summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-09-18 17:50:49 -0500
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-09-18 17:50:49 -0500
commit5f90079891a07dc451111174baa8ca8a625d460e (patch)
tree760db1c34d2ccfd37ac2ecc9afd2c9812f832d7b
parentc14f2f4613cc75a6dd5ec0d1eebff9c855e40c46 (diff)
downloadkcmldap-5f900798.tar.gz
kcmldap-5f900798.zip
Add PKCS login setup controls
-rw-r--r--cert-updater/main.cpp27
-rw-r--r--src/ldapbonding.cpp14
-rw-r--r--src/ldapconfigbase.ui35
3 files changed, 72 insertions, 4 deletions
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index 78ad0dc..354d9de 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -155,6 +155,7 @@ int main(int argc, char *argv[])
int prevSecondsToExpiry = (7*24*60*60);
while (1) {
+ bool newCertDownloaded = false;
bool allDownloadsOK = true;
TQDateTime now = TQDateTime::currentDateTime();
TQDateTime earliestCertExpiry = now.addDays(14); // Recheck every 7 days regardless of last expiry check results
@@ -174,7 +175,10 @@ int main(int argc, char *argv[])
printf("[INFO] Certificate %s expires %s\n", certificateFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
- if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
+ if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) == 0) {
+ newCertDownloaded = true;
+ }
+ else {
allDownloadsOK = false;
}
}
@@ -185,7 +189,10 @@ int main(int argc, char *argv[])
else {
mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
- if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
+ if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) == 0) {
+ newCertDownloaded = true;
+ }
+ else {
allDownloadsOK = false;
}
}
@@ -196,7 +203,10 @@ int main(int argc, char *argv[])
printf("[INFO] CRL %s expires %s\n", crlFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
- if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+ if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) == 0) {
+ newCertDownloaded = true;
+ }
+ else {
allDownloadsOK = false;
}
}
@@ -207,10 +217,19 @@ int main(int argc, char *argv[])
else {
mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
- if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+ if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) == 0) {
+ newCertDownloaded = true;
+ }
+ else {
allDownloadsOK = false;
}
}
+
+ if (newCertDownloaded) {
+ if (LDAPManager::rehashClientPKCSCertificates() != 0) {
+ printf("[WARNING] Unable to rehash client PKCS certificates\n"); fflush(stdout);
+ }
+ }
}
immediate = false;
diff --git a/src/ldapbonding.cpp b/src/ldapbonding.cpp
index bf20050..abe4e95 100644
--- a/src/ldapbonding.cpp
+++ b/src/ldapbonding.cpp
@@ -102,6 +102,9 @@ LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&)
connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed()));
+ connect(base->pamEnablePKCS11Logons, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
+ connect(base->pamEnablePKCS11Logons, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
+ connect(base->pamPKCS11LoginCardSlot, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
connect(base->pamEnableCachedLogons, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
connect(base->pamCreateHomeDirectory, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
connect(base->pamCreateHomeDirectory, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
@@ -165,6 +168,8 @@ void LDAPConfig::load(bool useDefaults )
}
base->ignoredUsers->setText(m_clientRealmConfig.ignoredUsers);
+ base->pamEnablePKCS11Logons->setChecked(m_clientRealmConfig.pamConfig.enable_pkcs11_login);
+ base->pamPKCS11LoginCardSlot->setValue(m_clientRealmConfig.pamConfig.pkcs11_login_card_slot);
base->pamEnableCachedLogons->setChecked(m_clientRealmConfig.pamConfig.enable_cached_credentials);
base->pamCreateHomeDirectory->setChecked(m_clientRealmConfig.pamConfig.autocreate_user_directories_enable);
base->pamCreateHomeDirectoryUmask->setValue(m_clientRealmConfig.pamConfig.autocreate_user_directories_umask);
@@ -217,6 +222,8 @@ void LDAPConfig::save() {
m_clientRealmConfig.passwordHash = base->passwordHash->currentText();
m_clientRealmConfig.ignoredUsers = base->ignoredUsers->text();
+ m_clientRealmConfig.pamConfig.enable_pkcs11_login = base->pamEnablePKCS11Logons->isChecked();
+ m_clientRealmConfig.pamConfig.pkcs11_login_card_slot = base->pamPKCS11LoginCardSlot->value();
m_clientRealmConfig.pamConfig.enable_cached_credentials = base->pamEnableCachedLogons->isChecked();
m_clientRealmConfig.pamConfig.autocreate_user_directories_enable = base->pamCreateHomeDirectory->isChecked();
m_clientRealmConfig.pamConfig.autocreate_user_directories_umask = base->pamCreateHomeDirectoryUmask->value();
@@ -343,6 +350,13 @@ void LDAPConfig::processLockouts() {
base->pamCreateHomeDirectoryUmask->setEnabled(false);
base->pamCreateHomeDirectorySkelDir->setEnabled(false);
}
+
+ if (base->pamEnablePKCS11Logons->isChecked()) {
+ base->pamPKCS11LoginCardSlot->setEnabled(true);
+ }
+ else {
+ base->pamPKCS11LoginCardSlot->setEnabled(false);
+ }
}
void LDAPConfig::bondToNewRealm() {
diff --git a/src/ldapconfigbase.ui b/src/ldapconfigbase.ui
index a889ac9..8c9b2db 100644
--- a/src/ldapconfigbase.ui
+++ b/src/ldapconfigbase.ui
@@ -454,6 +454,14 @@
<string>&amp;Enable logon credentials cache</string>
</property>
</widget>
+ <widget class="TQCheckBox" row="2" column="0" colspan="2">
+ <property name="name">
+ <cstring>pamEnablePKCS11Logons</cstring>
+ </property>
+ <property name="text">
+ <string>&amp;Enable PKCS#11 card login</string>
+ </property>
+ </widget>
<widget class="TQLabel" row="0" column="2">
<property name="name">
<cstring>unnamed</cstring>
@@ -500,6 +508,33 @@
</sizepolicy>
</property>
</widget>
+ <widget class="TQLabel" row="2" column="2">
+ <property name="name">
+ <cstring>unnamed</cstring>
+ </property>
+ <property name="text">
+ <string>PKCS#11 certificate slot</string>
+ </property>
+ <property name="sizePolicy">
+ <sizepolicy>
+ <hsizetype>0</hsizetype>
+ <vsizetype>0</vsizetype>
+ <horstretch>0</horstretch>
+ <verstretch>0</verstretch>
+ </sizepolicy>
+ </property>
+ </widget>
+ <widget class="KIntNumInput" row="2" column="3" >
+ <property name="name">
+ <cstring>pamPKCS11LoginCardSlot</cstring>
+ </property>
+ <property name="minValue">
+ <number>0</number>
+ </property>
+ <property name="maxValue">
+ <number>999</number>
+ </property>
+ </widget>
<widget class="KURLRequester" row="1" column="3" >
<property name="name">
<cstring>pamCreateHomeDirectorySkelDir</cstring>