From 7b7565e7f5806cd66751049fafd7ad7af9d60c12 Mon Sep 17 00:00:00 2001 From: Timothy Pearson Date: Tue, 11 Dec 2012 13:51:19 -0600 Subject: Fix LDAP primary realm creation failure Clean up build warnings --- src/ldapcontroller.cpp | 101 ++++++++++++++++++++++++++++++------------------- 1 file changed, 62 insertions(+), 39 deletions(-) (limited to 'src') diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp index 2aa3ee3..2ec4260 100644 --- a/src/ldapcontroller.cpp +++ b/src/ldapcontroller.cpp @@ -145,6 +145,18 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin LDAPController::~LDAPController() { } +void system_safe(const char * cmdstr) { + if (system(cmdstr) < 0) { + printf("[ERROR] System call to '%s' failed!\n\r", cmdstr); + } +} + +void chown_safe(const char * file, uid_t user, gid_t group) { + if (chown(file, user, group) < 0) { + printf("[ERROR] Chown call to '%s' for %d:%d failed!\n\r", file, user, group); + } +} + void LDAPController::systemRoleChanged() { int previousRole = m_prevRole; @@ -264,8 +276,8 @@ void LDAPController::systemRoleChanged() { pdialog.setStatusMessage(i18n("Purging local configuration...")); tqApp->processEvents(); - system(TQString("rm -f %1").arg(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_FILE)); - system(TQString("rm -rf %1").arg(TDE_CERTIFICATE_DIR)); + system_safe(TQString("rm -f %1").arg(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_FILE)); + system_safe(TQString("rm -rf %1").arg(TDE_CERTIFICATE_DIR)); // Write the TDE realm configuration file LDAPRealmConfigList realms; @@ -536,7 +548,6 @@ void LDAPController::btnkrbExportCert() { } void LDAPController::btnldapRegenerate() { - struct stat sb; uid_t slapd_uid = 0; gid_t slapd_gid = 0; @@ -769,7 +780,7 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi // Set permissions if ((userid > 0) && (groupid > 0)) { - chown(outfile.ascii(), userid, groupid); + chown_safe(outfile.ascii(), userid, groupid); } } else { @@ -833,17 +844,17 @@ int LDAPController::controlHeimdalServer(sc_command command, uid_t userid, gid_t } if (command == SC_PURGE) { controlHeimdalServer(SC_STOP); - system("rm -f " + TQString(LDAP_KEYTAB_FILE)); + system_safe("rm -f " + TQString(LDAP_KEYTAB_FILE)); // FIXME // This assumes Debian - system("rm -f /etc/krb5.keytab"); - system("rm -rf /var/lib/heimdal-kdc/*"); + system_safe("rm -f /etc/krb5.keytab"); + system_safe("rm -rf /var/lib/heimdal-kdc/*"); } if (command == SC_SETDBPERMS) { if ((userid > 0) && (groupid > 0)) { TQString command; command = TQString("chgrp %1 " + TQString(LDAP_KEYTAB_FILE)).arg(groupid); - system(command.ascii()); + system_safe(command.ascii()); chmod(LDAP_KEYTAB_FILE, S_IRUSR|S_IWUSR|S_IRGRP); } } @@ -870,8 +881,8 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr controlLDAPServer(SC_STOP); // FIXME // This assumes Debian! - system("rm -rf /var/lib/ldap/*"); - system("rm -rf /etc/ldap/slapd.d/*"); + system_safe("rm -rf /var/lib/ldap/*"); + system_safe("rm -rf /etc/ldap/slapd.d/*"); } if (command == SC_SETDBPERMS) { if ((userid > 0) && (groupid > 0)) { @@ -879,21 +890,30 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr // This assumes Debian! TQString command; command = TQString("chown -R %1 /var/lib/ldap/*").arg(userid); - system(command.ascii()); + system_safe(command.ascii()); command = TQString("chgrp -R %1 /var/lib/ldap/*").arg(groupid); - system(command.ascii()); + system_safe(command.ascii()); command = TQString("chown -R %1 /etc/ldap/slapd.d/*").arg(userid); - system(command.ascii()); + system_safe(command.ascii()); command = TQString("chgrp -R %1 /etc/ldap/slapd.d/*").arg(groupid); - system(command.ascii()); + system_safe(command.ascii()); } } return -2; } +// WARNING +// kadmin does not have a standard "waiting for user input" character or sequence +// To make matters worse, the colon does not uniquely designate the end of a line; for example the response "kadmin: ext openldap/foo.bar.baz: Principal does not exist" +// One way around this would be to see if the first colon is part of a "kadmin:" string; if so, then the colon is not a reliable end of line indicator for the current line +// (in fact only '\r' should be used as the end of line indicator in that case) TQString readFullLineFromPtyProcess(PtyProcess* proc) { TQString result = ""; - while ((!result.contains("\r")) && (!result.contains(":")) && (!result.contains(">"))) { + while ((!result.contains("\r")) && + (!result.contains(">")) && + (!((!result.contains("kadmin:")) && result.contains(":"))) && + (!((result.contains("kadmin:")) && result.contains("\r"))) + ) { result = result + TQString(proc->readLine(false)); tqApp->processEvents(); } @@ -1232,9 +1252,9 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo // Certificate authority certificate TQString command; command = TQString("openssl genrsa -out %1 %2").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KEY_STRENGTH); - system(command); + system_safe(command); chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR); - chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0); + chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0); LDAPManager::generatePublicKerberosCACertificate(certinfo); @@ -1246,9 +1266,9 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo kdc_keyfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); kdc_reqfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); command = TQString("openssl genrsa -out %1 %2").arg(kdc_keyfile).arg(KEY_STRENGTH); - system(command); + system_safe(command); chmod(kdc_keyfile.ascii(), S_IRUSR|S_IWUSR); - chown(kdc_keyfile.ascii(), 0, 0); + chown_safe(kdc_keyfile.ascii(), 0, 0); LDAPManager::generatePublicKerberosCertificate(certinfo, realmconfig); @@ -1260,9 +1280,9 @@ int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmCo ldap_keyfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); ldap_reqfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); command = TQString("openssl genrsa -out %1 %2").arg(ldap_keyfile).arg(KEY_STRENGTH); - system(command); + system_safe(command); chmod(ldap_keyfile.ascii(), S_IRUSR|S_IWUSR); - chown(ldap_keyfile.ascii(), ldap_uid, ldap_gid); + chown_safe(ldap_keyfile.ascii(), ldap_uid, ldap_gid); LDAPManager::generatePublicLDAPCertificate(certinfo, realmconfig, ldap_uid, ldap_gid); @@ -1356,9 +1376,13 @@ int LDAPController::createNewSecondaryController(TQWidget* dialogparent, LDAPRea // 2.) Bond machine to Kerberos // 3.) Set up LDAP replication // 4.) Point local Kerberos and SASL instances to this LDAP server + + return -1; } int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, TQString standardUserGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) { + Q_UNUSED(adminRealm) + int ldifSchemaNumber; ProcessingDialog pdialog(dialogparent); @@ -1453,15 +1477,14 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r // FIXME // This assumes Debian! // Grant LDAP access to SASL mux pipe - system("dpkg-statoverride --remove --quiet /var/run/saslauthd"); - system(TQString("dpkg-statoverride --add root %1 710 /var/run/saslauthd").arg(m_ldapGroupName).ascii()); + system_safe("dpkg-statoverride --remove --quiet /var/run/saslauthd"); + system_safe(TQString("dpkg-statoverride --add root %1 710 /var/run/saslauthd").arg(m_ldapGroupName).ascii()); // FIXME // This assumes Debian! - system("ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl"); - system("ln -s /etc/heimdal-kdc/kdc.conf /var/lib/heimdal-kdc/kdc.conf"); + system_safe("ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl"); + system_safe("ln -s /etc/heimdal-kdc/kdc.conf /var/lib/heimdal-kdc/kdc.conf"); - struct stat sb; uid_t slapd_uid = 0; gid_t slapd_gid = 0; @@ -1511,7 +1534,7 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r // Set permissions chmod(TQString(HEIMDAL_DEFAULT_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP); chmod(TQString(HEIMDAL_ACL_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP); - chown(TQString(HEIMDAL_ACL_FILE).ascii(), slapd_uid, 0); + chown_safe(TQString(HEIMDAL_ACL_FILE).ascii(), slapd_uid, 0); chmod(TQString(destDir + "heimdal-kdc/kdc.conf").ascii(), S_IRUSR|S_IWUSR|S_IRGRP); chmod(TQString(destDir + "krb5.conf").ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); @@ -1552,31 +1575,31 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r // There has GOT to be a better way to do this than system()!!! TQString command; command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_pem).arg(KERBEROS_PKI_PEMKEY_FILE); - system(command); + system_safe(command); command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_pemkey).arg(KERBEROS_PKI_PEM_FILE); - system(command); + system_safe(command); command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_crt).arg(kdc_certfile); - system(command); + system_safe(command); command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_key).arg(kdc_keyfile); - system(command); + system_safe(command); command = TQString("cp %1 %2").arg(certinfo.provided_ldap_crt).arg(ldap_certfile); - system(command); + system_safe(command); command = TQString("cp %1 %2").arg(certinfo.provided_ldap_key).arg(ldap_keyfile); - system(command); + system_safe(command); // Set permissions chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR); - chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0); + chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0); chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - chown(KERBEROS_PKI_PEM_FILE, 0, 0); + chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0); chmod(kdc_keyfile.ascii(), S_IRUSR|S_IWUSR); - chown(kdc_keyfile.ascii(), 0, 0); + chown_safe(kdc_keyfile.ascii(), 0, 0); chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - chown(kdc_certfile.ascii(), 0, 0); + chown_safe(kdc_certfile.ascii(), 0, 0); chmod(ldap_keyfile.ascii(), S_IRUSR|S_IWUSR); - chown(ldap_keyfile.ascii(), slapd_uid, slapd_gid); + chown_safe(ldap_keyfile.ascii(), slapd_uid, slapd_gid); chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - chown(ldap_certfile.ascii(), slapd_uid, slapd_gid); + chown_safe(ldap_certfile.ascii(), slapd_uid, slapd_gid); } pdialog.setStatusMessage(i18n("Loading initial database into LDAP...")); -- cgit v1.2.3