Fix compilation issues

1 files changed, 717 insertions, 0 deletions

diff --git a/src/ldapbonding.cpp b/src/ldapbonding.cpp
new file mode 100644
index 0000000..9c9d9b5
--- /dev/null
+++ b/src/ldapbonding.cpp
@@ -0,0 +1,717 @@
+/***************************************************************************
+ *   Copyright (C) 2012 by Timothy Pearson                                 *
+ *   kb9vqf@pearsoncomputing.net                                           *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                                   *
+ *                                                                         *
+ *   This program is distributed in the hope that it will be useful,       *
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
+ *   GNU General Public License for more details.                          *
+ *                                                                         *
+ *   You should have received a copy of the GNU General Public License     *
+ *   along with this program; if not, write to the                         *
+ *   Free Software Foundation, Inc.,                                       *
+ *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
+ ***************************************************************************/
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+#include <tqlayout.h>
+
+#include <klocale.h>
+#include <kglobal.h>
+#include <kcombobox.h>
+#include <kparts/genericfactory.h>
+#include <ksimpleconfig.h>
+#include <kglobalsettings.h>
+#include <kstandarddirs.h>
+#include <kurlrequester.h>
+#include <klistview.h>
+#include <kopenwith.h>
+#include <kpropertiesdialog.h>
+#include <kio/job.h>
+#include <tqdir.h>
+#include <tqheader.h>
+#include <knuminput.h>
+#include <kpassdlg.h>
+#include <klineedit.h>
+#include <kmessagebox.h>
+
+#include <tdesu/process.h>
+
+#include "ldapbonding.h"
+#include "bondwizard.h"
+#include "ldappasswddlg.h"
+#include "realmpropertiesdialog.h"
+
+// FIXME
+// Connect this to CMake/Automake
+#define KDE_CONFDIR "/etc/trinity"
+#define KRB5_FILE "/etc/krb5.conf"
+#define NSSWITCH_FILE "/etc/nsswitch.conf"
+#define PAMD_DIRECTORY "/etc/pam.d/"
+#define PAMD_COMMON_ACCOUNT "common-account"
+#define PAMD_COMMON_AUTH "common-auth"
+#define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db"
+
+typedef KGenericFactory<LDAPConfig, TQWidget> ldapFactory;
+
+K_EXPORT_COMPONENT_FACTORY( kcm_ldap, ldapFactory("kcmldap"))
+
+KSimpleConfig *systemconfig = 0;
+
+LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&)
+    : KCModule(parent, name), myAboutData(0)
+{
+	TQVBoxLayout *layout = new TQVBoxLayout(this, KDialog::marginHint(), KDialog::spacingHint());
+	systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
+	systemconfig->setFileWriteMode(S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+
+	KAboutData* about = new KAboutData("ldap", I18N_NOOP("TDE LDAP Manager"), "0.1",
+		I18N_NOOP("TDE LDAP Manager Control Panel Module"),
+		KAboutData::License_GPL,
+		I18N_NOOP("(c) 2012 Timothy Pearson"), 0, 0);
+	
+	about->addAuthor("Timothy Pearson", 0, "kb9vqf@pearsoncomputing.net");
+	setAboutData( about );
+
+	base = new LDAPConfigBase(this);
+	layout->add(base);
+	base->ldapRealmList->setAllColumnsShowFocus(true);
+	base->ldapRealmList->setFullWidth(true);
+	
+	setRootOnlyMsg(i18n("<b>Bonded LDAP realms take effect system wide, and require administrator access to modify</b><br>To alter the system's bonded LDAP realms, click on the \"Administrator Mode\" button below."));
+	setUseRootOnlyMsg(true);
+
+	connect(base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
+	connect(base->defaultRealm, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
+	connect(base->ticketLifetime, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
+	connect(base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
+	connect(base->ldapRealmList, TQT_SIGNAL(selectionChanged()), this, TQT_SLOT(processLockouts()));
+
+	connect(base->btnBondRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(bondToNewRealm()));
+	connect(base->btnReBondRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(reBondToRealm()));
+	connect(base->btnRemoveRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(removeRealm()));
+	connect(base->btnDeactivateRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(deactivateRealm()));
+	connect(base->btnRealmProperties, TQT_SIGNAL(clicked()), this, TQT_SLOT(realmProperties()));
+
+	connect(base->ldapVersion, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
+	connect(base->ldapTimeout, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
+	connect(base->bindPolicy, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
+	connect(base->ldapBindTimeout, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
+	connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
+	connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed()));
+
+	m_fqdn = getMachineFQDN();
+	base->hostFQDN->setEnabled(false);
+	base->hostFQDN->clear();
+	base->hostFQDN->insertItem(m_fqdn);
+
+	load();
+
+	if (getuid() != 0 || !systemconfig->checkConfigFilesWritable( true )) {
+		base->systemEnableSupport->setEnabled(false);
+	}
+
+	processLockouts();
+};
+
+LDAPConfig::~LDAPConfig() {
+	delete systemconfig;
+}
+
+// FIXME
+// This should be moved to a TDE core library
+TQString LDAPConfig::getMachineFQDN() {
+	struct addrinfo hints, *info, *p;
+	int gai_result;
+	
+	char hostname[1024];
+	hostname[1023] = '\0';
+	gethostname(hostname, 1023);
+	
+	memset(&hints, 0, sizeof hints);
+	hints.ai_family = AF_UNSPEC; // IPV4 or IPV6
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = AI_CANONNAME;
+	
+	if ((gai_result = getaddrinfo(hostname, NULL, &hints, &info)) != 0) {
+		return TQString(hostname);
+	}
+	TQString fqdn = TQString(hostname);
+	for (p=info; p!=NULL; p=p->ai_next) {
+		fqdn = TQString(p->ai_canonname);
+	}
+	freeaddrinfo(info);
+
+	return fqdn;
+}
+
+void LDAPConfig::load() {
+	kgs = new KGlobalSettings();
+
+	load(false);
+}
+
+void LDAPConfig::load(bool useDefaults )
+{
+	int i;
+	bool thisIsMyMachine;
+
+	//Update the toggle buttons with the current configuration
+	systemconfig->setReadDefaults( useDefaults );
+	
+	systemconfig->setGroup(NULL);
+	base->systemEnableSupport->setChecked(systemconfig->readBoolEntry("EnableLDAP", false));
+	m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null);
+	m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400);
+	if (m_fqdn == systemconfig->readEntry("HostFQDN", "")) {
+		thisIsMyMachine = true;
+	}
+	else {
+		thisIsMyMachine = false;
+	}
+
+	m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3);
+	m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2);
+	m_bindPolicy = systemconfig->readEntry("ConnectionBindPolicy", "soft");
+	m_ldapBindTimeout = systemconfig->readNumEntry("ConnectionBindTimeout", 2);
+	m_passwordHash = systemconfig->readEntry("ConnectionPasswordHash", "exop");
+	m_ignoredUsers = systemconfig->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST);
+	
+	// Load realms
+	m_realms.clear();
+	TQStringList cfgRealms = systemconfig->groupList();
+	for (TQStringList::Iterator it(cfgRealms.begin()); it != cfgRealms.end(); ++it) {
+		if ((*it).startsWith("LDAPRealm-")) {
+			systemconfig->setGroup(*it);
+			TQString realmName=*it;
+			realmName.remove(0,strlen("LDAPRealm-"));
+			if (!m_realms.contains(realmName)) {
+				// Read in realm data
+				LDAPRealmConfig realmcfg;
+				realmcfg.name = realmName;
+				if (thisIsMyMachine) {
+					realmcfg.bonded = systemconfig->readBoolEntry("bonded");
+				}
+				else {
+					realmcfg.bonded = false;
+				}
+				realmcfg.uid_offset = systemconfig->readNumEntry("uid_offset");
+				realmcfg.gid_offset = systemconfig->readNumEntry("gid_offset");
+				realmcfg.domain_mappings = systemconfig->readListEntry("domain_mappings");
+				realmcfg.kdc = systemconfig->readEntry("kdc");
+				realmcfg.kdc_port = systemconfig->readNumEntry("kdc_port");
+				realmcfg.admin_server = systemconfig->readEntry("admin_server");
+				realmcfg.admin_server_port = systemconfig->readNumEntry("admin_server_port");
+				realmcfg.pkinit_require_eku = systemconfig->readBoolEntry("pkinit_require_eku");
+				realmcfg.pkinit_require_krbtgt_otherName = systemconfig->readBoolEntry("pkinit_require_krbtgt_otherName");
+				realmcfg.win2k_pkinit = systemconfig->readBoolEntry("win2k_pkinit");
+				realmcfg.win2k_pkinit_require_binding = systemconfig->readBoolEntry("win2k_pkinit_require_binding");
+				// Add realm to list
+				m_realms.insert(realmName, realmcfg);
+			}
+		}
+	}
+
+	base->ticketLifetime->setValue(m_ticketLifetime);
+
+	base->ldapVersion->setValue(m_ldapVersion);
+	base->ldapTimeout->setValue(m_ldapTimeout);
+	for (i=0; i<base->bindPolicy->count(); i++) {
+		if (base->bindPolicy->text(i).lower() == m_defaultRealm.lower()) {
+			base->bindPolicy->setCurrentItem(i);
+			break;
+		}
+	}
+	base->ldapBindTimeout->setValue(m_ldapBindTimeout);
+	for (i=0; i<base->passwordHash->count(); i++) {
+		if (base->passwordHash->text(i).lower() == m_passwordHash.lower()) {
+			base->passwordHash->setCurrentItem(i);
+			break;
+		}
+	}
+	base->ignoredUsers->setText(m_ignoredUsers);
+
+	updateRealmList();
+
+	processLockouts();
+	
+	emit changed(useDefaults);
+}
+
+void LDAPConfig::updateRealmList() {
+	base->ldapRealmList->clear();
+	base->defaultRealm->clear();
+	LDAPRealmConfigList::Iterator it;
+	for (it = m_realms.begin(); it != m_realms.end(); ++it) {
+		LDAPRealmConfig realmcfg = it.data();
+		(void)new TQListViewItem(base->ldapRealmList, ((realmcfg.bonded)?i18n("Bonded"):i18n("Deactivated")), realmcfg.name);
+		base->defaultRealm->insertItem(realmcfg.name);
+	}
+	if (m_defaultRealm != "") {
+		for (int i=0; i<base->defaultRealm->count(); i++) {
+			if (base->defaultRealm->text(i) == m_defaultRealm) {
+				base->defaultRealm->setCurrentItem(i);
+				break;
+			}
+		}
+	}
+	processLockouts();
+}
+
+void LDAPConfig::defaults() {
+	
+}
+
+void LDAPConfig::save() {
+	// Write system configuration
+	systemconfig->setGroup(NULL);
+	systemconfig->writeEntry("EnableLDAP", base->systemEnableSupport->isChecked());
+	systemconfig->writeEntry("HostFQDN", m_fqdn);
+	m_defaultRealm = base->defaultRealm->currentText();
+	m_ticketLifetime = base->ticketLifetime->value();
+
+	m_ldapVersion = base->ldapVersion->value();
+	m_ldapTimeout = base->ldapTimeout->value();
+	m_bindPolicy = base->bindPolicy->currentText();
+	m_ldapBindTimeout = base->ldapBindTimeout->value();
+	m_passwordHash = base->passwordHash->currentText();
+	m_ignoredUsers = base->ignoredUsers->text();
+
+	if (m_defaultRealm != "") {
+		systemconfig->writeEntry("DefaultRealm", m_defaultRealm);
+	}
+	else {
+		systemconfig->deleteEntry("DefaultRealm");
+	}
+	systemconfig->writeEntry("TicketLifetime", m_ticketLifetime);
+
+	systemconfig->writeEntry("ConnectionLDAPVersion", m_ldapVersion);
+	systemconfig->writeEntry("ConnectionLDAPTimeout", m_ldapTimeout);
+	systemconfig->writeEntry("ConnectionBindPolicy", m_bindPolicy);
+	systemconfig->writeEntry("ConnectionBindTimeout", m_ldapBindTimeout);
+	systemconfig->writeEntry("ConnectionPasswordHash", m_passwordHash);
+	systemconfig->writeEntry("ConnectionIgnoredUsers", m_ignoredUsers);
+
+	LDAPManager::writeTDERealmList(m_realms, systemconfig);
+	systemconfig->sync();
+
+	if (base->systemEnableSupport->isChecked()) {
+		// Write the Kerberos5 configuration file
+		writeKrb5ConfFile();
+		// Write the LDAP configuration file
+		writeLDAPConfFile();
+		// Write the NSSwitch configuration file
+		writeNSSwitchFile();
+		// Write the PAM configuration files
+		writePAMFiles();
+		// Write the cron files
+		writeCronFiles();
+		// RAJA FIXME
+		// Update the SUDOERS file with the domain-wide computer local admin group!
+	}
+
+	load();
+}
+
+void LDAPConfig::processLockouts() {
+	bool panelIsEnabled = (base->systemEnableSupport->isEnabled() && base->systemEnableSupport->isChecked());
+
+	base->groupRealms->setEnabled(panelIsEnabled);
+	base->groupKrbDefaults->setEnabled(panelIsEnabled);
+	base->groupConnectionParameters->setEnabled(panelIsEnabled);
+
+	TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
+	if (selrealm) {
+		LDAPRealmConfig realmcfg = m_realms[selrealm->text(1)];
+		base->btnBondRealm->setEnabled(true);
+		base->btnReBondRealm->setEnabled(true);
+		if (realmcfg.bonded) {
+			base->btnDeactivateRealm->setEnabled(true);
+			base->btnRemoveRealm->setEnabled(false);
+			base->btnRealmProperties->setEnabled(false);
+		}
+		else {
+			base->btnDeactivateRealm->setEnabled(false);
+			base->btnRemoveRealm->setEnabled(true);
+			base->btnRealmProperties->setEnabled(true);
+		}
+	}
+	else {
+		base->btnBondRealm->setEnabled(true);
+		base->btnReBondRealm->setEnabled(false);
+		base->btnDeactivateRealm->setEnabled(false);
+		base->btnRemoveRealm->setEnabled(false);
+		base->btnRealmProperties->setEnabled(false);
+	}
+}
+
+void LDAPConfig::bondToNewRealm() {
+	// Something will probably change
+	save();
+
+	BondWizard bondwizard(&m_realms, this, this);
+	bondwizard.exec();
+
+	// Something probably changed
+	load();
+}
+
+void LDAPConfig::reBondToRealm() {
+	TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
+	if (selrealm) {
+		TQString realmName = selrealm->text(1);
+		LDAPRealmConfig realmcfg = m_realms[realmName];
+
+		// Password prompt...
+		TQString errorString;
+		LDAPPasswordDialog passdlg(this);
+		passdlg.m_base->ldapAdminRealm->setEnabled(false);
+		passdlg.m_base->ldapAdminRealm->setText(realmName);
+		if (passdlg.exec() == TQDialog::Accepted) {
+			setEnabled(false);
+			if (bondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) {
+				// Success!
+				realmcfg.bonded = true;
+				m_realms.remove(realmName);
+				m_realms.insert(realmName, realmcfg);
+				save();
+			}
+			else {
+				KMessageBox::error(this, i18n("<qt><b>Unable to bond to realm!</b><p>Details: %1</qt>").arg(errorString), i18n("Unable to Bond to Realm"));
+			}
+			setEnabled(true);
+		}
+	}
+	updateRealmList();
+}
+
+void LDAPConfig::removeRealm() {
+	TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
+	if (selrealm) {
+		m_realms.remove(selrealm->text(1));
+		updateRealmList();
+		changed();
+	}
+}
+
+void LDAPConfig::deactivateRealm() {
+	TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
+	if (selrealm) {
+		TQString realmName = selrealm->text(1);
+		LDAPRealmConfig realmcfg = m_realms[realmName];
+		if (realmcfg.bonded == true) {
+			// Password prompt...
+			TQString errorString;
+			LDAPPasswordDialog passdlg(this);
+			passdlg.m_base->ldapAdminRealm->setEnabled(false);
+			passdlg.m_base->ldapAdminRealm->setText(realmName);
+			passdlg.m_base->passprompt->setText(i18n("Please provide LDAP realm administrator credentials below to complete the unbonding process"));
+			if (passdlg.exec() == TQDialog::Accepted) {
+				setEnabled(false);
+				if (unbondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) {
+					// Success!
+					realmcfg.bonded = false;
+					m_realms.remove(realmName);
+					m_realms.insert(realmName, realmcfg);
+					save();
+				}
+				else {
+					KMessageBox::error(this, i18n("<qt><b>Unable to unbond from realm!</b><p>%1</qt>").arg(errorString), i18n("Unable to Unbond from Realm"));
+				}
+				setEnabled(true);
+			}
+		}
+	}
+	updateRealmList();
+}
+
+TQString readFullLineFromPtyProcess(PtyProcess* proc) {
+	TQString result = "";
+	while ((!result.contains("\n")) && (!result.contains(":")) && (!result.contains(">"))) {
+		result = result + TQString(proc->readLine(false));
+		tqApp->processEvents();
+	}
+	return result;
+}
+
+int LDAPConfig::bondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) {
+	TQCString command = "kadmin";
+	QCStringList args;
+	args << TQCString("-p") << TQCString(adminUserName+"@"+(adminRealm.upper())) << TQCString("-r") << TQCString(adminRealm.upper());
+
+	TQString hoststring = "host/"+m_fqdn;
+
+	TQString prompt;
+	PtyProcess kadminProc;
+	kadminProc.exec(command, args);
+	prompt = kadminProc.readLine(true);
+	prompt = prompt.stripWhiteSpace();
+	if (prompt == "kadmin>") {
+		kadminProc.writeLine(TQCString("ext "+hoststring), true);
+		prompt = kadminProc.readLine(true);	// Discard our own input
+		prompt = readFullLineFromPtyProcess(&kadminProc);
+		prompt = prompt.stripWhiteSpace();
+		if (prompt.endsWith(" Password:")) {
+			kadminProc.writeLine(adminPassword, true);
+			prompt = kadminProc.readLine(true);	// Discard our own input
+			prompt = kadminProc.readLine(true);
+			prompt = prompt.stripWhiteSpace();
+		}
+		if (prompt.contains("authentication failed")) {
+			if (errstr) *errstr = prompt;
+			kadminProc.writeLine("quit", true);
+			return 1;
+		}
+		else if (prompt.endsWith("Principal does not exist")) {
+			kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true);
+			prompt = kadminProc.readLine(true);	// Discard our own input
+			prompt = readFullLineFromPtyProcess(&kadminProc);
+			prompt = prompt.stripWhiteSpace();
+			// Use all defaults
+			while (prompt != "kadmin>") {
+				if (prompt.endsWith(" Password:")) {
+					kadminProc.writeLine(adminPassword, true);
+					prompt = kadminProc.readLine(true);	// Discard our own input
+					prompt = kadminProc.readLine(true);
+					prompt = prompt.stripWhiteSpace();
+				}
+				if (prompt.contains("authentication failed")) {
+					if (errstr) *errstr = prompt;
+					kadminProc.writeLine("quit", true);
+					return 1;
+				}
+				else {
+					// Extract whatever default is in the [brackets] and feed it back to kadmin
+					TQString defaultParam;
+					int leftbracket = prompt.find("[");
+					int rightbracket = prompt.find("]");
+					if ((leftbracket >= 0) && (rightbracket >= 0)) {
+						leftbracket++;
+						defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket);
+					}
+					kadminProc.writeLine(TQCString(defaultParam), true);
+					prompt = kadminProc.readLine(true);	// Discard our own input
+					prompt = kadminProc.readLine(true);
+					prompt = prompt.stripWhiteSpace();
+				}
+			}
+			kadminProc.writeLine(TQCString("ext "+hoststring), true);
+			prompt = kadminProc.readLine(true);	// Discard our own input
+			prompt = readFullLineFromPtyProcess(&kadminProc);
+			prompt = prompt.stripWhiteSpace();
+			if (prompt != "kadmin>") {
+				if (errstr) *errstr = prompt;
+				kadminProc.writeLine("quit", true);
+				return 1;
+			}
+
+			// Success!
+			kadminProc.writeLine("quit", true);
+			return 0;
+		}
+		else if (prompt == "kadmin>") {
+			// Success!
+			kadminProc.writeLine("quit", true);
+			return 0;
+		}
+
+		// Failure
+		if (errstr) *errstr = prompt;
+		kadminProc.writeLine("quit", true);
+		return 1;
+	}
+
+	if (errstr) *errstr = "Internal error.  Verify that kadmin exists and can be executed.";
+	return 1;	// Failure
+}
+
+int LDAPConfig::unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) {
+	TQCString command = "kadmin";
+	QCStringList args;
+	args << TQCString("-p") << TQCString(adminUserName+"@"+(adminRealm.upper()));
+
+	TQString hoststring = "host/"+m_fqdn;
+
+	TQString prompt;
+	PtyProcess kadminProc;
+	kadminProc.exec(command, args);
+	prompt = kadminProc.readLine(true);
+	prompt = prompt.stripWhiteSpace();
+	if (prompt == "kadmin>") {
+		kadminProc.writeLine(TQCString("delete "+hoststring), true);
+		prompt = kadminProc.readLine(true);	// Discard our own input
+		prompt = readFullLineFromPtyProcess(&kadminProc);
+		prompt = prompt.stripWhiteSpace();
+		if (prompt.endsWith(" Password:")) {
+			kadminProc.writeLine(adminPassword, true);
+			prompt = kadminProc.readLine(true);	// Discard our own input
+			prompt = kadminProc.readLine(true);
+			prompt = prompt.stripWhiteSpace();
+		}
+		if (prompt != "kadmin>") {
+			if (errstr) *errstr = prompt;
+			kadminProc.writeLine("quit", true);
+			return 1;
+		}
+
+		// Success!
+		kadminProc.writeLine("quit", true);
+		return 0;
+	}
+
+	return 1;	// Failure
+}
+
+void LDAPConfig::realmProperties() {
+	TQListViewItem *selrealm = base->ldapRealmList->selectedItem();
+	if (selrealm) {
+		RealmPropertiesDialog rpdialog(&m_realms, selrealm->text(1), this);
+		if (rpdialog.exec() == TQDialog::Accepted) {
+			updateRealmList();
+			changed();
+		}
+	}
+}
+
+void LDAPConfig::writeKrb5ConfFile() {
+	TQFile file(KRB5_FILE);
+	if (file.open(IO_WriteOnly)) {
+		TQTextStream stream( &file );
+
+		stream << "# This file was automatically generated by TDE\n";
+		stream << "# All changes will be lost!\n";
+		stream << "\n";
+
+		// Defaults
+		stream << "[libdefaults]\n";
+		stream << "    ticket_lifetime = " << m_ticketLifetime << "\n";
+		if (m_defaultRealm != "") {
+			stream << "    default_realm = " << m_defaultRealm << "\n";
+		}
+		stream << "\n";
+
+		// Realms
+		stream << "[realms]\n";
+		LDAPRealmConfigList::Iterator it;
+		for (it = m_realms.begin(); it != m_realms.end(); ++it) {
+			LDAPRealmConfig realmcfg = it.data();
+			stream << "   " << realmcfg.name << " = {\n";
+			stream << "        kdc = " << realmcfg.kdc << ":" << realmcfg.kdc_port << "\n";
+			stream << "        admin_server = " << realmcfg.admin_server << ":" << realmcfg.admin_server_port << "\n";
+			stream << "        pkinit_require_eku = " << (realmcfg.pkinit_require_eku?"true":"false") << "\n";
+			stream << "        pkinit_require_krbtgt_otherName = " << (realmcfg.pkinit_require_krbtgt_otherName?"true":"false") << "\n";
+			stream << "        win2k_pkinit = " << (realmcfg.win2k_pkinit?"yes":"no") << "\n";
+			stream << "        win2k_pkinit_require_binding = " << (realmcfg.win2k_pkinit_require_binding?"yes":"no") << "\n";
+			stream << "   }\n";
+		}
+		stream << "\n";
+
+		// Domain aliases
+		stream << "[domain_realm]\n";
+		LDAPRealmConfigList::Iterator it2;
+		for (it2 = m_realms.begin(); it2 != m_realms.end(); ++it2) {
+			LDAPRealmConfig realmcfg = it2.data();
+			TQStringList domains = realmcfg.domain_mappings;
+			for (TQStringList::Iterator it3 = domains.begin(); it3 != domains.end(); ++it3 ) {
+				stream << "    " << *it3 << " = " << realmcfg.name << "\n";
+			}
+		}
+
+		file.close();
+	}
+}
+
+void LDAPConfig::writeLDAPConfFile() {
+	LDAPManager::writeLDAPConfFile(m_realms[m_defaultRealm]);
+}
+
+void LDAPConfig::writeNSSwitchFile() {
+	TQFile file(NSSWITCH_FILE);
+	if (file.open(IO_WriteOnly)) {
+		TQTextStream stream( &file );
+
+		stream << "# This file was automatically generated by TDE\n";
+		stream << "# All changes will be lost!\n";
+		stream << "\n";
+		stream << "passwd:         files ldap [NOTFOUND=return] db" << "\n";
+		stream << "group:          files ldap [NOTFOUND=return] db" << "\n";
+		stream << "shadow:         files ldap [NOTFOUND=return] db" << "\n";
+		stream << "\n";
+		stream << "hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4" << "\n";
+		stream << "networks:       files" << "\n";
+		stream << "\n";
+		stream << "protocols:      db files" << "\n";
+		stream << "services:       db files" << "\n";
+		stream << "ethers:         db files" << "\n";
+		stream << "rpc:            db files" << "\n";
+		stream << "\n";
+		stream << "netgroup:       nis" << "\n";
+
+		file.close();
+	}
+}
+
+void LDAPConfig::writePAMFiles() {
+	TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT);
+	if (file.open(IO_WriteOnly)) {
+		TQTextStream stream( &file );
+
+		stream << "# This file was automatically generated by TDE\n";
+		stream << "# All changes will be lost!\n";
+		stream << "\n";
+		stream << "account sufficient pam_unix.so nullok_secure" << "\n";
+		stream << "account sufficient pam_ldap.so" << "\n";
+		stream << "account required pam_permit.so" << "\n";
+
+		file.close();
+	}
+
+	TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH);
+	if (file2.open(IO_WriteOnly)) {
+		TQTextStream stream( &file2 );
+
+		stream << "# This file was automatically generated by TDE\n";
+		stream << "# All changes will be lost!\n";
+		stream << "\n";
+		stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n";
+		stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
+		stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
+		stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
+		stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
+		stream << "auth required pam_deny.so" << "\n";
+
+		file2.close();
+	}
+}
+
+void LDAPConfig::writeCronFiles() {
+	TQFile file(CRON_UPDATE_NSS_FILE);
+	if (file.open(IO_WriteOnly)) {
+		TQTextStream stream( &file );
+
+		stream << "# This file was automatically generated by TDE\n";
+		stream << "# All changes will be lost!\n";
+		stream << "\n";
+		stream << "#!/bin/sh" << "\n";
+		stream << "/usr/sbin/nss_updatedb ldap" << "\n";
+
+		file.close();
+	}
+}
+
+int LDAPConfig::buttons() {
+	return KCModule::Apply|KCModule::Help;
+}
+
+TQString LDAPConfig::quickHelp() const
+{
+	return i18n("This module configures which LDAP realms TDE uses for authentication.");
+}