summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/ldapcontroller.cpp101
1 files changed, 62 insertions, 39 deletions
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index 2aa3ee3..2ec4260 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -145,6 +145,18 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
LDAPController::~LDAPController() {
}
+void system_safe(const char * cmdstr) {
+ if (system(cmdstr) < 0) {
+ printf("[ERROR] System call to '%s' failed!\n\r", cmdstr);
+ }
+}
+
+void chown_safe(const char * file, uid_t user, gid_t group) {
+ if (chown(file, user, group) < 0) {
+ printf("[ERROR] Chown call to '%s' for %d:%d failed!\n\r", file, user, group);
+ }
+}
+
void LDAPController::systemRoleChanged() {
int previousRole = m_prevRole;
@@ -264,8 +276,8 @@ void LDAPController::systemRoleChanged() {
pdialog.setStatusMessage(i18n("Purging local configuration..."));
tqApp->processEvents();
- system(TQString("rm -f %1").arg(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_FILE));
- system(TQString("rm -rf %1").arg(TDE_CERTIFICATE_DIR));
+ system_safe(TQString("rm -f %1").arg(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_FILE));
+ system_safe(TQString("rm -rf %1").arg(TDE_CERTIFICATE_DIR));
// Write the TDE realm configuration file
LDAPRealmConfigList realms;
@@ -536,7 +548,6 @@ void LDAPController::btnkrbExportCert() {
}
void LDAPController::btnldapRegenerate() {
- struct stat sb;
uid_t slapd_uid = 0;
gid_t slapd_gid = 0;
@@ -769,7 +780,7 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
// Set permissions
if ((userid > 0) && (groupid > 0)) {
- chown(outfile.ascii(), userid, groupid);
+ chown_safe(outfile.ascii(), userid, groupid);
}
}
else {
@@ -833,17 +844,17 @@ int LDAPController::controlHeimdalServer(sc_command command, uid_t userid, gid_t
}
if (command == SC_PURGE) {
controlHeimdalServer(SC_STOP);
- system("rm -f " + TQString(LDAP_KEYTAB_FILE));
+ system_safe("rm -f " + TQString(LDAP_KEYTAB_FILE));
// FIXME
// This assumes Debian
- system("rm -f /etc/krb5.keytab");
- system("rm -rf /var/lib/heimdal-kdc/*");
+ system_safe("rm -f /etc/krb5.keytab");
+ system_safe("rm -rf /var/lib/heimdal-kdc/*");
}
if (command == SC_SETDBPERMS) {
if ((userid > 0) && (groupid > 0)) {
TQString command;
command = TQString("chgrp %1 " + TQString(LDAP_KEYTAB_FILE)).arg(groupid);
- system(command.ascii());
+ system_safe(command.ascii());
chmod(LDAP_KEYTAB_FILE, S_IRUSR|S_IWUSR|S_IRGRP);
}
}
@@ -870,8 +881,8 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
controlLDAPServer(SC_STOP);
// FIXME
// This assumes Debian!
- system("rm -rf /var/lib/ldap/*");
- system("rm -rf /etc/ldap/slapd.d/*");
+ system_safe("rm -rf /var/lib/ldap/*");
+ system_safe("rm -rf /etc/ldap/slapd.d/*");
}
if (command == SC_SETDBPERMS) {
if ((userid > 0) && (groupid > 0)) {
@@ -879,21 +890,30 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
// This assumes Debian!
TQString command;
command = TQString("chown -R %1 /var/lib/ldap/*").arg(userid);
- system(command.ascii());
+ system_safe(command.ascii());
command = TQString("chgrp -R %1 /var/lib/ldap/*").arg(groupid);
- system(command.ascii());
+ system_safe(command.ascii());
command = TQString("chown -R %1 /etc/ldap/slapd.d/*").arg(userid);
- system(command.ascii());
+ system_safe(command.ascii());
command = TQString("chgrp -R %1 /etc/ldap/slapd.d/*").arg(groupid);
- system(command.ascii());
+ system_safe(command.ascii());
}
}
return -2;
}
+// WARNING
+// kadmin does not have a standard "waiting for user input" character or sequence
+// To make matters worse, the colon does not uniquely designate the end of a line; for example the response "kadmin: ext openldap/foo.bar.baz: Principal does not exist"
+// One way around this would be to see if the first colon is part of a "kadmin:" string; if so, then the colon is not a reliable end of line indicator for the current line
+// (in fact only '\r' should be used as the end of line indicator in that case)
TQString readFullLineFromPtyProcess(PtyProcess* proc) {
TQString result = "";
- while ((!result.contains("\r")) && (!result.contains(":")) && (!result.contains(">"))) {
+ while ((!result.contains("\r")) &&
+ (!result.contains(">")) &&
+ (!((!result.contains("kadmin:")) && result.contains(":"))) &&
+ (!((result.contains("kadmin:")) && result.contains("\r")))
+ ) {
result = result + TQString(proc->readLine(false));
tqApp->processEvents();
}
@@ -1232,9 +1252,9 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
// Certificate authority certificate
TQString command;
command = TQString("openssl genrsa -out %1 %2").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KEY_STRENGTH);
- system(command);
+ system_safe(command);
chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
- chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
+ chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
LDAPManager::generatePublicKerberosCACertificate(certinfo);
@@ -1246,9 +1266,9 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
kdc_keyfile.replace("@@@KDCSERVER@@@", realmconfig.kdc);
kdc_reqfile.replace("@@@KDCSERVER@@@", realmconfig.kdc);
command = TQString("openssl genrsa -out %1 %2").arg(kdc_keyfile).arg(KEY_STRENGTH);
- system(command);
+ system_safe(command);
chmod(kdc_keyfile.ascii(), S_IRUSR|S_IWUSR);
- chown(kdc_keyfile.ascii(), 0, 0);
+ chown_safe(kdc_keyfile.ascii(), 0, 0);
LDAPManager::generatePublicKerberosCertificate(certinfo, realmconfig);
@@ -1260,9 +1280,9 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo
ldap_keyfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server);
ldap_reqfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server);
command = TQString("openssl genrsa -out %1 %2").arg(ldap_keyfile).arg(KEY_STRENGTH);
- system(command);
+ system_safe(command);
chmod(ldap_keyfile.ascii(), S_IRUSR|S_IWUSR);
- chown(ldap_keyfile.ascii(), ldap_uid, ldap_gid);
+ chown_safe(ldap_keyfile.ascii(), ldap_uid, ldap_gid);
LDAPManager::generatePublicLDAPCertificate(certinfo, realmconfig, ldap_uid, ldap_gid);
@@ -1356,9 +1376,13 @@ int LDAPController::createNewSecondaryController(TQWidget* dialogparent, LDAPRea
// 2.) Bond machine to Kerberos
// 3.) Set up LDAP replication
// 4.) Point local Kerberos and SASL instances to this LDAP server
+
+ return -1;
}
int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) {
+ Q_UNUSED(adminRealm)
+
int ldifSchemaNumber;
ProcessingDialog pdialog(dialogparent);
@@ -1453,15 +1477,14 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
// FIXME
// This assumes Debian!
// Grant LDAP access to SASL mux pipe
- system("dpkg-statoverride --remove --quiet /var/run/saslauthd");
- system(TQString("dpkg-statoverride --add root %1 710 /var/run/saslauthd").arg(m_ldapGroupName).ascii());
+ system_safe("dpkg-statoverride --remove --quiet /var/run/saslauthd");
+ system_safe(TQString("dpkg-statoverride --add root %1 710 /var/run/saslauthd").arg(m_ldapGroupName).ascii());
// FIXME
// This assumes Debian!
- system("ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl");
- system("ln -s /etc/heimdal-kdc/kdc.conf /var/lib/heimdal-kdc/kdc.conf");
+ system_safe("ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl");
+ system_safe("ln -s /etc/heimdal-kdc/kdc.conf /var/lib/heimdal-kdc/kdc.conf");
- struct stat sb;
uid_t slapd_uid = 0;
gid_t slapd_gid = 0;
@@ -1511,7 +1534,7 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
// Set permissions
chmod(TQString(HEIMDAL_DEFAULT_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
chmod(TQString(HEIMDAL_ACL_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
- chown(TQString(HEIMDAL_ACL_FILE).ascii(), slapd_uid, 0);
+ chown_safe(TQString(HEIMDAL_ACL_FILE).ascii(), slapd_uid, 0);
chmod(TQString(destDir + "heimdal-kdc/kdc.conf").ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
chmod(TQString(destDir + "krb5.conf").ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
@@ -1552,31 +1575,31 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
// There has GOT to be a better way to do this than system()!!!
TQString command;
command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_pem).arg(KERBEROS_PKI_PEMKEY_FILE);
- system(command);
+ system_safe(command);
command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_pemkey).arg(KERBEROS_PKI_PEM_FILE);
- system(command);
+ system_safe(command);
command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_crt).arg(kdc_certfile);
- system(command);
+ system_safe(command);
command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_key).arg(kdc_keyfile);
- system(command);
+ system_safe(command);
command = TQString("cp %1 %2").arg(certinfo.provided_ldap_crt).arg(ldap_certfile);
- system(command);
+ system_safe(command);
command = TQString("cp %1 %2").arg(certinfo.provided_ldap_key).arg(ldap_keyfile);
- system(command);
+ system_safe(command);
// Set permissions
chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
- chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
+ chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- chown(KERBEROS_PKI_PEM_FILE, 0, 0);
+ chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
chmod(kdc_keyfile.ascii(), S_IRUSR|S_IWUSR);
- chown(kdc_keyfile.ascii(), 0, 0);
+ chown_safe(kdc_keyfile.ascii(), 0, 0);
chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- chown(kdc_certfile.ascii(), 0, 0);
+ chown_safe(kdc_certfile.ascii(), 0, 0);
chmod(ldap_keyfile.ascii(), S_IRUSR|S_IWUSR);
- chown(ldap_keyfile.ascii(), slapd_uid, slapd_gid);
+ chown_safe(ldap_keyfile.ascii(), slapd_uid, slapd_gid);
chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- chown(ldap_certfile.ascii(), slapd_uid, slapd_gid);
+ chown_safe(ldap_certfile.ascii(), slapd_uid, slapd_gid);
}
pdialog.setStatusMessage(i18n("Loading initial database into LDAP..."));