| author | Timothy Pearson <kb9vqf@pearsoncomputing.net> | 2025-10-04 14:30:54 -0500 |
|---|---|---|
| committer | Timothy Pearson <kb9vqf@pearsoncomputing.net> | 2025-10-22 19:18:20 -0500 |
| commit | 01f0efc9b043ed5f528cf659002c6325b6d114e4 (patch) | |
| tree | df05b561bdb84f138c7a2f40a899daf039b33fd2 /src/libtdeldap.cpp | |
| parent | ad930c33b27d9c669c9ecb7172beb3e50e24e2e9 (diff) | |
| download | libtdeldap-01f0efc9.tar.gz libtdeldap-01f0efc9.zip | |
Add initial Kerberos password change support
Diffstat (limited to 'src/libtdeldap.cpp')
| -rw-r--r-- | src/libtdeldap.cpp | 174 |
1 files changed, 174 insertions, 0 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 5a7424c..0d8784e 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -84,6 +84,8 @@ extern "C" {
 #include "libtdeldap.h"
 #include "ldaplogindlg.h"
 #include "ldappasswddlg.h"
+#include "ldapchgpassdlg.h"
+#include "ldapchgpasswddlg.h"
 #define LDAP_INSECURE_PORT 389
 #define LDAP_SECURE_PORT 636
@@ -1738,6 +1740,53 @@ int LDAPManager::getKerberosPassword(LDAPCredentials &creds, TQString prompt, bo
 return ret;
 }
+int LDAPManager::getNewKerberosPassword(LDAPCredentials &oldCreds, LDAPCredentials &newCreds, TQString prompt, bool allowSmartCard, TQWidget* parent)
+{
+ int i;
+
+ TQString defaultRealm;
+ LDAPRealmConfigList realms = fetchAndReadTDERealmList(&defaultRealm);
+
+ if (oldCreds.realm != "") {
+ defaultRealm = oldCreds.realm;
+ }
+ LDAPChangePasswordDialog passdlg(parent, 0, false, allowSmartCard);
+ passdlg.m_base->ldapAdminRealm->setEnabled(true);
+ LDAPRealmConfigList::Iterator it;
+ i=0;
+ for (it = realms.begin(); it != realms.end(); ++it) {
+ passdlg.m_base->ldapAdminRealm->insertItem((*it).name);
+ if ((*it).name == defaultRealm) {
+ passdlg.m_base->ldapAdminRealm->setCurrentItem(i);
+ }
+ i++;
+ }
+ passdlg.m_base->passprompt->setText(prompt);
+ passdlg.m_base->ldapUseTLS->hide();
+ if (oldCreds.username != "") {
+ passdlg.m_base->ldapUsername->setText(oldCreds.username);
+ passdlg.m_base->ldapCurrentPassword->setFocus();
+ }
+ const int ret = passdlg.exec();
+ if (ret == KDialog::Accepted) {
+ oldCreds.username = passdlg.m_base->ldapUsername->text();
+ oldCreds.password = passdlg.m_base->ldapCurrentPassword->password();
+ oldCreds.realm = passdlg.m_base->ldapAdminRealm->currentText();
+ oldCreds.service = passdlg.m_base->kerberosServicePrincipal->text();
+ oldCreds.use_tls = passdlg.m_base->ldapUseTLS->isOn();
+ oldCreds.use_gssapi = false;
+ if (allowSmartCard) {
+ oldCreds.use_smartcard = passdlg.use_smartcard;
+ }
+ else {
+ oldCreds.use_smartcard = false;
+ }
+ newCreds = oldCreds;
+ newCreds.password = passdlg.m_base->ldapNewPassword->password();
+ }
+ return ret;
+}
+
 int LDAPManager::obtainKerberosTicket(LDAPCredentials creds, TQString principal, TQString *errstr) {
 TQCString command = "kinit";
 QCStringList args;
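Review bot: getNewKerberosPassword hands back `ldapNewPassword` exactly as typed, with no check that it is non-empty, and the companion changeKerberosPassword in this commit answers kpasswd's "Verify password" prompt with that same string, so kpasswd's own retype check can never catch a mistyped new password; unless LDAPChangePasswordDialog itself compares a confirmation field (not visible here), an empty value should at least be refused before returning, e.g. `if (newCreds.password.isEmpty()) return KDialog::Rejected;` inside the Accepted branch, and the dialog is the only place a confirmation can be compared. Also, `oldCreds.use_tls` is read from `ldapUseTLS` right after the function calls `hide()` on it, so it only ever carries the widget's default; a one-line comment stating that is intentional (or dropping the read) would help the next reader. obtainKerberosTicket begins at the end of this hunk and continues outside it.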
@@ -1869,6 +1918,131 @@ int LDAPManager::destroyKerberosTicket(TQString principal, TQString *errstr) {
 return 0;
 }
+int LDAPManager::changeKerberosPassword(LDAPCredentials oldCreds, LDAPCredentials newCreds, TQString principal, TQString *errstr) {
+ TQCString command = "kpasswd";
+ QCStringList args;
+ if (oldCreds.use_smartcard) {
+ // Get PKCS#11 slot number from the LDAP configuration file
+ KSimpleConfig* systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
+ systemconfig->setGroup(NULL);
+ int pkcs11_login_card_slot = systemconfig->readNumEntry("PKCS11LoginCardSlot", 0);
+ delete systemconfig;
+
+ TQString pkcsProviderString = "PKCS11:" + TDECryptographicCardDevice::pkcsProviderLibrary();
+ if (pkcs11_login_card_slot != 0) {
+ pkcsProviderString.append(TQString(",slot=%1").arg(pkcs11_login_card_slot));
+ }
+ args << TQCString("-C") << pkcsProviderString.local8Bit();
+
+ // Find certificate on card and set credentials to match
+ TDEGenericDevice *hwdevice;
+ TDEHardwareDevices *hwdevices = TDEGlobal::hardwareDevices();
+ TDEGenericHardwareList cardReaderList = hwdevices->listByDeviceClass(TDEGenericDeviceType::CryptographicCard);
+ for (hwdevice = cardReaderList.first(); hwdevice; hwdevice = cardReaderList.next()) {
+ TDECryptographicCardDevice* cdevice = static_cast<TDECryptographicCardDevice*>(hwdevice);
+ TQString username = TQString::null;
+ TQString realm = TQString::null;
+ X509CertificatePtrList certList = cdevice->cardX509Certificates();
+ if (certList.count() > 0) {
+ TQStringList::Iterator it;
+ KSSLCertificate* card_cert = NULL;
+ card_cert = KSSLCertificate::fromX509(certList[0]);
+ TQStringList cert_subject_parts = TQStringList::split("/", card_cert->getSubject(), false);
+ TQStringList reversed_cert_subject_parts;
+ for (it = cert_subject_parts.begin(); it != cert_subject_parts.end(); it++) {
+ reversed_cert_subject_parts.prepend(*it);
+ }
+ for (it = reversed_cert_subject_parts.begin(); it != reversed_cert_subject_parts.end(); ++it ) {
+ TQString lcpart = (*it).lower();
+ if (lcpart.startsWith("cn=")) {
+ username = lcpart.right(lcpart.length() - strlen("cn="));
+ }
+ else if (lcpart.startsWith("dc=")) {
+ realm.append(lcpart.right(lcpart.length() - strlen("dc=")) + ".");
+ }
+ }
+ if (realm.endsWith(".")) {
+ realm.truncate(realm.length() - 1);
+ }
+ delete card_cert;
+ }
+ if (username != "") {
+ oldCreds.username = username;
+ oldCreds.realm = realm;
+ break;
+ }
+ }
+ }
+ if (principal == "") {
+ args << TQString("%1@%2").arg(oldCreds.username).arg(oldCreds.realm.upper()).local8Bit();
+ }
+ else {
+ args << TQCString("-S") << principal.local8Bit() << TQString("%1@%2").arg(oldCreds.username).arg(oldCreds.realm.upper()).local8Bit();
+ }
+
+ TQString prompt;
+ PtyProcess kinitProc;
+ kinitProc.exec(command, args);
+ prompt = readFullLineFromPtyProcess(&kinitProc);
+ prompt = prompt.stripWhiteSpace();
+ while (prompt.endsWith(" Password:") || (oldCreds.use_smartcard && prompt.contains("PIN"))) {
+ if (oldCreds.use_smartcard) {
+ TQString password;
+ int result = KPasswordDialog::getPassword(password, prompt);
+ if (result == KPasswordDialog::Accepted) {
+ oldCreds.password = password;
+ }
+ else {
+ return 0;
+ }
+ }
+ kinitProc.enableLocalEcho(false);
+ kinitProc.writeLine(oldCreds.password.utf8(), true);
+ do { // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kinitProc);
+ printf("(kpasswd) '%s'\n", prompt.ascii());
+ } while (prompt == "");
+ prompt = prompt.stripWhiteSpace();
+ }
+ if (!prompt.startsWith(TQString("New password for %1@%2:").arg(oldCreds.username).arg(oldCreds.realm.upper()))) {
+ if (errstr) *errstr = detailedKAdminErrorMessage(prompt);
+ return 1;
+ }
+ else {
+ kinitProc.enableLocalEcho(false);
+ kinitProc.writeLine(newCreds.password.utf8(), true);
+ do { // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kinitProc);
+ printf("(kpasswd) '%s'\n", prompt.ascii());
+ } while (prompt == "");
+ prompt = prompt.stripWhiteSpace();
+ }
+ if (!prompt.startsWith(TQString("Verify password - "))) {
+ if (errstr) *errstr = detailedKAdminErrorMessage(prompt);
+ return 1;
+ }
+ else {
+ kinitProc.enableLocalEcho(false);
+ kinitProc.writeLine(newCreds.password.utf8(), true);
+ do { // Discard our own input
+ prompt = readFullLineFromPtyProcess(&kinitProc);
+ printf("(kpasswd) '%s'\n", prompt.ascii());
+ } while (prompt == "");
+ prompt = prompt.stripWhiteSpace();
+ }
+ if (prompt.startsWith("Success")) {
+ // Success!
+ return 0;
+ }
+ else if ((prompt != "") && (prompt != "TDE process terminated")) {
+ if (errstr) *errstr = detailedKAdminErrorMessage(prompt);
+ return 1;
+ }
+
+ // Presumed success!
+ return 0;
+}
+
 int LDAPManager::updateGroupInfo(LDAPGroupInfo group, TQString *errstr) {
 int retcode;
 int i;
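Review bot: In the PIN-prompt branch of changeKerberosPassword, cancelling KPasswordDialog does `return 0;`, which is the same code the function returns for "Success" and for the "Presumed success!" fall-through, so a caller cannot tell an aborted change from a completed one; that branch should set errstr and return non-zero, e.g. `if (errstr) *errstr = "Password change cancelled"; return 1;`. The three `printf("(kpasswd) '%s'\n", prompt.ascii());` lines dump every line kpasswd emits to stdout, including the lines read right after a password has been written to the pty; local echo is switched off first, but this is debug output on a credential path and should be removed before merge. The "Presumed success!" return treats an empty line or "TDE process terminated" as success without consulting the child's exit status; if PtyProcess exposes it (tdesu's `waitForChild()` does, if that is the class in use), checking it would be more reliable than pattern-matching kpasswd's output. updateGroupInfo begins at the end of this hunk and continues outside it.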
