From ca4c872008ca065066398629f76818e1c4286adf Mon Sep 17 00:00:00 2001
From: Timothy Pearson
Date: Fri, 2 Oct 2015 16:06:13 -0500
Subject: Properly report certificate retrieval failures to calling application
---
 src/libtdeldap.cpp | 39 ++++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 19 deletions(-)
(limited to 'src/libtdeldap.cpp')
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 661e3e6..8a14cc3 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -4117,7 +4117,22 @@ int LDAPManager::getTDECertificate(TQString certificateName, TQFile *fileHandle,
 TQByteArray ba;
 returncode = getTDECertificate(certificateName, &ba, errstr);
 if (returncode == 0) {
- fileHandle->writeBlock(ba);
+ if (fileHandle->open(IO_WriteOnly)) {
+ fileHandle->writeBlock(ba);
+ fileHandle->close();
+
+ if (chmod(TQFile::encodeName(fileHandle->name()).data(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+ if (errstr) *errstr = i18n("Unable to change permissions of \"%1\"").arg(TQFile::encodeName(fileHandle->name()).data());
+ return -1;
+ }
+ else {
+ return 0;
+ }
+ }
+ else {
+ if (errstr) *errstr = i18n("Unable to open file \"%1\" for writing").arg(TQFile::encodeName(fileHandle->name()).data());
+ return -1;
+ }
 }
 return returncode;
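Review bot: The return value of `fileHandle->writeBlock(ba)` is discarded in the added open/write/close sequence, so a short or failed write leaves a truncated certificate file behind while the function still returns 0. Check it against the buffer size and fail through `errstr`, for example `if (fileHandle->writeBlock(ba) != static_cast<long>(ba.size())) { fileHandle->close(); return -1; }`. The `chmod()` that follows also resolves the path a second time after `close()`; calling `fchmod(fileHandle->handle(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)` before `close()` would apply the mode to the file that was actually written. The function's signature and the declaration of `returncode` lie outside the hunk, and callers that pass an already-open `TQFile` are not visible here, so the new `open()` call should be confirmed against them.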
@@ -4125,21 +4140,7 @@ int LDAPManager::getTDECertificate(TQString certificateName, TQFile *fileHandle,
 int LDAPManager::getTDECertificate(TQString certificateName, TQString fileName, TQString *errstr) {
 TQFile file(fileName);
- if (file.open(IO_WriteOnly)) {
- getTDECertificate(certificateName, &file, errstr);
- file.close();
- if (chmod(fileName.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
- if (errstr) *errstr = i18n("Unable to change permissions of \"%1\"").arg(fileName.ascii());
- return -1;
- }
- else {
- return 0;
- }
- }
- else {
- if (errstr) *errstr = i18n("Unable to open file \"%1\" for writing").arg(fileName.ascii());
- return -1;
- }
+ return getTDECertificate(certificateName, &file, errstr);
 }
 int LDAPManager::writeSudoersConfFile(TQString *errstr) {
@@ -5069,7 +5070,7 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
 stream << "# All changes will be lost!\n";
 stream << "\n";
 stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n";
- stream << "auth [success=done new_authtok_reqd=done default=ignore] pam_unix.so nullok try_first_pass" << "\n";
+ stream << "auth [default=ignore success=done new_authtok_reqd=done] pam_unix.so nullok try_first_pass" << "\n";
 if (pamConfig.enable_cached_credentials) {
 stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
 stream << "auth [default=1 success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
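Review bot: The rewritten `pam_unix.so` line in the `writePAMFiles` hunk keeps `nullok`, which lets pam_unix accept an account whose local password field is empty; that should either be dropped or justified in a comment above the line, e.g. `// nullok retained because <reason placeholder>`. The reordering of the bracketed controls itself looks cosmetic, since PAM does not attach meaning to the order of `value=action` pairs. The body of `writePAMFiles` starts and ends outside the hunk, so which PAM service file this stream feeds is not visible here.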
@@ -5079,8 +5080,8 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
 stream << "auth [default=ignore success=done new_authtok_reqd=done service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
 }
 if (pamConfig.enable_pkcs11_login) {
- stream << "auth [default=ignore success=done new_authtok_reqd=done] pam_pkcs11.so" << "\n";
- // stream << "auth [default=ignore success=done new_authtok_reqd=done] pam_krb5.so force_first_pass no_prompt try_pkinit" << "\n";
+ stream << "auth [default=ignore success=done new_authtok_reqd=done service_err=reset] pam_krb5.so use_first_pass first_pass_is_pin no_prompt try_pkinit" << "\n";
+ stream << "auth [default=ignore success=done new_authtok_reqd=done] pam_pkcs11.so use_first_pass" << "\n";
 }
 stream << "auth required pam_deny.so" << "\n";
-- cgit v1.2.3
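Review bot: The two lines added under `enable_pkcs11_login` hand whatever token an earlier module collected to the smartcard as its PIN (`use_first_pass first_pass_is_pin` on `pam_krb5.so`, `use_first_pass` on `pam_pkcs11.so`), and nothing in the hunk documents that. If the stack reaches these lines only after `pam_unix.so` and the password-based `pam_krb5.so` line have rejected the same token, a mistyped password would presumably be presented to the card up to twice per login attempt and count against its PIN retry limit; this depends on module behaviour not shown here and should be tested with a card that has a low retry limit. I would add a comment above the block such as `// PKINIT first: success=done ends the stack before pam_pkcs11 runs; both modules reuse the first-pass token as the card PIN`, and state whether `first_pass_is_pin` requires a patched pam_krb5. The commit subject mentions only certificate retrieval, so the PAM stack change deserves its own line in the description.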