authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-08-31 23:11:58 +0000
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-08-31 23:11:58 +0000
commit18c4c3789722d6ebbf8b0bb8ce86a508d2aea2c5 (patch)
tree1c291b60a661e6ddbb115dc7af4d50de49c1743a
parent4df015f3265e825cf1375f8a68b3f096d56d084d (diff)
downloadkcmldapcontroller-18c4c378.tar.gz
kcmldapcontroller-18c4c378.zip
Use tdeldap library PKI certificate generation methods
-rw-r--r--cert-updater/main.cpp6
-rw-r--r--confskel/Makefile.am3
-rw-r--r--confskel/openssl/pki_extensions61
-rw-r--r--src/ldapcontroller.cpp8
4 files changed, 7 insertions, 71 deletions
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index e4042fb..0dc3a27 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -1,5 +1,5 @@
/***************************************************************************
- * Copyright (C) 2012 by Timothy Pearson *
+ * Copyright (C) 2012 - 2015 by Timothy Pearson *
* kb9vqf@pearsoncomputing.net *
* *
* This program is free software; you can redistribute it and/or modify *
@@ -73,7 +73,7 @@ int main(int argc, char *argv[])
{
TDEAboutData aboutData( "primaryrccertupdater", I18N_NOOP("Realm Certificate Updater"),
version, description, TDEAboutData::License_GPL,
- "(c) 2012-2013, Timothy Pearson");
+ "(c) 2012-2015, Timothy Pearson");
aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
TDECmdLineArgs::init( argc, argv, &aboutData );
TDECmdLineArgs::addCmdLineOptions(options);
@@ -160,7 +160,7 @@ int main(int argc, char *argv[])
}
if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
- LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+ LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
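Review bot: The new `m_realmconfig[m_defaultRealm]` argument on the `+` line is resolved with `operator[]`, which on a TQMap-style container default-inserts an empty entry when `m_defaultRealm` is not a key, so an unset or mistyped default realm would silently hand an empty realm configuration to the CA certificate generator instead of failing; if `m_realmconfig` is such a map, look the realm up once with `find()`/`contains()` and return before the call when it is absent. The same lookup is repeated in the three src/ldapcontroller.cpp hunks (btncaSetMaster, btncaRegenerate and createRealmCertificates). The result of generatePublicKerberosCACertificate is also still discarded before the realm credentials are built; if it reports failure, check it so that an unchanged or partially written `KERBEROS_PKI_PEM_FILE` is not treated as freshly regenerated. main() continues outside the hunk.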
diff --git a/confskel/Makefile.am b/confskel/Makefile.am
index 42f25a9..2f5fe92 100644
--- a/confskel/Makefile.am
+++ b/confskel/Makefile.am
@@ -14,6 +14,3 @@ ldapldifskel_DATA = openldap/ldif/*
saslskeldir = $(confskeldir)/sasl
saslskel_DATA = sasl/*
-
-sslskeldir = $(confskeldir)/openssl
-sslskel_DATA = openssl/* \ No newline at end of file
diff --git a/confskel/openssl/pki_extensions b/confskel/openssl/pki_extensions
deleted file mode 100644
index d841890..0000000
--- a/confskel/openssl/pki_extensions
+++ /dev/null
@@ -1,61 +0,0 @@
-[ kdc_cert ]
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
-
-#Pkinit EKU
-extendedKeyUsage = 1.3.6.1.5.2.3.5
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-# Copy subject details
-
-issuerAltName=issuer:copy
-
-# Add id-pkinit-san (pkinit subjectAlternativeName)
-subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
-
-[kdc_princ_name]
-realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
-principal_name = EXP:1, SEQUENCE:kdc_principal_seq
-
-[kdc_principal_seq]
-name_type = EXP:0, INTEGER:1
-name_string = EXP:1, SEQUENCE:kdc_principals
-
-[kdc_principals]
-princ1 = GeneralString:krbtgt
-princ2 = GeneralString:@@@REALM_UCNAME@@@
-
-[ client_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-basicConstraints=CA:FALSE
-
-keyUsage = digitalSignature, keyEncipherment, keyAgreement
-
-extendedKeyUsage = 1.3.6.1.5.2.3.4
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-
-subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
-
-
-# Copy subject details
-
-issuerAltName=issuer:copy
-
-[princ_name]
-realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@
-principal_name = EXP:1, SEQUENCE:principal_seq
-
-[principal_seq]
-name_type = EXP:0, INTEGER:1
-name_string = EXP:1, SEQUENCE:principals
-
-[principals]
-princ1 = GeneralString:@@@KDCSERVER@@@
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index d88bd34..705ba2b 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -590,7 +590,7 @@ void LDAPController::btncaSetMaster() {
return;
}
- LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+ LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
@@ -604,7 +604,7 @@ void LDAPController::btncaSetMaster() {
}
void LDAPController::btncaRegenerate() {
- LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+ LDAPManager::generatePublicKerberosCACertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
TQString realmname = m_defaultRealm.upper();
LDAPCredentials* credentials = new LDAPCredentials;
@@ -1591,7 +1591,7 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
- LDAPManager::generatePublicKerberosCACertificate(certinfo);
+ LDAPManager::generatePublicKerberosCACertificate(certinfo, m_realmconfig[m_defaultRealm]);
// KDC certificate
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
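Review bot: createRealmCertificates already receives a realm configuration as its second parameter (the hunk header shows `LDAPRealmCo…`, cut off), yet the new call passes `m_realmconfig[m_defaultRealm]`, so the CA certificate would be generated for whatever the controller's current default realm is rather than the realm whose certificates are being created; when this is reached while setting up a realm that is not yet the default, the two can differ. If that parameter is indeed the realm config, the call should use it, `LDAPManager::generatePublicKerberosCACertificate(certinfo, <realm-config parameter>);`, consistent with `certinfo` on the same line already being taken from the argument rather than from `m_certconfig`. The function starts and ends outside the hunk.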
@@ -1807,7 +1807,7 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);
// OpenSSL
- replacePlaceholdersInFile(templateDir + "openssl/pki_extensions", OPENSSL_EXTENSIONS_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, standardUserGroupName, adminPassword, rootUserName, rootPassword);
+ LDAPManager::writeOpenSSLConfigurationFile(realmconfig);
// FIXME
// This assumes Debian!
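Review bot: The replaced call wrote the rendered extensions to the explicit `OPENSSL_EXTENSIONS_FILE` path, whereas `LDAPManager::writeOpenSSLConfigurationFile(realmconfig)` takes no destination, so the output path and the ownership/mode of the written file are now decided inside tdeldap; the certificate generation that consumes the extensions has to read the same file, and that coupling deserves a comment on the `+` line such as `// Extensions file path is owned by tdeldap; must match what generatePublicKerberosCACertificate reads`. The call's result is also discarded; if it reports a write failure, check it before continuing, since the PKINIT extensions the deleted confskel/openssl/pki_extensions carried (key usage, EKU, SAN principal names) could otherwise be absent from the certificates generated from this configuration. createNewLDAPRealm continues outside the hunk.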