRealmConfig clientRealmConfig; config->setReadDefaults(useDefaults); config->setGroup(NULL); clientRealmConfig.enable_bonding = config->readBoolEntry("EnableLDAP", false); clientRealmConfig.defaultRealm = config->readEntry("DefaultRealm", TQString::null); clientRealmConfig.ticketLifetime = config->readNumEntry("TicketLifetime", 86400); clientRealmConfig.ldapRole = config->readEntry("LDAPRole", "Workstation"); if (LDAPManager::getMachineFQDN() == config->readEntry("HostFQDN", "")) { clientRealmConfig.configurationVerifiedForLocalMachine = true; } else { clientRealmConfig.configurationVerifiedForLocalMachine = false; } clientRealmConfig.ldapVersion = config->readNumEntry("ConnectionLDAPVersion", 3); clientRealmConfig.ldapTimeout = config->readNumEntry("ConnectionLDAPTimeout", 2); clientRealmConfig.bindPolicy = config->readEntry("ConnectionBindPolicy", "soft"); clientRealmConfig.ldapBindTimeout = config->readNumEntry("ConnectionBindTimeout", 2); clientRealmConfig.passwordHash = config->readEntry("ConnectionPasswordHash", "exop"); clientRealmConfig.ignoredUsers = config->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST); clientRealmConfig.pamConfig.enable_pkcs11_login = config->readBoolEntry("EnablePKCS11Login", false); clientRealmConfig.pamConfig.pkcs11_login_card_slot = config->readNumEntry("PKCS11LoginCardSlot", 0); clientRealmConfig.pamConfig.enable_cached_credentials = config->readBoolEntry("EnableCachedCredentials", true); clientRealmConfig.pamConfig.autocreate_user_directories_enable = config->readBoolEntry("EnableAutoUserDir", true); clientRealmConfig.pamConfig.autocreate_user_directories_umask = config->readNumEntry("AutoUserDirUmask", 0022); clientRealmConfig.pamConfig.autocreate_user_directories_skel = config->readEntry("AutoUserDirSkelDir", "/etc/skel"); return clientRealmConfig; } int LDAPManager::saveClientRealmConfig(LDAPClientRealmConfig clientRealmConfig, KSimpleConfig* config, TQString *errstr) { Q_UNUSED(errstr) config->setGroup(NULL); config->writeEntry("EnableLDAP", clientRealmConfig.enable_bonding); config->writeEntry("HostFQDN", clientRealmConfig.hostFQDN); if (clientRealmConfig.defaultRealm != "") { config->writeEntry("DefaultRealm", clientRealmConfig.defaultRealm); } else { config->deleteEntry("DefaultRealm"); } config->writeEntry("TicketLifetime", clientRealmConfig.ticketLifetime); config->writeEntry("ConnectionLDAPVersion", clientRealmConfig.ldapVersion); config->writeEntry("ConnectionLDAPTimeout", clientRealmConfig.ldapTimeout); config->writeEntry("ConnectionBindPolicy", clientRealmConfig.bindPolicy); config->writeEntry("ConnectionBindTimeout", clientRealmConfig.ldapBindTimeout); config->writeEntry("ConnectionPasswordHash", clientRealmConfig.passwordHash); config->writeEntry("ConnectionIgnoredUsers", clientRealmConfig.ignoredUsers); config->writeEntry("EnablePKCS11Login", clientRealmConfig.pamConfig.enable_pkcs11_login); config->writeEntry("PKCS11LoginCardSlot", clientRealmConfig.pamConfig.pkcs11_login_card_slot); config->writeEntry("EnableCachedCredentials", clientRealmConfig.pamConfig.enable_cached_credentials); config->writeEntry("EnableAutoUserDir", clientRealmConfig.pamConfig.autocreate_user_directories_enable); config->writeEntry("AutoUserDirUmask", clientRealmConfig.pamConfig.autocreate_user_directories_umask); config->writeEntry("AutoUserDirSkelDir", clientRealmConfig.pamConfig.autocreate_user_directories_skel); return 0; } int LDAPManager::writeClientKrb5ConfFile(LDAPClientRealmConfig clientRealmConfig, LDAPRealmConfigList realmList, TQString *errstr) { TQFile file(KRB5_FILE); if (file.open(IO_WriteOnly)) { TQTextStream stream( &file ); stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; // Get PKCS#11 slot number from the LDAP configuration file KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" )); systemconfig->setGroup(NULL); int pkcs11_login_card_slot = systemconfig->readNumEntry("PKCS11LoginCardSlot", 0); delete systemconfig; // Generate PKCS#11 provider string TQString pkcsProviderString = TDECryptographicCardDevice::pkcsProviderLibrary(); if (pkcs11_login_card_slot != 0) { pkcsProviderString.append(TQString(",slot=%1").arg(pkcs11_login_card_slot)); } // Appdefaults stream << "[appdefaults]\n"; if (realmList.begin() != realmList.end()) { LDAPRealmConfig realmcfg = *realmList.begin(); TQString ldap_certfile = LDAP_CERT_FILE; TQString ldap_crlfile = LDAP_CERTREVOC_FILE; ldap_certfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server); ldap_crlfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server); stream << " pkinit_anchors = FILE:" << ldap_certfile << "\n"; stream << " pkinit_revoke = FILE:" << ldap_crlfile << "\n"; } stream << " pkinit_require_crl_checking = true\n"; if (pkcsProviderString != "") { stream << " pam = {\n"; stream << " pkinit_user = PKCS11:" << pkcsProviderString << "\n"; stream << " }\n"; } stream << "\n"; // Defaults stream << "[libdefaults]\n"; stream << " ticket_lifetime = " << clientRealmConfig.ticketLifetime << "\n"; if (clientRealmConfig.defaultRealm != "") { stream << " default_realm = " << clientRealmConfig.defaultRealm << "\n"; } stream << "\n"; // Realms stream << "[realms]\n"; LDAPRealmConfigList::Iterator it; for (it = realmList.begin(); it != realmList.end(); ++it) { LDAPRealmConfig realmcfg = it.data(); stream << " " << realmcfg.name << " = {\n"; stream << " kdc = " << realmcfg.kdc << ":" << realmcfg.kdc_port << "\n"; stream << " admin_server = " << realmcfg.admin_server << ":" << realmcfg.admin_server_port << "\n"; stream << " pkinit_require_eku = " << (realmcfg.pkinit_require_eku?"true":"false") << "\n"; stream << " pkinit_require_krbtgt_otherName = " << (realmcfg.pkinit_require_krbtgt_otherName?"true":"false") << "\n"; stream << " win2k_pkinit = " << (realmcfg.win2k_pkinit?"yes":"no") << "\n"; stream << " win2k_pkinit_require_binding = " << (realmcfg.win2k_pkinit_require_binding?"yes":"no") << "\n"; stream << " }\n"; } stream << "\n"; // Domain aliases stream << "[domain_realm]\n"; LDAPRealmConfigList::Iterator it2; for (it2 = realmList.begin(); it2 != realmList.end(); ++it2) { LDAPRealmConfig realmcfg = it2.data(); TQStringList domains = realmcfg.domain_mappings; for (TQStringList::Iterator it3 = domains.begin(); it3 != domains.end(); ++it3 ) { stream << " " << *it3 << " = " << realmcfg.name << "\n"; } } file.close(); } else { if (errstr) { *errstr = i18n("Could not open file '%1' for writing").arg(file.name()); } } return 0; } int LDAPManager::writeNSSwitchFile(TQString *errstr) { TQFile file(NSSWITCH_FILE); if (file.open(IO_WriteOnly)) { TQTextStream stream( &file ); stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; stream << "passwd: files ldap [NOTFOUND=return] db" << "\n"; stream << "group: files ldap [NOTFOUND=return] db" << "\n"; stream << "shadow: files ldap [NOTFOUND=return] db" << "\n"; stream << "\n"; stream << "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4" << "\n"; stream << "networks: files" << "\n"; stream << "\n"; stream << "protocols: db files" << "\n"; stream << "services: db files" << "\n"; stream << "ethers: db files" << "\n"; stream << "rpc: db files" << "\n"; stream << "\n"; stream << "netgroup: nis" << "\n"; file.close(); } else { if (errstr) { *errstr = i18n("Could not open file '%1' for writing").arg(file.name()); } } return 0; } int LDAPManager::rehashClientPKCSCertificates(TQString *errstr) { // Save the original working directory DIR* original_cwd = opendir("."); // Change working directory to root certificate directory if (chdir(KERBEROS_PKI_PUBLICDIR) < 0) { if (errstr) { *errstr = i18n("Could not change working directory to '%1'").arg(KERBEROS_PKI_PUBLICDIR); } return 1; } // Rehash certificates if (system(PAMD_PKCS11_CERT_REHASH_COMMAND) < 0) { if (errstr) { *errstr = i18n("Could not rehash certificates in directory '%1'").arg(KERBEROS_PKI_PUBLICDIR); } return 1; } // Restore the original working directory if (original_cwd) { if (fchdir(dirfd(original_cwd)) < 0) { // ERROR } closedir(original_cwd); } return 0; } int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) { TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT); if (file.open(IO_WriteOnly)) { TQTextStream stream( &file ); stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; stream << "account sufficient pam_unix.so nullok_secure" << "\n"; stream << "account sufficient pam_ldap.so" << "\n"; stream << "account required pam_permit.so" << "\n"; file.close(); } else { if (errstr) { *errstr = i18n("Could not open file '%1' for writing").arg(file.name()); } } TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH); if (file2.open(IO_WriteOnly)) { TQTextStream stream( &file2 ); stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n"; stream << "auth [default=ignore success=done new_authtok_reqd=done] pam_unix.so nullok try_first_pass" << "\n"; if (pamConfig.enable_cached_credentials) { stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n"; stream << "auth [default=1 success=done] pam_ccreds.so action=validate use_first_pass" << "\n"; stream << "auth [default=ignore success=done new_authtok_reqd=done] pam_ccreds.so action=store use_first_pass" << "\n"; } else { stream << "auth [default=ignore success=done new_authtok_reqd=done service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n"; } if (pamConfig.enable_pkcs11_login) { stream << "auth [default=ignore success=done new_authtok_reqd=done service_err=reset] pam_krb5.so use_first_pass no_prompt try_pkinit" << "\n"; stream << "auth [default=ignore success=done new_authtok_reqd=done] pam_pkcs11.so use_first_pass" << "\n"; } stream << "auth required pam_deny.so" << "\n"; file2.close(); } else { if (errstr) { *errstr = i18n("Could not open file '%1' for writing").arg(file2.name()); } } TQFile file3(PAMD_DIRECTORY PAMD_COMMON_SESSION); if (file3.open(IO_WriteOnly)) { TQTextStream stream( &file3 ); stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; stream << "session [default=1] pam_permit.so" << "\n"; stream << "session requisite pam_deny.so" << "\n"; stream << "session required pam_permit.so" << "\n"; stream << "session required pam_unix.so" << "\n"; stream << "session optional pam_ck_connector.so nox11" << "\n"; if (pamConfig.autocreate_user_directories_enable) { char modestring[8]; sprintf(modestring, "%04o", pamConfig.autocreate_user_directories_umask); TQString skelstring; if (pamConfig.autocreate_user_directories_skel != "") { skelstring = " skel=" + pamConfig.autocreate_user_directories_skel; } TQString umaskString; if (pamConfig.autocreate_user_directories_umask != 0) { umaskString = " umask="; umaskString.append(modestring); } stream << "session required pam_mkhomedir.so" << skelstring << umaskString << "\n"; } stream << "auth required pam_deny.so" << "\n"; file3.close(); } else { if (errstr) { *errstr = i18n("Could not open file '%1' for writing").arg(file3.name()); } } if (pamConfig.enable_pkcs11_login) { TQDir pkcs11dir(PAMD_PKCS11_CONFIG_DIRECTORY); if (!pkcs11dir.exists()) { if (mkdir(PAMD_PKCS11_CONFIG_DIRECTORY, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) < 0) { if (errstr) { *errstr = i18n("Could not create directoy '%1'").arg(PAMD_PKCS11_CONFIG_DIRECTORY); } } } TQFile file4(PAMD_PKCS11_CONFIG_DIRECTORY PAMD_PKCS11_CONFIG_FILE); if (file4.open(IO_WriteOnly)) { TQTextStream stream( &file4 ); stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; stream << "pam_pkcs11 {" << "\n"; stream << " nullok = true;" << "\n"; stream << " debug = false;" << "\n"; stream << " use_first_pass = true;" << "\n"; stream << " try_first_pass = false;" << "\n"; stream << " use_authtok = false;" << "\n"; stream << " use_pkcs11_module = opensc;" << "\n"; stream << " pkcs11_module opensc {" << "\n"; stream << " module = " << TDECryptographicCardDevice::pkcsProviderLibrary() << ";" << "\n"; stream << " description = \"OpenSC PKCS#11 module\";" << "\n"; stream << " slot_num = \"" << pamConfig.pkcs11_login_card_slot << "\";" << "\n"; stream << " ca_dir = " KERBEROS_PKI_PUBLICDIR ";" << "\n"; stream << " crl_dir = " KERBEROS_PKI_PUBLICDIR ";" << "\n"; stream << " support_threads = false;" << "\n"; stream << " cert_policy = ca,crl_auto,signature;" << "\n"; stream << " token_type = \"Smart card\";" << "\n"; stream << " }" << "\n"; stream << " use_mappers = cn;" << "\n"; stream << " mapper cn {" << "\n"; stream << " debug = false;" << "\n"; stream << " module = internal;" << "\n"; stream << " ignorecase = true;" << "\n"; stream << " mapfile = \"none\";" << "\n"; stream << " }" << "\n"; stream << "}" << "\n"; file4.close(); } else { if (errstr) { *errstr = i18n("Could not open file '%1' for writing").arg(file4.name()); } } // Rehash PKCS certificates if (rehashClientPKCSCertificates() != 0) { if (errstr) { *errstr = i18n("Could not rehash PKCS certificates"); } } } return 0; } TQString LDAPManager::getOpenSSLVersion() { TQString output; int timeout = 0; int version_end_pos = 0; TQProcess *opensslproc = new TQProcess; opensslproc->addArgument("openssl"); opensslproc->addArgument("version"); if (!opensslproc->start()) { delete opensslproc; return TQString::null; } while (opensslproc->isRunning()) { if (timeout > 10000) { opensslproc->kill(); tqApp->processEvents(); delete opensslproc; return TQString::null; } tqApp->processEvents(); usleep(10000); timeout++; } TQByteArray byteOutput = opensslproc->readStdout(); delete opensslproc; output = byteOutput.data(); output = output.replace("OpenSSL ", ""); version_end_pos = output.find(" "); if (version_end_pos > 0) { output.truncate(version_end_pos); } return output; } int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr) { return writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), TQString::fromLatin1(OPENSSL_EXTENSIONS_FILE), TQString::null, TQString::null, TQString::null, TQString::null, errstr); } int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile, TQString caRootCertFile, TQString caRootDatabaseFile, TQString autoLoginPIN, TQString *errstr) { TQString ca_public_crl_certfile = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crl"; TQString crl_url; crl_url = TQString("URI:file://%1,URI:file://%2").arg(KERBEROS_PKI_CRL_FILE).arg(ca_public_crl_certfile); TQString openssl_version = getOpenSSLVersion(); if (openssl_version.length() < 1) { if (errstr) { *errstr = i18n("Could not determine OpenSSL version. Is OpenSSL installed?"); } return 1; } if (caRootKeyFile == "") { caRootKeyFile = KERBEROS_PKI_PEMKEY_FILE; } if (caRootCertFile == "") { caRootCertFile = KERBEROS_PKI_PEM_FILE; } if (caRootDatabaseFile == "") { caRootDatabaseFile = KERBEROS_PKI_CRLDB_FILE; } TQString krb_principal = TQString::null; if (user.informationValid) { krb_principal = user.name + "@" + realmcfg.name.upper(); } TQFileInfo tde_cert_file_info(opensslConfigFile); TQString tde_cert_dir_path = tde_cert_file_info.dirPath(true); TQDir tde_cert_dir(tde_cert_dir_path); if (!tde_cert_dir.exists()) { TQString command = TQString("mkdir -p %1").arg(tde_cert_dir_path); if (system(command) < 0) { if (errstr) { *errstr = i18n("Could not create directory '%1'").arg(tde_cert_dir_path); } return 1; } } TQFile file(opensslConfigFile); if (file.open(IO_WriteOnly)) { TQTextStream stream(&file); stream << "# This file was automatically generated by TDE\n"; stream << "# All changes will be lost!\n"; stream << "\n"; if (openssl_version.startsWith("0") || openssl_version.startsWith("1.0")) { stream << "oid_section = new_oids" << "\n"; stream << "\n"; stream << "[new_oids]" << "\n"; stream << "uid = 0.9.2342.19200300.100.1.1" << "\n"; stream << "pkkdcekuoid = 1.3.6.1.5.2.3.5" << "\n"; stream << "\n"; } stream << "[ca]" << "\n"; stream << "default_ca = certificate_authority" << "\n"; stream << "\n"; stream << "[usr]" << "\n"; // stream << "database = index.txt" << "\n"; // stream << "serial = serial" << "\n"; stream << "x509_extensions = usr_cert" << "\n"; stream << "default_md = sha1" << "\n"; stream << "policy = policy_match" << "\n"; stream << "email_in_dn = no" << "\n"; stream << "certs = ." << "\n"; stream << "\n"; stream << "[certificate_authority]" << "\n"; stream << TQString("database = %1\n").arg(caRootDatabaseFile) << "\n"; stream << TQString("certificate = %1\n").arg(caRootCertFile) << "\n"; stream << TQString("private_key = %1\n").arg(caRootKeyFile) << "\n"; // stream << TQString("crl = %1\n").arg(KERBEROS_PKI_CRL_FILE) << "\n"; stream << "default_md = sha1" << "\n"; stream << "policy = policy_match" << "\n"; stream << "email_in_dn = no" << "\n"; stream << "certs = ." << "\n"; stream << "\n"; stream << "[ocsp]" << "\n"; // stream << "database = index.txt" << "\n"; // stream << "serial = serial" << "\n"; stream << "x509_extensions = ocsp_cert" << "\n"; stream << "default_md = sha1" << "\n"; stream << "policy = policy_match" << "\n"; stream << "email_in_dn = no" << "\n"; stream << "certs = ." << "\n"; stream << "\n"; stream << "[usr_ke]" << "\n"; // stream << "database = index.txt" << "\n"; // stream << "serial = serial" << "\n"; stream << "x509_extensions = usr_cert_ke" << "\n"; stream << "default_md = sha1" << "\n"; stream << "policy = policy_match" << "\n"; stream << "email_in_dn = no" << "\n"; stream << "certs = ." << "\n"; stream << "\n"; stream << "[usr_ds]" << "\n"; // stream << "database = index.txt" << "\n"; // stream << "serial = serial" << "\n"; stream << "x509_extensions = usr_cert_ds" << "\n"; stream << "default_md = sha1" << "\n"; stream << "policy = policy_match" << "\n"; stream << "email_in_dn = no" << "\n"; stream << "certs = ." << "\n"; stream << "\n"; stream << "[pkinit_client]" << "\n"; // stream << "database = index.txt" << "\n"; // stream << "serial = serial" << "\n"; stream << "x509_extensions = pkinit_client_cert" << "\n"; stream << "default_md = sha1" << "\n"; stream << "policy = policy_match" << "\n"; stream << "email_in_dn = no" << "\n"; stream << "certs = ." << "\n"; stream << "\n"; stream << "[pkinit_kdc]" << "\n"; // stream << "database = index.txt" << "\n"; // stream << "serial = serial" << "\n"; stream << "x509_extensions = pkinit_kdc_cert" << "\n"; stream << "default_md = sha1" << "\n"; stream << "policy = policy_match" << "\n"; stream << "email_in_dn = no" << "\n"; stream << "certs = ." << "\n"; stream << "\n"; stream << "[https]" << "\n"; // stream << "database = index.txt" << "\n"; // stream << "serial = serial" << "\n"; stream << "x509_extensions = https_cert" << "\n"; stream << "default_md = sha1" << "\n"; stream << "policy = policy_match" << "\n"; stream << "email_in_dn = no" << "\n"; stream << "certs = ." << "\n"; stream << "\n"; stream << "[subca]" << "\n"; // stream << "database = index.txt" << "\n"; // stream << "serial = serial" << "\n"; stream << "x509_extensions = v3_ca" << "\n"; stream << "default_md = sha1" << "\n"; stream << "policy = policy_match" << "\n"; stream << "email_in_dn = no" << "\n"; stream << "certs = ." << "\n"; stream << "\n"; stream << "[req]" << "\n"; stream << "distinguished_name = req_distinguished_name" << "\n"; stream << "x509_extensions = v3_ca" << "\n"; stream << "string_mask = utf8only" << "\n"; stream << "\n"; stream << "[v3_ca]" << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "authorityKeyIdentifier = keyid:always,issuer:always" << "\n"; stream << "basicConstraints = CA:true" << "\n"; stream << "keyUsage = critical, cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature" << "\n"; stream << "\n"; stream << "[usr_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "\n"; stream << "[usr_cert_ke]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, keyEncipherment" << "\n"; stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "\n"; stream << "[proxy_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; // stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo" << "\n"; stream << "\n"; stream << "[pkinitc_principals]" << "\n"; if (krb_principal != "") { stream << TQString("princ1 = GeneralString:%1").arg(krb_principal) << "\n"; } stream << "\n"; stream << "[pkinitc_principal_seq]" << "\n"; stream << "name_type = EXP:0,INTEGER:1" << "\n"; stream << "name_string = EXP:1,SEQUENCE:pkinitc_principals" << "\n"; stream << "\n"; stream << "[pkinitc_princ_name]" << "\n"; stream << TQString("realm = EXP:0,GeneralString:%1").arg(realmcfg.name.upper()) << "\n"; stream << "principal_name = EXP:1,SEQUENCE:pkinitc_principal_seq" << "\n"; stream << "\n"; if (autoLoginPIN != TQString::null) { stream << "[tde_autopin_login_data]" << "\n"; stream << TQString("pin = EXP:0,GeneralString:%1").arg(autoLoginPIN) << "\n"; stream << "\n"; } stream << "[pkinit_client_cert_alt_names]" << "\n"; stream << "otherName.1=1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name" << "\n"; if (autoLoginPIN != TQString::null) { stream << "otherName.2=1.3.6.1.4.1.40364.1.2.1;SEQUENCE:tde_autopin_login_data" << "\n"; } stream << "\n"; stream << "[pkinit_client_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "authorityKeyIdentifier = keyid,issuer" << "\n"; stream << "issuerAltName = issuer:copy" << "\n"; stream << "subjectAltName = @pkinit_client_cert_alt_names" << "\n"; stream << "\n"; stream << "[https_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; // stream << "extendedKeyUsage = https-server XXX" << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "\n"; stream << "[pkinit_kdc_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "extendedKeyUsage = 1.3.6.1.5.2.3.5" << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "authorityKeyIdentifier = keyid,issuer" << "\n"; stream << "issuerAltName = issuer:copy" << "\n"; stream << "subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name" << "\n"; stream << "\n"; stream << "[pkinitkdc_princ_name]" << "\n"; stream << TQString("realm = EXP:0,GeneralString:%1").arg(realmcfg.name.upper()) << "\n"; stream << "principal_name = EXP:1,SEQUENCE:pkinitkdc_principal_seq" << "\n"; stream << "\n"; stream << "[pkinitkdc_principal_seq]" << "\n"; stream << "name_type = EXP:0,INTEGER:1" << "\n"; stream << "name_string = EXP:1,SEQUENCE:pkinitkdc_principals" << "\n"; stream << "\n"; stream << "[pkinitkdc_principals]" << "\n"; stream << "princ1 = GeneralString:krbtgt" << "\n"; stream << TQString("princ2 = GeneralString:%1").arg(realmcfg.name.upper()) << "\n"; stream << "\n"; stream << "[proxy10_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; // stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo" << "\n"; stream << "\n"; stream << "[usr_cert_ds]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature" << "\n"; stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "\n"; stream << "[ocsp_cert]" << "\n"; stream << "basicConstraints = CA:FALSE" << "\n"; stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n"; stream << TQString("crlDistributionPoints = %1").arg(crl_url) << "\n"; // stream << "ocsp-nocheck and kp-OCSPSigning" << "\n"; stream << "extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9" << "\n"; stream << "subjectKeyIdentifier = hash" << "\n"; stream << "\n"; stream << "[req_distinguished_name]" << "\n"; stream << "countryName = Country Name (2 letter code)" << "\n"; stream << "countryName_min = 2" << "\n"; stream << "countryName_max = 2" << "\n"; stream << "organizationalName = Organizational Unit Name (eg, section)" << "\n"; stream << "commonName = Common Name (eg, YOUR name)" << "\n"; stream << "commonName_max = 64" << "\n"; stream << "\n"; // stream << "[req_attributes]" << "\n"; // stream << "challengePassword = A challenge password" << "\n"; // stream << "challengePassword_min = 4" << "\n"; // stream << "challengePassword_max = 20" << "\n"; // stream << "\n"; stream << "[policy_match]" << "\n"; stream << "countryName = match" << "\n"; stream << "commonName = supplied" << "\n"; stream << "\n"; file.close(); } else { if (errstr) { *errstr = i18n("Could not open file '%1' for writing").arg(file.name()); } return -1; } return 0; } bool LDAPManager::pkcsLoginEnabled() { bool enabled; KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" )); systemconfig->setGroup(NULL); enabled = systemconfig->readBoolEntry("EnablePKCS11Login", false); delete systemconfig; return enabled; } int LDAPManager::bondRealm(const TQString &adminUserName, const TQString &adminPassword, const TQString &adminRealm, TQString *errstr) { LDAPCredentials admincreds; admincreds.username = adminUserName; admincreds.password = adminPassword; admincreds.realm = adminRealm; admincreds.use_gssapi = false; TQString hoststring = "host/" + getMachineFQDN(); int retcode; LDAPManager* ldap_mgr = new LDAPManager(adminRealm, TQString::null); retcode = ldap_mgr->bindKAdmin(&admincreds, errstr); if (!retcode) { retcode = ldap_mgr->exportKeytabForPrincipal(hoststring, TQString::null, errstr); if (retcode == 2) { // Principal not found, create it retcode = ldap_mgr->kAdminAddNewPrincipal(hoststring, TQString::null, errstr); if (!retcode) { retcode = ldap_mgr->exportKeytabForPrincipal(hoststring, TQString::null, errstr); } } ldap_mgr->unbindKAdmin(); } delete ldap_mgr; return retcode; } int LDAPManager::unbondRealm(LDAPRealmConfig realmcfg, const TQString &adminUserName, const TQString &adminPassword, const TQString &adminRealm, TQString *errstr) { Q_UNUSED(realmcfg); LDAPCredentials admincreds; admincreds.username = adminUserName; admincreds.password = adminPassword; admincreds.realm = adminRealm; admincreds.use_gssapi = false; TQString hoststring = "host/" + getMachineFQDN(); int retcode; LDAPManager* ldap_mgr = new LDAPManager(adminRealm, TQString::null); retcode = ldap_mgr->bindKAdmin(&admincreds, errstr); if (!retcode) { retcode = ldap_mgr->kAdminDeletePrincipal(hoststring, errstr); if (!retcode) { // Principal and associated keys deleted from server, now delete keys from local keytab... retcode = ldap_mgr->deleteKeytabEntriesForPrincipal(hoststring, TQString::null, errstr); } ldap_mgr->unbindKAdmin(); } delete ldap_mgr; return retcode; } // =============================================================================================================== // // DATA CLASS CONSTRUCTORS AND DESTRUCTORS // // =============================================================================================================== LDAPCredentials::LDAPCredentials() { // TQStrings are always initialized to TQString::null, so they don't need initialization here... use_tls = true; use_gssapi = false; use_smartcard = false; } LDAPCredentials::~LDAPCredentials() { // Overwrite password data before destroying object password.fill(0); } LDAPUserInfo::LDAPUserInfo() { // TQStrings are always initialized to TQString::null, so they don't need initialization here... informationValid = false; uid = -1; primary_gid = -1; tde_builtin_account = false; status = (LDAPKRB5Flags)0; account_created = TQDateTime::fromString("1970-01-01T00:00:00", TQt::ISODate); account_modified = TQDateTime::fromString("1970-01-01T00:00:00", TQt::ISODate); password_last_changed = TQDateTime::fromString("1970-01-01T00:00:00", TQt::ISODate); password_expires = false; password_expiration = TQDateTime::fromString("1970-01-01T00:00:00", TQt::ISODate); password_ages = false; new_password_interval = -1; new_password_warn_interval = -1; new_password_lockout_delay = -1; password_has_minimum_age = false; password_minimum_age = -1; maximum_ticket_lifetime = -1; } LDAPUserInfo::~LDAPUserInfo() { // } LDAPGroupInfo::LDAPGroupInfo() { // TQStrings are always initialized to TQString::null, so they don't need initialization here... informationValid = false; gid = -1; tde_builtin_account = false; } LDAPGroupInfo::~LDAPGroupInfo() { // } LDAPMachineInfo::LDAPMachineInfo() { // TQStrings are always initialized to TQString::null, so they don't need initialization here... informationValid = false; tde_builtin_account = false; status = (LDAPKRB5Flags)0; } LDAPMachineInfo::~LDAPMachineInfo() { // } LDAPServiceInfo::LDAPServiceInfo() { // TQStrings are always initialized to TQString::null, so they don't need initialization here... informationValid = false; tde_builtin_account = false; status = (LDAPKRB5Flags)0; } LDAPServiceInfo::~LDAPServiceInfo() { // } LDAPTDEBuiltinsInfo::LDAPTDEBuiltinsInfo() { // TQStrings are always initialized to TQString::null, so they don't need initialization here... informationValid = false; } LDAPTDEBuiltinsInfo::~LDAPTDEBuiltinsInfo() { // } LDAPMasterReplicationInfo::LDAPMasterReplicationInfo() { // TQStrings are always initialized to TQString::null, so they don't need initialization here... informationValid = false; enabled = false; // FIXME // Retry method and timeout should be user configurable // See http://www.openldap.org/doc/admin24/slapdconfig.html for syntax retryMethod = "5 5 300 5 600 +"; timeout = 1; ignore_ssl_failure = false; replicate_olcGlobal = false; } LDAPMasterReplicationInfo::~LDAPMasterReplicationInfo() { // } LDAPMasterReplicationMapping::LDAPMasterReplicationMapping() { id = -1; } LDAPMasterReplicationMapping::~LDAPMasterReplicationMapping() { // } KerberosTicketInfo::KerberosTicketInfo() { // TQStrings are always initialized to TQString::null, so they don't need initialization here... informationValid = false; cacheVersion = -1; keyVersionNumber = -1; ticketSize = -1; flags = (KRB5TicketFlags)0; } KerberosTicketInfo::~KerberosTicketInfo() { // } LDAPCertConfig::LDAPCertConfig() { caCrlExpiryDays = KERBEROS_PKI_CRL_EXPIRY_DAYS; caExpiryDays = KERBEROS_PKI_PEMKEY_EXPIRY_DAYS; kerberosExpiryDays = KERBEROS_PKI_KRB_EXPIRY_DAYS; ldapExpiryDays = KERBEROS_PKI_LDAP_EXPIRY_DAYS; } LDAPCertConfig::~LDAPCertConfig() { // } LDAPPamConfig::LDAPPamConfig() { enable_pkcs11_login = false; pkcs11_login_card_slot = 0; enable_cached_credentials = true; autocreate_user_directories_enable = true; autocreate_user_directories_umask = 0; } LDAPPamConfig::~LDAPPamConfig() { // } #include "libtdeldap.moc"