summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-09-01 19:24:59 -0500
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-09-01 19:24:59 -0500
commit54d8d2580c72d1313182665d49d00b6fcadbe5a7 (patch)
treea0164673fd9416e1aed461612ed29ec2975fbb2b
parent0a81ad9d6e6de1748d6fcfa531c060a3a731c230 (diff)
downloadlibtdeldap-54d8d258.tar.gz
libtdeldap-54d8d258.zip
Extend user key and certificate generation methods
-rw-r--r--src/libtdeldap.cpp245
-rw-r--r--src/libtdeldap.h14
2 files changed, 219 insertions, 40 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index d0022f9..dbb4b3f 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -1,5 +1,5 @@
/***************************************************************************
- * Copyright (C) 2012-2013 by Timothy Pearson *
+ * Copyright (C) 2012-2015 by Timothy Pearson *
* kb9vqf@pearsoncomputing.net *
* *
* This program is free software; you can redistribute it and/or modify *
@@ -1385,16 +1385,26 @@ KerberosTicketInfoList LDAPManager::getKerberosTicketList(TQString cache, TQStri
return list;
}
-int LDAPManager::getKerberosPassword(LDAPCredentials &creds, TQString prompt, bool requestServicePrincipal, TQWidget* parent)
+LDAPRealmConfigList LDAPManager::fetchAndReadTDERealmList(TQString *defaultRealm)
{
- int i;
-
KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
systemconfig->setGroup(NULL);
- TQString defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null);
+ if (defaultRealm != NULL) {
+ *defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null);
+ }
LDAPRealmConfigList realms = LDAPManager::readTDERealmList(systemconfig, false);
delete systemconfig;
+ return realms;
+}
+
+int LDAPManager::getKerberosPassword(LDAPCredentials &creds, TQString prompt, bool requestServicePrincipal, TQWidget* parent)
+{
+ int i;
+
+ TQString defaultRealm;
+ LDAPRealmConfigList realms = fetchAndReadTDERealmList(&defaultRealm);
+
if (creds.realm != "") {
defaultRealm = creds.realm;
}
@@ -3540,13 +3550,18 @@ int LDAPManager::setLDAPMasterReplicationSettings(LDAPMasterReplicationInfo repl
return -1;
}
-int LDAPManager::getTDECertificate(TQString certificateName, TQString fileName, TQString *errstr) {
+int LDAPManager::getTDECertificate(TQString certificateName, TQFile *fileHandle, TQString *errstr) {
int retcode;
int returncode;
LDAPTDEBuiltinsInfo builtininfo;
TQString dn = TQString("cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1").arg(m_basedc);
+ if (!fileHandle) {
+ if (errstr) *errstr = i18n("Invalid file handle passed by host application");
+ return -1;
+ }
+
if (bind(errstr) < 0) {
return -1;
}
@@ -3577,25 +3592,19 @@ int LDAPManager::getTDECertificate(TQString certificateName, TQString fileName,
TQString ldap_field = attr;
i=0;
if (ldap_field == certificateName) {
- TQFile file(fileName);
- if (file.open(IO_WriteOnly)) {
- TQByteArray ba;
- ba.duplicate(vals[i]->bv_val, vals[i]->bv_len);
- file.writeBlock(ba);
- file.close();
- if (chmod(fileName.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
- if (errstr) *errstr = i18n("Unable to change permissions of \"%1\"").arg(fileName.ascii());
- returncode = -1;
- }
- else {
- returncode = 0;
- }
- }
+ TQByteArray ba;
+ ba.duplicate(vals[i]->bv_val, vals[i]->bv_len);
+ fileHandle->writeBlock(ba);
+ returncode = 0;
}
ldap_value_free_len(vals);
}
ldap_memfree(attr);
}
+ if (returncode != 0) {
+ // Resource not found
+ if (errstr) *errstr = i18n("Resource \"%s\" not found in LDAP database").arg(certificateName);
+ }
if (ber != NULL) {
ber_free(ber, 0);
@@ -3611,6 +3620,25 @@ int LDAPManager::getTDECertificate(TQString certificateName, TQString fileName,
return -1;
}
+int LDAPManager::getTDECertificate(TQString certificateName, TQString fileName, TQString *errstr) {
+ TQFile file(fileName);
+ if (file.open(IO_WriteOnly)) {
+ getTDECertificate(certificateName, &file, errstr);
+ file.close();
+ if (chmod(fileName.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+ if (errstr) *errstr = i18n("Unable to change permissions of \"%1\"").arg(fileName.ascii());
+ return -1;
+ }
+ else {
+ return 0;
+ }
+ }
+ else {
+ if (errstr) *errstr = i18n("Unable to open file \"%1\" for writing").arg(fileName.ascii());
+ return -1;
+ }
+}
+
int LDAPManager::writeSudoersConfFile(TQString *errstr) {
LDAPTDEBuiltinsInfo tdebuiltins = getTDEBuiltinMappings(errstr);
if (!tdebuiltins.informationValid) {
@@ -3946,6 +3974,122 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal
return 0;
}
+int LDAPManager::generateClientCertificatePair(LDAPCertConfig certinfo, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr) {
+ int ret;
+
+ ret = generateClientCertificatePrivateKey(user, realmcfg, privateKeyFile, errstr);
+ if (ret == 0) {
+ ret = generateClientCertificatePublicCertificate(certinfo, user, realmcfg, signingPrivateKeyFile, privateKeyFile, publicCertFile, errstr);
+ }
+
+ return ret;
+}
+
+int LDAPManager::generateClientCertificatePrivateKey(LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString privateKeyFile, TQString *errstr) {
+ TQString command;
+ TQString subject;
+
+ TQString client_keyfile = privateKeyFile;
+ TQString client_reqfile = privateKeyFile + ".req";
+ TQString client_cfgfile = privateKeyFile + ".cfg";
+ unsigned int client_key_bit_length = 2048;
+
+ if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, errstr) != 0) {
+ return -1;
+ }
+
+ // Create private key
+ command = TQString("openssl genrsa -out %1 %2").arg(client_keyfile).arg(client_key_bit_length);
+ if (system(command) < 0) {
+ if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command);
+ return -1;
+ }
+
+ // Secure keyfile
+ if (chmod(client_keyfile.ascii(), S_IRUSR|S_IWUSR) < 0) {
+ if (errstr) *errstr = TQString("Unable to change permissions of \"%s\"").arg(client_keyfile);
+ return -1;
+ }
+ if (chown(client_keyfile.ascii(), 0, 0) < 0) {
+ if (errstr) *errstr = TQString("Unable to change owner of \"%s\"").arg(client_keyfile);
+ return -1;
+ }
+
+ // Clean up
+ if (fileExists(client_cfgfile.ascii())) {
+ if (unlink(client_cfgfile.ascii()) < 0) {
+ if (errstr) *errstr = TQString("Unable to unlink \"%s\"").arg(client_keyfile);
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+int LDAPManager::generateClientCertificatePublicCertificate(LDAPCertConfig certinfo, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr) {
+ TQString command;
+ TQString subject;
+
+ TQString client_certfile = publicCertFile;
+ TQString client_keyfile = privateKeyFile;
+ TQString client_reqfile = privateKeyFile + ".req";
+ TQString client_cfgfile = privateKeyFile + ".cfg";
+
+ // The public certificate location varies based on the machine role
+ // Prefer the bonded realm's certificate if available
+ TQString signing_public_certfile = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crt";
+ if (!TQFile(signing_public_certfile).exists()) {
+ signing_public_certfile = KERBEROS_PKI_PEM_FILE;
+ }
+
+ if (writeOpenSSLConfigurationFile(realmcfg, user, client_cfgfile, errstr) != 0) {
+ return -1;
+ }
+
+ TQString common_name = TQString::null;
+ if (user.name != "") {
+ common_name = TQString("/uid=%1").arg(user.name);
+ }
+
+ subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(openssldcForRealm(realmcfg.name)).arg(common_name);
+ command = TQString("openssl req -days %1 -new -out %2 -key %3 -config %4 -subj %5").arg(certinfo.kerberosExpiryDays).arg(client_reqfile).arg(client_keyfile).arg(OPENSSL_EXTENSIONS_FILE).arg(subject);
+ if (system(command) < 0) {
+ if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command);
+ return -1;
+ }
+ command = TQString("openssl x509 -req -days %1 -in %2 -CAkey %3 -CA %4 -out %5 -extfile %6 -extensions pkinit_client_cert -CAcreateserial").arg(certinfo.kerberosExpiryDays).arg(client_reqfile).arg(signingPrivateKeyFile).arg(signing_public_certfile).arg(client_certfile).arg(OPENSSL_EXTENSIONS_FILE);
+ if (system(command) < 0) {
+ if (errstr) *errstr = TQString("Execution of \"%s\" failed").arg(command);
+ return -1;
+ }
+
+ // Secure certificate
+ if (chmod(client_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+ if (errstr) *errstr = TQString("Unable to change permissions of \"%s\"").arg(client_certfile);
+ return -1;
+ }
+ if (chown(client_certfile.ascii(), 0, 0) < 0) {
+ if (errstr) *errstr = TQString("Unable to change owner of \"%s\"").arg(client_certfile);
+ return -1;
+ }
+
+ // Clean up
+ if (fileExists(client_cfgfile.ascii())) {
+ if (unlink(client_cfgfile.ascii()) < 0) {
+ if (errstr) *errstr = TQString("Unable to unlink \"%s\"").arg(client_certfile);
+ return -1;
+ }
+ }
+ if (fileExists(client_reqfile.ascii())) {
+ if (unlink(client_reqfile.ascii()) < 0) {
+ if (errstr) *errstr = TQString("Unable to unlink \"%s\"").arg(client_reqfile);
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
TQString LDAPManager::getMachineFQDN() {
struct addrinfo hints, *info, *p;
int gai_result;
@@ -4205,25 +4349,36 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
}
int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr) {
+ return writeOpenSSLConfigurationFile(realmcfg, LDAPUserInfo(), TQString::fromLatin1(OPENSSL_EXTENSIONS_FILE), errstr);
+}
+
+int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString *errstr) {
TQString crl_url = realmcfg.certificate_revocation_list_url;
if (crl_url == "") {
// Use a default to preserve certificate validity
// crl_url = TQString("http://%1/%2.crl").arg(realmcfg.name).arg(realmcfg.kdc);
}
- TQDir tde_cert_dir(TDE_CERTIFICATE_DIR);
+ TQString krb_principal = TQString::null;
+ if (user.informationValid) {
+ krb_principal = user.name + "@" + realmcfg.name.upper();
+ }
+
+ TQFileInfo tde_cert_file_info(opensslConfigFile);
+ TQString tde_cert_dir_path = tde_cert_file_info.dirPath(true);
+ TQDir tde_cert_dir(tde_cert_dir_path);
if (!tde_cert_dir.exists()) {
- TQString command = TQString("mkdir -p %1").arg(TDE_CERTIFICATE_DIR);
+ TQString command = TQString("mkdir -p %1").arg(tde_cert_dir_path);
if (system(command) < 0) {
if (errstr) {
- *errstr = i18n("Could not create directory '%1'").arg(TDE_CERTIFICATE_DIR);
+ *errstr = i18n("Could not create directory '%1'").arg(tde_cert_dir_path);
}
return 1;
}
}
- TQFile file(TQString::fromLatin1(OPENSSL_EXTENSIONS_FILE));
+ TQFile file(opensslConfigFile);
if (file.open(IO_WriteOnly)) {
- TQTextStream stream( &file );
+ TQTextStream stream(&file);
stream << "# This file was automatically generated by TDE\n";
stream << "# All changes will be lost!\n";
@@ -4310,31 +4465,33 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
stream << "\n";
stream << "[v3_ca]" << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
- stream << "authorityKeyIdentifier=keyid:always,issuer:always" << "\n";
+ stream << "authorityKeyIdentifier = keyid:always,issuer:always" << "\n";
stream << "basicConstraints = CA:true" << "\n";
stream << "keyUsage = critical, cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature" << "\n";
stream << "\n";
stream << "[usr_cert]" << "\n";
- stream << "basicConstraints=CA:FALSE" << "\n";
+ stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "\n";
stream << "[usr_cert_ke]" << "\n";
- stream << "basicConstraints=CA:FALSE" << "\n";
+ stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "\n";
stream << "[proxy_cert]" << "\n";
- stream << "basicConstraints=CA:FALSE" << "\n";
+ stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
// stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo" << "\n";
stream << "\n";
- stream << "[pkinitc_principals]" << "\n";
- // stream << "princ1 = GeneralString:bar" << "\n";
+ stream << "[pkinitc_principals]" << "\n";
+ if (krb_principal != "") {
+ stream << TQString("princ1 = GeneralString:%1").arg(krb_principal) << "\n";
+ }
stream << "\n";
stream << "[pkinitc_principal_seq]" << "\n";
stream << "name_type = EXP:0,INTEGER:1" << "\n";
@@ -4345,28 +4502,28 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
stream << "principal_name = EXP:1,SEQUENCE:pkinitc_principal_seq" << "\n";
stream << "\n";
stream << "[pkinit_client_cert]" << "\n";
- stream << "basicConstraints=CA:FALSE" << "\n";
+ stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
- stream << "authorityKeyIdentifier=keyid,issuer" << "\n";
+ stream << "authorityKeyIdentifier = keyid,issuer" << "\n";
stream << "issuerAltName=issuer:copy" << "\n";
stream << "subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name" << "\n";
stream << "\n";
stream << "[https_cert]" << "\n";
- stream << "basicConstraints=CA:FALSE" << "\n";
+ stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
// stream << "extendedKeyUsage = https-server XXX" << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "\n";
stream << "[pkinit_kdc_cert]" << "\n";
- stream << "basicConstraints=CA:FALSE" << "\n";
+ stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << "extendedKeyUsage = 1.3.6.1.5.2.3.5" << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
- stream << "authorityKeyIdentifier=keyid,issuer" << "\n";
+ stream << "authorityKeyIdentifier = keyid,issuer" << "\n";
stream << "issuerAltName=issuer:copy" << "\n";
stream << "subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name" << "\n";
stream << "\n";
@@ -4383,20 +4540,20 @@ int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQStrin
stream << TQString("princ2 = GeneralString:%1").arg(realmcfg.name.upper()) << "\n";
stream << "\n";
stream << "[proxy10_cert]" << "\n";
- stream << "basicConstraints=CA:FALSE" << "\n";
+ stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
// stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo" << "\n";
stream << "\n";
stream << "[usr_cert_ds]" << "\n";
- stream << "basicConstraints=CA:FALSE" << "\n";
+ stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
stream << "subjectKeyIdentifier = hash" << "\n";
stream << "\n";
stream << "[ocsp_cert]" << "\n";
- stream << "basicConstraints=CA:FALSE" << "\n";
+ stream << "basicConstraints = CA:FALSE" << "\n";
stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
// stream << "ocsp-nocheck and kp-OCSPSigning" << "\n";
@@ -4764,6 +4921,16 @@ KerberosTicketInfo::~KerberosTicketInfo() {
//
}
+LDAPCertConfig::LDAPCertConfig() {
+ caExpiryDays = KERBEROS_PKI_PEMKEY_EXPIRY_DAYS;
+ kerberosExpiryDays = KERBEROS_PKI_KRB_EXPIRY_DAYS;
+ ldapExpiryDays = KERBEROS_PKI_LDAP_EXPIRY_DAYS;
+}
+
+LDAPCertConfig::~LDAPCertConfig() {
+ //
+}
+
LDAPPamConfig::LDAPPamConfig() {
enable_cached_credentials = true;
autocreate_user_directories_enable = true;
diff --git a/src/libtdeldap.h b/src/libtdeldap.h
index 9c356a5..f472c6c 100644
--- a/src/libtdeldap.h
+++ b/src/libtdeldap.h
@@ -1,5 +1,5 @@
/***************************************************************************
- * Copyright (C) 2012-2013 by Timothy Pearson *
+ * Copyright (C) 2012-2015 by Timothy Pearson *
* kb9vqf@pearsoncomputing.net *
* *
* This program is free software; you can redistribute it and/or modify *
@@ -29,6 +29,7 @@
#include <tqstring.h>
#include <tqdatetime.h>
#include <tqvaluelist.h>
+#include <tqfile.h>
#include <ksimpleconfig.h>
@@ -187,6 +188,10 @@ class LDAPRealmConfig
class LDAPCertConfig
{
public:
+ LDAPCertConfig();
+ ~LDAPCertConfig();
+
+ public:
bool generate_certs;
TQString provided_kerberos_pem;
TQString provided_kerberos_pemkey;
@@ -504,12 +509,14 @@ class LDAPManager : public TQObject {
LDAPMasterReplicationInfo getLDAPMasterReplicationSettings(TQString *errstr=0);
int setLDAPMasterReplicationSettings(LDAPMasterReplicationInfo replicationinfo, TQString *errstr=0);
int writeSudoersConfFile(TQString *errstr=0);
+ int getTDECertificate(TQString certificateName, TQFile *fileHandle, TQString *errstr=0);
int getTDECertificate(TQString certificateName, TQString fileName, TQString *errstr=0);
int setPasswordForUser(LDAPUserInfo user, TQString *errstr);
static int writePrimaryRealmCertificateUpdateCronFile(TQString *errstr=0);
static TQString getMachineFQDN();
static int writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config, TQString *errstr=0);
+ static LDAPRealmConfigList fetchAndReadTDERealmList(TQString *defaultRealm=0);
static LDAPRealmConfigList readTDERealmList(KSimpleConfig* config, bool disableAllBonds=false);
static TQDateTime getCertificateExpiration(TQString certfile);
@@ -517,6 +524,10 @@ class LDAPManager : public TQObject {
static int generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg);
static int generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid);
+ static int generateClientCertificatePair(LDAPCertConfig certinfo, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr=0);
+ static int generateClientCertificatePrivateKey(LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString privateKeyFile, TQString *errstr=0);
+ static int generateClientCertificatePublicCertificate(LDAPCertConfig certinfo, LDAPUserInfo user, LDAPRealmConfig realmcfg, TQString signingPrivateKeyFile, TQString privateKeyFile, TQString publicCertFile, TQString *errstr=0);
+
static TQString ldapdnForRealm(TQString realm);
static TQString openssldcForRealm(TQString realm);
static TQString cnFromDn(TQString dn);
@@ -536,6 +547,7 @@ class LDAPManager : public TQObject {
static int writeLDAPConfFile(LDAPRealmConfig realmcfg, LDAPMachineRole machineRole, TQString *errstr=0);
static int writeNSSwitchFile(TQString *errstr=0);
static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr=0);
+ static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString *errstr=0);
static int writeClientCronFiles(TQString *errstr=0);
static int writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr=0);