authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2013-07-01 19:05:32 +0000
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2013-07-01 19:05:32 +0000
commit2a0b3a4f1d16ad0afa36cf62ddce4f8eb44f287c (patch)
treec8679034447d54ad52409e7b2f19bc4b31055393
parentf5f1d1557d02a5cd1b1beb407ba553cbc01a0047 (diff)
downloadkcmldapcontroller-2a0b3a4f1d16ad0afa36cf62ddce4f8eb44f287c.tar.gz
kcmldapcontroller-2a0b3a4f1d16ad0afa36cf62ddce4f8eb44f287c.zip
Add initial support for realm-wide certificate authority certificates
-rw-r--r--cert-updater/main.cpp170
-rw-r--r--confskel/openldap/ldif/tde-core.ldif4
-rw-r--r--src/ldapcontroller.cpp154
-rw-r--r--src/ldapcontroller.h1
-rw-r--r--src/ldapcontrollerconfigbase.ui75
-rw-r--r--src/primaryrealmwizard/certconfigpagedlg.ui2
6 files changed, 324 insertions, 82 deletions
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index adb21dd..e4acaa5 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -44,6 +44,18 @@ static const char description[] =
static const char version[] = "v0.0.1";
+static const TDECmdLineOptions options[] =
+{
+ { "force", I18N_NOOP("Force certificate update"), 0 },
+ TDECmdLineLastOption // End of options.
+};
+
+void chown_safe(const char * file, uid_t user, gid_t group) {
+ if (chown(file, user, group) < 0) {
+ printf("[ERROR] Chown call to '%s' for %d:%d failed!\n\r", file, user, group);
+ }
+}
+
int uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr) {
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
TQFile cafile(KERBEROS_PKI_PEM_FILE);
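Review bot: The new chown_safe() prints `uid_t`/`gid_t` with `%d`; on glibc both are unsigned int, so `%u` (or a cast to int) matches the argument type and avoids the format-mismatch warning, e.g. `printf("[ERROR] Chown call to '%s' for %u:%u failed!\n", file, (unsigned)user, (unsigned)group);`. The helper is a verbatim copy of the one in src/ldapcontroller.cpp (hunk at L270-L275), which has the same format string; the two will drift unless one shared definition is used.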
@@ -61,15 +73,23 @@ int main(int argc, char *argv[])
{
TDEAboutData aboutData( "primaryrccertupdater", I18N_NOOP("Realm Certificate Updater"),
version, description, TDEAboutData::License_GPL,
- "(c) 2012, Timothy Pearson");
+ "(c) 2012-2013, Timothy Pearson");
aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
TDECmdLineArgs::init( argc, argv, &aboutData );
+ TDECmdLineArgs::addCmdLineOptions(options);
TDEApplication::disableAutoDcopRegistration();
TDEApplication app(false, false);
TDEStartupInfo::appStarted();
+ TDECmdLineArgs *args = TDECmdLineArgs::parsedArgs();
+
+ bool force_update = false;
+ if (args->isSet("force")) {
+ force_update = true;
+ }
+
//======================================================================================================================================================
//
// Updater code follows
@@ -107,33 +127,133 @@ int main(int argc, char *argv[])
ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server);
// Certificate Authority
- if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
- certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
- if (certExpiry >= now) {
- printf("Certificate %s expires %s\n", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
- }
- if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
- printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
- LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
-
- TQString realmname = m_defaultRealm.upper();
- LDAPCredentials* credentials = new LDAPCredentials;
- credentials->username = "";
- credentials->password = "";
- credentials->realm = realmname;
- LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
-
- // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
- TQString errorstring;
- if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
- printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
+ TQString fqdn = LDAPManager::getMachineFQDN();
+ TQString defaultRealm = m_systemconfig->readEntry("DefaultRealm");
+
+ // Connect to LDAP
+ TQString realmname = defaultRealm.upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "";
+ credentials->password = "";
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+ TQString errorstring;
+
+ TQString basedn = ldap_mgr->basedn();
+
+ // Get certificate settings from LDAP
+ TQString realmCAMaster = ldap_mgr->getRealmCAMaster(&errorstring);
+
+ delete ldap_mgr;
+ delete credentials;
+
+ if (realmCAMaster == fqdn) {
+ printf("This server is the realm CA master\n"); fflush(stdout);
+ if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
+ certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
+ if (certExpiry >= now) {
+ printf("Certificate %s expires %s\n", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
+ }
+ if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+ printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
+ LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+
+ TQString realmname = m_defaultRealm.upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "";
+ credentials->password = "";
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+
+ // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+ TQString errorstring;
+ if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
+ printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
+ }
+
+ delete ldap_mgr;
}
- delete ldap_mgr;
+ // Set permissions
+ chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
+ chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
+ chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
+ }
+ else {
+ printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
}
}
else {
- printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
+ printf("This server is a realm CA slave\n"); fflush(stdout);
+
+ // Connect to LDAP
+ TQString realmname = defaultRealm.upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "cn=admin," + basedn;
+ m_systemconfig->setGroup("Replication");
+ credentials->password = m_systemconfig->readEntry("Password");
+ m_systemconfig->setGroup(NULL);
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, TQString("ldaps://%1/").arg(realmCAMaster), credentials);
+ TQString errorstring;
+
+ if (ldap_mgr->getTDECertificate("privateRootCertificateKey", KERBEROS_PKI_PEMKEY_FILE ".tmp", &errorstring) != 0) {
+ printf("[ERROR] Unable to get private CA certificate key from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
+ }
+ if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PEM_FILE ".tmp", &errorstring) != 0) {
+ printf("[ERROR] Unable to get public CA certificate from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
+ }
+
+ delete ldap_mgr;
+ delete credentials;
+
+ TQByteArray originalPemKeyFile;
+ TQByteArray originalPemFile;
+ TQByteArray newPemKeyFile;
+ TQByteArray newPemFile;
+
+ TQFile* cafile;
+ cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE);
+ if (cafile->open(IO_ReadOnly)) {
+ originalPemKeyFile = cafile->readAll();
+ }
+ delete cafile;
+ cafile = new TQFile(KERBEROS_PKI_PEM_FILE);
+ if (cafile->open(IO_ReadOnly)) {
+ originalPemFile = cafile->readAll();
+ }
+ delete cafile;
+ cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE ".tmp");
+ if (cafile->open(IO_ReadOnly)) {
+ newPemKeyFile = cafile->readAll();
+ }
+ delete cafile;
+ cafile = new TQFile(KERBEROS_PKI_PEM_FILE ".tmp");
+ if (cafile->open(IO_ReadOnly)) {
+ newPemFile = cafile->readAll();
+ }
+ delete cafile;
+
+ if ((originalPemKeyFile == newPemKeyFile) && (originalPemFile == newPemFile)) {
+ unlink(KERBEROS_PKI_PEMKEY_FILE ".tmp");
+ unlink(KERBEROS_PKI_PEM_FILE ".tmp");
+ printf("Certificates have not changed since last update\n");
+ }
+ else {
+ unlink(KERBEROS_PKI_PEMKEY_FILE);
+ unlink(KERBEROS_PKI_PEM_FILE);
+ rename(KERBEROS_PKI_PEMKEY_FILE ".tmp", KERBEROS_PKI_PEMKEY_FILE);
+ rename(KERBEROS_PKI_PEM_FILE ".tmp", KERBEROS_PKI_PEM_FILE);
+ force_update = true;
+ printf("Certificates have changed, forcing certificate regeneration\n");
+ }
+
+ // Set permissions
+ chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
+ chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
+ chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
}
// Kerberos
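Review bot: On the CA-slave path a failed getTDECertificate() call is only logged and execution falls through to the compare-and-replace block, so an absent `.tmp` file compares unequal to the installed file, the installed key and certificate are unlinked, and the rename() of the missing `.tmp` fails — leaving the slave with no CA files at all. Both fetches should abort the replacement before the unlink()/rename() sequence; the unlink() of the live files is also unnecessary because rename() replaces the target atomically, and the rename()/chmod() return values are unchecked. The private CA key is first written to `KERBEROS_PKI_PEMKEY_FILE ".tmp"` with whatever mode getTDECertificate() and the process umask produce and is only chmod'd after the rename, so a `umask(S_IRWXG|S_IRWXO)` before the fetch (or a chmod of the `.tmp` file right after it) would close that window. main() begins and ends outside this hunk.
```cpp
	bool fetch_failed = false;
	if (ldap_mgr->getTDECertificate("privateRootCertificateKey", KERBEROS_PKI_PEMKEY_FILE ".tmp", &errorstring) != 0) {
		printf("[ERROR] Unable to get private CA certificate key from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
		fetch_failed = true;
	}
	if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PEM_FILE ".tmp", &errorstring) != 0) {
		printf("[ERROR] Unable to get public CA certificate from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
		fetch_failed = true;
	}

	delete ldap_mgr;
	delete credentials;

	if (fetch_failed) {
		// Keep the currently installed CA files; never replace them with a partial download
		unlink(KERBEROS_PKI_PEMKEY_FILE ".tmp");
		unlink(KERBEROS_PKI_PEM_FILE ".tmp");
	}
	else {
		// … unchanged: read installed and .tmp files into originalPem*/newPem* …
		if ((originalPemKeyFile == newPemKeyFile) && (originalPemFile == newPemFile)) {
			// … unchanged: remove .tmp files, report no change …
		}
		else {
			// rename() replaces the target atomically; no unlink() of the live files first
			if ((rename(KERBEROS_PKI_PEMKEY_FILE ".tmp", KERBEROS_PKI_PEMKEY_FILE) != 0) ||
			    (rename(KERBEROS_PKI_PEM_FILE ".tmp", KERBEROS_PKI_PEM_FILE) != 0)) {
				printf("[ERROR] Unable to install updated CA files!\n"); fflush(stdout);
			}
			else {
				force_update = true;
				printf("Certificates have changed, forcing certificate regeneration\n");
			}
		}
	}
	// … unchanged: set permissions …
```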
@@ -142,7 +262,7 @@ int main(int argc, char *argv[])
if (certExpiry >= now) {
printf("Certificate %s expires %s\n", kdc_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
- if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+ if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
printf("Regenerating certificate %s...\n", kdc_certfile.ascii()); fflush(stdout);
LDAPManager::generatePublicKerberosCertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
}
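Review bot: `force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))` reduces to `force_update || (certExpiry < soon)` whenever `now <= soon`, which reads more directly; the same expression appears at L114 and in the hunk at L226-L234. In the same spirit, `bool force_update = args->isSet("force");` would replace the four-line if at L56-L59. main() begins and ends outside this hunk.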
@@ -157,7 +277,7 @@ int main(int argc, char *argv[])
if (certExpiry >= now) {
printf("Certificate %s expires %s\n", ldap_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
- if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+ if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
printf("Regenerating certificate %s...\n", ldap_certfile.ascii()); fflush(stdout);
uid_t slapd_uid = 0;
gid_t slapd_gid = 0;
diff --git a/confskel/openldap/ldif/tde-core.ldif b/confskel/openldap/ldif/tde-core.ldif
index a823c46..75be21f 100644
--- a/confskel/openldap/ldif/tde-core.ldif
+++ b/confskel/openldap/ldif/tde-core.ldif
@@ -24,8 +24,10 @@ olcAttributeTypes: {15} ( 1.3.6.1.4.1.40364.1.1.16 NAME 'builtinRealmAdminAccoun
olcAttributeTypes: {16} ( 1.3.6.1.4.1.40364.1.1.17 NAME 'builtinRealmAdminGroup' DESC 'Built-in realm administrative group distinguished name' SUP name )
olcAttributeTypes: {17} ( 1.3.6.1.4.1.40364.1.1.18 NAME 'builtinMachineAdminGroup' DESC 'Built-in local machine administrative group distinguished name' SUP name )
olcAttributeTypes: {18} ( 1.3.6.1.4.1.40364.1.1.19 NAME 'builtinStandardUserGroup' DESC 'Built-in standard user group distinguished name' SUP name )
+# Used for storing certificate management settings
+olcAttributeTypes: {19} ( 1.3.6.1.4.1.40364.1.1.20 NAME 'publicRootCertificateOriginServer' DESC 'Certificate authority root certificate origin server' SUP name )
olcObjectClasses: {0} ( 1.3.6.1.4.1.40364.1.2.1 NAME 'tdeExtendedUserData' SUP top AUXILIARY MAY ( website
URL $ managerName $ secretaryName $ teletexId $ preferredDelivery $ locallyUniqueID $ notes $ pwdLastSet $ badPwdCount $ badPasswordTime $ lastLogon $ lastLogoff ) )
olcObjectClasses: {1} ( 1.3.6.1.4.1.40364.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY tdeBuiltinAccount )
-olcObjectClasses: {2} ( 1.3.6.1.4.1.40364.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey ) )
+olcObjectClasses: {2} ( 1.3.6.1.4.1.40364.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate $ privateRootCertificateKey $ publicRootCertificateOriginServer ) )
olcObjectClasses: {3} ( 1.3.6.1.4.1.40364.1.2.4 NAME 'tdeBuiltinStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ builtinRealmAdminAccount $ builtinRealmAdminGroup $ builtinMachineAdminGroup $ builtinStandardUserGroup ) ) \ No newline at end of file
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index 27ae4cb..d8f344a 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -118,6 +118,8 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
connect(m_base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
connect(m_base->systemRole, TQT_SIGNAL(activated(const TQString&)), this, TQT_SLOT(systemRoleChanged()));
+ connect(m_base->caSetMaster, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaSetMaster()));
+
connect(m_base->caRegenerate, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaRegenerate()));
connect(m_base->caExportKey, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExportKey()));
connect(m_base->caExportCert, TQT_SIGNAL(clicked()), this, TQT_SLOT(btncaExportCert()));
@@ -161,13 +163,13 @@ LDAPController::~LDAPController() {
void system_safe(const char * cmdstr) {
if (system(cmdstr) < 0) {
- printf("[ERROR] System call to '%s' failed!\n", cmdstr);
+ printf("[ERROR] System call to '%s' failed!\n\r", cmdstr);
}
}
void chown_safe(const char * file, uid_t user, gid_t group) {
if (chown(file, user, group) < 0) {
- printf("[ERROR] Chown call to '%s' for %d:%d failed!\n", file, user, group);
+ printf("[ERROR] Chown call to '%s' for %d:%d failed!\n\r", file, user, group);
}
}
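Review bot: The `\n` → `\n\r` change in these printf calls (here, in replacePlaceholdersInFile at L441-L455, in all the kadmin prompt loops at L456-L581, and in cert-updater/main.cpp's chown_safe) is the reverse of the conventional CRLF order; on a terminal it happens to work because `\r` after `\n` is a no-op, but anything else capturing stdout (a log file, journald) now sees a stray carriage return at the start of every following line. If raw-mode pty output is the intent, `\r\n` is the standard sequence; otherwise plain `\n` is preferable. I would also add a one-line comment at the first occurrence stating why the carriage return is needed, since it is not obvious from the code.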
@@ -298,6 +300,7 @@ void LDAPController::systemRoleChanged() {
LDAPManager::writeTDERealmList(realms, m_systemconfig);
m_systemconfig->setGroup(NULL);
m_systemconfig->deleteEntry("DefaultRealm");
+ m_systemconfig->deleteGroup("Replication", true, false);
m_systemconfig->sync();
pdialog.closeDialog();
@@ -357,33 +360,16 @@ void LDAPController::load() {
}
if (ldapRole == "Primary Realm Controller") {
m_base->systemRole->setCurrentItem(ROLE_PRIMARY_REALM_CONTROLLER);
-
- // Connect to LDAP
- TQString realmname = m_defaultRealm.upper();
- LDAPCredentials* credentials = new LDAPCredentials;
- credentials->username = "";
- credentials->password = "";
- credentials->realm = realmname;
- LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
- TQString errorstring;
-
- // Get replication mappings from LDAP
- LDAPMasterReplicationInfo replicationsettings = ldap_mgr->getLDAPMasterReplicationSettings(&errorstring);
- m_base->advancedEnableMultiMasterReplication->setChecked(replicationsettings.enabled);
- m_base->multiMasterReplicationMappings->clear();
- LDAPMasterReplicationMap::iterator it;
- for (it = replicationsettings.serverIDs.begin(); it != replicationsettings.serverIDs.end(); ++it) {
- new TQListViewItem(m_base->multiMasterReplicationMappings, TQString("%1").arg((*it).id), (*it).fqdn);
- }
-
- delete ldap_mgr;
- delete credentials;
}
else {
m_base->systemRole->setCurrentItem(ROLE_WORKSTATION);
}
m_prevRole = m_base->systemRole->currentItem();
+ // Load server-specific replication settings
+ m_systemconfig->setGroup("Replication");
+ m_base->ignoreReplicationSSLFailures->setChecked(m_systemconfig->readBoolEntry("IgnoreSSLFailures", false));
+
// Load cert config
m_systemconfig->setGroup("Certificates");
m_certconfig.countryName = m_systemconfig->readEntry("countryName");
@@ -415,9 +401,12 @@ void LDAPController::load() {
// Display builtin account and group names, and provide a password reset button for each builtin user (yes, this includes the LDAP admin account!)
// FIXME
// root account should not be locked to "admin"!
- // when fixing, please fix the other instance of locked "admin" in realmwizard.cpp ::accept()
+ // when fixing, please fix the two instances of locked "admin":
+ // 1.) in realmwizard.cpp ::accept()
+ // 2.) in LDAPManager::setLDAPMasterReplicationSettings()
m_base->ldapRootUser->setText(TQString("cn=%1,").arg("admin") + LDAPManager::ldapdnForRealm(m_defaultRealm));
+ // Connect to LDAP
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
credentials->username = "";
@@ -425,7 +414,22 @@ void LDAPController::load() {
credentials->realm = realmname;
LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
TQString errorstring;
+
+ // Get builtin TDE account mappings from LDAP
LDAPTDEBuiltinsInfo builtins = ldap_mgr->getTDEBuiltinMappings(&errorstring);
+
+ // Get replication mappings from LDAP
+ LDAPMasterReplicationInfo replicationsettings = ldap_mgr->getLDAPMasterReplicationSettings(&errorstring);
+ m_base->advancedEnableMultiMasterReplication->setChecked(replicationsettings.enabled);
+ m_base->multiMasterReplicationMappings->clear();
+ LDAPMasterReplicationMap::iterator it;
+ for (it = replicationsettings.serverIDs.begin(); it != replicationsettings.serverIDs.end(); ++it) {
+ new TQListViewItem(m_base->multiMasterReplicationMappings, TQString("%1").arg((*it).id), (*it).fqdn);
+ }
+
+ // Get certificate settings from LDAP
+ TQString realmCAMaster = ldap_mgr->getRealmCAMaster(&errorstring);
+
delete ldap_mgr;
delete credentials;
@@ -434,6 +438,14 @@ void LDAPController::load() {
m_base->realmMachineAdminGroup->setText(LDAPManager::cnFromDn(builtins.builtinMachineAdminGroup));
m_base->realmStandardUserGroup->setText(LDAPManager::cnFromDn(builtins.builtinStandardUserGroup));
+ m_base->caCurrentMaster->setText(realmCAMaster);
+ if (m_fqdn == realmCAMaster) {
+ m_base->caSetMaster->setEnabled(false);
+ }
+ else {
+ m_base->caSetMaster->setEnabled(true);
+ }
+
updateCertDisplay();
m_certRefreshTimer.start(60*1000);
}
@@ -533,6 +545,37 @@ void LDAPController::updateCertDisplay() {
}
}
+void LDAPController::btncaSetMaster() {
+ if (KMessageBox::warningYesNo(this, i18n("<qt><b>You are about to promote the server '%1' to the role of Certificate Authority Master</b><p>Are you sure you want to proceed?</qt>").arg(m_fqdn), i18n("Confirmation Required")) == KMessageBox::Yes) {
+ TQString errorstring;
+
+ TQString realmname = m_defaultRealm.upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "";
+ credentials->password = "";
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+
+ if (ldap_mgr->setRealmCAMaster(m_fqdn, &errorstring) != 0) {
+ KMessageBox::error(0, i18n("<qt>Unable to change certificate authority master server!<p>%1</qt>").arg(errorstring), i18n("Internal Failure"));
+ delete ldap_mgr;
+ load();
+ return;
+ }
+
+ LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+
+ // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+ if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
+ KMessageBox::error(0, i18n("<qt>Unable to upload new certificate to LDAP server!<p>%1</qt>").arg(errorstring), i18n("Internal Failure"));
+ }
+
+ delete ldap_mgr;
+
+ load();
+ }
+}
+
void LDAPController::btncaRegenerate() {
LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
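Review bot: In btncaSetMaster() the `LDAPCredentials* credentials` allocated before the LDAPManager is never freed — both the early-return path and the normal path delete only `ldap_mgr`, unlike load() and the updater which delete both; add `delete credentials;` next to each `delete ldap_mgr;`. Promotion also regenerates the root CA immediately after setRealmCAMaster(), which replaces the realm's trust anchor, so it seems the KDC/LDAP TLS certificates issued under the old CA on every controller stop chaining until the updater's force path runs — if that reading is right, the confirmation text should say so. btncaRegenerate() continues outside this hunk.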
@@ -723,6 +766,11 @@ void LDAPController::btnChangeRealmAdminPassword() {
if (adminuserinfo.informationValid) {
adminuserinfo.new_password = adminPassword;
ldap_mgr->setPasswordForUser(adminuserinfo, &errorstring);
+
+ m_systemconfig->setGroup("Replication");
+ m_systemconfig->writeEntry("Password", adminPassword.data());
+ m_systemconfig->setGroup(NULL);
+ m_systemconfig->sync();
}
delete ldap_mgr;
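Review bot: The new lines persist the realm admin password in cleartext under `[Replication] Password` in the system config, and createNewLDAPRealm() (hunk at L597-L607) does the same; the page does not show the mode of that config file, so it is worth confirming it is created root-only, since save() later reuses this value as the inter-master sync password. The write here is unconditional even though the `setPasswordForUser()` result on the line above is not checked, so a failed LDAP update still records the new password and the two stores diverge — guard the write with that return value, e.g. `if (ldap_mgr->setPasswordForUser(adminuserinfo, &errorstring) == 0) { … }`. This hunk also writes `adminPassword.data()` while createNewLDAPRealm() writes `adminPassword` directly; pick one form. btnChangeRealmAdminPassword() begins and ends outside this hunk.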
@@ -853,6 +901,10 @@ void LDAPController::save() {
m_systemconfig->writeEntry("HostFQDN", m_fqdn);
m_systemconfig->writeEntry("LDAPRole", m_base->systemRole->currentText());
+ // Write server-specific replication settings
+ m_systemconfig->setGroup("Replication");
+ m_systemconfig->writeEntry("IgnoreSSLFailures", m_base->ignoreReplicationSSLFailures->isChecked());
+
// Write cert config
m_systemconfig->setGroup("Certificates");
m_systemconfig->writeEntry("countryName", m_certconfig.countryName);
@@ -891,6 +943,14 @@ void LDAPController::save() {
replicationSettings.serverIDs.append(mapping);
++it;
}
+ // Use the local password for inter-master authentication
+ // All realm controllers in a realm must (obviously) use the same admin/config password!
+ m_systemconfig->setGroup("Replication");
+ replicationSettings.syncPassword = m_systemconfig->readEntry("Password");
+ m_systemconfig->setGroup(NULL);
+
+ replicationSettings.ignore_ssl_failure = m_base->ignoreReplicationSSLFailures->isChecked();
+
if (ldap_mgr->setLDAPMasterReplicationSettings(replicationSettings, NULL) != 0) {
// ERROR
}
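Review bot: `replicationSettings.ignore_ssl_failure` is now driven directly by the new `ignoreReplicationSSLFailures` checkbox; when set, the ldaps:// sessions that carry the admin/sync password (and, on the updater's slave path in cert-updater/main.cpp, the realm CA private key) are presumably established without certificate validation, so the option deserves an explicit warning in the UI label or a log line when active, and the `false` default read in load() at L315 should stay. A short comment above the assignment stating that this disables peer verification for replication would also help the next reader. save() continues outside this hunk.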
@@ -983,13 +1043,13 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
}
else {
//KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(outfile), i18n("Internal Failure"));
- printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n", outfile.ascii()); fflush(stdout);
+ printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n\r", outfile.ascii()); fflush(stdout);
}
ifile.close();
}
else {
//KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
- printf("[INTERNAL FAILURE] Unable to open template schema file %s\n", infile.ascii()); fflush(stdout);
+ printf("[INTERNAL FAILURE] Unable to open template schema file %s\n\r", infile.ascii()); fflush(stdout);
}
// Keep UI responsive
@@ -1117,7 +1177,7 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt.contains("authentication failed")) {
@@ -1132,7 +1192,7 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt.startsWith("Realm max")) {
@@ -1141,7 +1201,7 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
}
@@ -1187,7 +1247,7 @@ int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt.contains("authentication failed")) {
@@ -1210,7 +1270,7 @@ int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
// Use all defaults
@@ -1235,7 +1295,7 @@ int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
}
@@ -1245,7 +1305,7 @@ int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt != "kadmin>") {
@@ -1296,7 +1356,7 @@ int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, T
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt.startsWith("ext --keytab="));
prompt = prompt.stripWhiteSpace();
if (prompt.contains("authentication failed")) {
@@ -1319,7 +1379,7 @@ int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, T
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
// Use all defaults
@@ -1344,7 +1404,7 @@ int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, T
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
}
@@ -1354,7 +1414,7 @@ int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, T
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt.startsWith("ext --keytab="));
prompt = prompt.stripWhiteSpace();
if (prompt != "kadmin>") {
@@ -1407,7 +1467,7 @@ int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *e
kadminProc.writeLine(command, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == TQString(command));
prompt = prompt.stripWhiteSpace();
if (prompt.contains("authentication failed")) {
@@ -1421,7 +1481,7 @@ int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *e
kadminProc.writeLine(user.password, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == "");
prompt = prompt.stripWhiteSpace();
if ((prompt.endsWith(" Password:")) && (prompt.startsWith("Verify"))) {
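Review bot: The `printf("(kadmin) '%s'\n\r", prompt.ascii())` loops that follow `kadminProc.writeLine(user.password, true)` (here and in the hunk at L573-L581) print whatever comes back on the pty, and the loop comment says that is our own echoed input; if kadmin echoes the password line, the password is written to stdout and to any log capturing it. For these two password-entry loops, either drop the printf or print only when the line is not the echoed secret, e.g. `if (prompt != user.password) { printf("(kadmin) '%s'\n\r", prompt.ascii()); }`. setKerberosPasswordForUser() begins and ends outside these hunks.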
@@ -1429,7 +1489,7 @@ int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *e
kadminProc.writeLine(user.password, true);
do { // Discard our own input
prompt = LDAPManager::readFullLineFromPtyProcess(&kadminProc);
- printf("(kadmin) '%s'\n", prompt.ascii());
+ printf("(kadmin) '%s'\n\r", prompt.ascii());
} while (prompt == "");
prompt = prompt.stripWhiteSpace();
}
@@ -1897,6 +1957,15 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
return -1;
}
+ // Set CA master
+ if (ldap_mgr->setRealmCAMaster(m_fqdn, &errorstring) != 0) {
+ delete ldap_mgr;
+ delete credentials;
+ if (errstr) *errstr = errorstring;
+ pdialog.closeDialog();
+ return -1;
+ }
+
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
delete ldap_mgr;
@@ -1937,6 +2006,11 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
LDAPManager::writeTDERealmList(realms, m_systemconfig);
m_systemconfig->setGroup(NULL);
m_systemconfig->writeEntry("DefaultRealm", realmconfig.name);
+
+ m_systemconfig->setGroup("Replication");
+ m_systemconfig->writeEntry("Password", adminPassword);
+ m_systemconfig->setGroup(NULL);
+
m_systemconfig->sync();
LDAPManager::writeLDAPConfFile(realmconfig);
diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h
index bfcfdcd..150addc 100644
--- a/src/ldapcontroller.h
+++ b/src/ldapcontroller.h
@@ -68,6 +68,7 @@ class LDAPController: public TDECModule
void processLockouts();
void updateCertDisplay();
+ void btncaSetMaster();
void btncaRegenerate();
void btncaExportKey();
void btncaExportCert();
diff --git a/src/ldapcontrollerconfigbase.ui b/src/ldapcontrollerconfigbase.ui
index 06cf035..3834e32 100644
--- a/src/ldapcontrollerconfigbase.ui
+++ b/src/ldapcontrollerconfigbase.ui
@@ -186,7 +186,31 @@
<property name="name">
<cstring>unnamed</cstring>
</property>
- <widget class="TQLabel" row="0" column="0" colspan="1">
+ <widget class="TQLabel" row="0" column="0" colspan="1" rowspan="1">
+ <property name="name">
+ <cstring>unnamed10</cstring>
+ </property>
+ <property name="text">
+ <cstring>Certificate Authority Master:</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="0" column="2" colspan="1" rowspan="1">
+ <property name="name">
+ <cstring>caCurrentMaster</cstring>
+ </property>
+ <property name="text">
+ <cstring></cstring>
+ </property>
+ </widget>
+ <widget class="TQPushButton" row="0" column="3" colspan="2" rowspan="1">
+ <property name="name">
+ <cstring>caSetMaster</cstring>
+ </property>
+ <property name="text">
+ <cstring>Promote This Server To CA Master</cstring>
+ </property>
+ </widget>
+ <widget class="TQLabel" row="1" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
@@ -194,12 +218,12 @@
<cstring>Certificate Authority:</cstring>
</property>
</widget>
- <widget class="TQLabel" row="1" column="0" colspan="1">
+ <widget class="TQLabel" row="2" column="0" colspan="1">
<property name="name">
<cstring>caExpiryString</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="0" column="2" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="1" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>caRegenerate</cstring>
</property>
@@ -207,7 +231,7 @@
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="0" column="3" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="1" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>caExportKey</cstring>
</property>
@@ -215,7 +239,7 @@
<cstring>Export Private Key</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="0" column="4" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="1" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>caExportCert</cstring>
</property>
@@ -223,7 +247,7 @@
<cstring>Export Public Certificate</cstring>
</property>
</widget>
- <widget class="TQLabel" row="2" column="0" colspan="1">
+ <widget class="TQLabel" row="3" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
@@ -231,12 +255,12 @@
<cstring>Kerberos:</cstring>
</property>
</widget>
- <widget class="TQLabel" row="3" column="0" colspan="1">
+ <widget class="TQLabel" row="4" column="0" colspan="1">
<property name="name">
<cstring>krbExpiryString</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="2" column="2" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="3" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>krbRegenerate</cstring>
</property>
@@ -244,7 +268,7 @@
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="2" column="3" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="3" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>krbExportKey</cstring>
</property>
@@ -252,7 +276,7 @@
<cstring>Export Private Key</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="2" column="4" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="3" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>krbExportCert</cstring>
</property>
@@ -260,7 +284,7 @@
<cstring>Export Public Certificate</cstring>
</property>
</widget>
- <widget class="TQLabel" row="4" column="0" colspan="1">
+ <widget class="TQLabel" row="5" column="0" colspan="1">
<property name="name">
<cstring>unnamed</cstring>
</property>
@@ -268,12 +292,12 @@
<cstring>LDAP TLS:</cstring>
</property>
</widget>
- <widget class="TQLabel" row="5" column="0" colspan="1">
+ <widget class="TQLabel" row="6" column="0" colspan="1">
<property name="name">
<cstring>ldapExpiryString</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="4" column="2" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="5" column="2" colspan="1" rowspan="2">
<property name="name">
<cstring>ldapRegenerate</cstring>
</property>
@@ -281,7 +305,7 @@
<cstring>Regenerate Certificate</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="4" column="3" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="5" column="3" colspan="1" rowspan="2">
<property name="name">
<cstring>ldapExportKey</cstring>
</property>
@@ -289,7 +313,7 @@
<cstring>Export Private Key</cstring>
</property>
</widget>
- <widget class="TQPushButton" row="4" column="4" colspan="1" rowspan="2">
+ <widget class="TQPushButton" row="5" column="4" colspan="1" rowspan="2">
<property name="name">
<cstring>ldapExportCert</cstring>
</property>
@@ -404,6 +428,27 @@
</widget>
</grid>
</widget>
+ <widget class="TQGroupBox" row="1" column="0">
+ <property name="name">
+ <cstring>groupMultiMasterReplication</cstring>
+ </property>
+ <property name="title">
+ <string>Advanced Replication Settings</string>
+ </property>
+ <grid>
+ <property name="name">
+ <cstring>unnamed</cstring>
+ </property>
+ <widget class="TQCheckBox" row="0" column="0" colspan="1">
+ <property name="name">
+ <cstring>ignoreReplicationSSLFailures</cstring>
+ </property>
+ <property name="text">
+ <string>&amp;Ignore SSL Failures</string>
+ </property>
+ </widget>
+ </grid>
+ </widget>
</grid>
</widget>
</widget>
diff --git a/src/primaryrealmwizard/certconfigpagedlg.ui b/src/primaryrealmwizard/certconfigpagedlg.ui
index 836cb59..4bdcfcb 100644
--- a/src/primaryrealmwizard/certconfigpagedlg.ui
+++ b/src/primaryrealmwizard/certconfigpagedlg.ui
@@ -203,7 +203,7 @@
<number>25</number>
</property>
<property name="filter">
- <cstring>*.key|Private Key (*.key)</cstring>
+ <cstring>*.key.pem|PKI Private Key (*.key.pem)</cstring>
</property>
</widget>
<widget class="TQLabel" row="13" column="0">