authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-09-29 21:14:19 (GMT)
committer Timothy Pearson <kb9vqf@pearsoncomputing.net>2015-09-29 21:14:19 (GMT)
commit56c2b5fc9b206903e60f90a84edfd7130d5b0473 (patch)
tree0a35482c115a3d2ea9216b1b97dce2fa2590703d
parent7ebf958b1051f6a4034b68f25c20226b6d6e22fa (diff)
downloadlibtdeldap-56c2b5fc.zip
libtdeldap-56c2b5fc.tar.gz
Add deactivated krb5 PKCS login line
-rw-r--r--src/libtdeldap.cpp21
1 files changed, 18 insertions, 3 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index e9961ed..bc6890b 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -4895,6 +4895,18 @@ int LDAPManager::writeClientKrb5ConfFile(LDAPClientRealmConfig clientRealmConfig
stream << "# All changes will be lost!\n";
stream << "\n";
+ // Get PKCS#11 slot number from the LDAP configuration file
+ KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
+ systemconfig->setGroup(NULL);
+ int pkcs11_login_card_slot = systemconfig->readNumEntry("PKCS11LoginCardSlot", 0);
+ delete systemconfig;
+
+ // Generate PKCS#11 provider string
+ TQString pkcsProviderString = TDECryptographicCardDevice::pkcsProviderLibrary();
+ if (pkcs11_login_card_slot != 0) {
+ pkcsProviderString.append(TQString(",slot=%1").arg(pkcs11_login_card_slot));
+ }
+
// Appdefaults
stream << "[appdefaults]\n";
if (realmList.begin() != realmList.end()) {
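Review bot: The `,slot=N` suffix on line 32 is appended even when `pkcsProviderLibrary()` returned an empty string, which leaves `pkcsProviderString` as just `,slot=N`; the non-empty test added in the second hunk (line 45) then passes and krb5.conf receives a `pkinit_user = PKCS11:,slot=N` line with no module path, which is exactly the case that test was meant to skip. Guard the append on the library being present: `if (!pkcsProviderString.isEmpty() && pkcs11_login_card_slot != 0) {`. The `new KSimpleConfig(...)` / `delete` pair on lines 24–27 can be a plain stack object, `KSimpleConfig systemconfig(TQString::fromLatin1(KDE_CONFDIR "/ldap/ldapconfigrc"));`, so the value is released on any exit path without a manual delete. Note also that reading `PKCS11LoginCardSlot` with a default of 0 conflates "unset" with slot 0; if slot 0 must be selectable, read with a negative default and test `>= 0` instead. writeClientKrb5ConfFile begins and ends outside this hunk.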
@@ -4908,9 +4920,11 @@ int LDAPManager::writeClientKrb5ConfFile(LDAPClientRealmConfig clientRealmConfig
stream << " pkinit_revoke = FILE:" << ldap_crlfile << "\n";
}
stream << " pkinit_require_crl_checking = true\n";
- stream << " pam = {\n";
- stream << " pkinit_user = PKCS11:" << TDECryptographicCardDevice::pkcsProviderLibrary() << "\n";
- stream << " }\n";
+ if (pkcsProviderString != "") {
+ stream << " pam = {\n";
+ stream << " pkinit_user = PKCS11:" << pkcsProviderString << "\n";
+ stream << " }\n";
+ }
stream << "\n";
// Defaults
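Review bot: The guard on line 45 compares against a string literal, `pkcsProviderString != ""`, which constructs a temporary TQString for the comparison; the idiomatic form is `if (!pkcsProviderString.isEmpty()) {` and reads as the intent ("a provider is configured"). Whether that intent holds also depends on how the string is built in the preceding hunk, since a slot suffix alone would make it non-empty. writeClientKrb5ConfFile begins and ends outside this hunk.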
@@ -5062,6 +5076,7 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
}
if (pamConfig.enable_pkcs11_login) {
stream << "auth [default=ignore success=done new_authtok_reqd=done] pam_pkcs11.so" << "\n";
+ // stream << "auth [default=ignore success=done new_authtok_reqd=done] pam_krb5.so force_first_pass no_prompt try_pkinit" << "\n";
}
stream << "auth required pam_deny.so" << "\n";