From 9bde56028895a13a7a0139f37c3f6957fe92e158 Mon Sep 17 00:00:00 2001 From: Timothy Pearson Date: Tue, 5 Jun 2012 00:42:52 -0500 Subject: Fix compilation issues --- src/Makefile.am | 4 +- src/bondfinishpage.h | 2 +- src/bondrealmpage.cpp | 1 + src/bondrealmpage.h | 2 +- src/ldap.cpp | 717 -------------------------------------------- src/ldap.h | 98 ------ src/ldapbonding.cpp | 717 ++++++++++++++++++++++++++++++++++++++++++++ src/ldapbonding.h | 98 ++++++ src/realmpropertiesdialog.h | 2 +- 9 files changed, 821 insertions(+), 820 deletions(-) delete mode 100644 src/ldap.cpp delete mode 100644 src/ldap.h create mode 100644 src/ldapbonding.cpp create mode 100644 src/ldapbonding.h diff --git a/src/Makefile.am b/src/Makefile.am index ba0703e..90c6ea3 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1,10 +1,10 @@ -INCLUDES = $(all_includes) +INCLUDES = $(all_includes) $(KDE_INCLUDES)/tde METASOURCES = AUTO # Install this plugin in the KDE modules directory kde_module_LTLIBRARIES = kcm_ldap.la -kcm_ldap_la_SOURCES = ldap.cpp ldapconfigbase.ui realmpropertiesdialog.cpp bondintropage.cpp bondintropagedlg.ui bondrealmpage.cpp bondrealmpagedlg.ui bondfinishpage.cpp bondfinishpagedlg.ui bondwizard.cpp ldappasswddlg.cpp +kcm_ldap_la_SOURCES = ldapbonding.cpp ldapconfigbase.ui realmpropertiesdialog.cpp bondintropage.cpp bondintropagedlg.ui bondrealmpage.cpp bondrealmpagedlg.ui bondfinishpage.cpp bondfinishpagedlg.ui bondwizard.cpp ldappasswddlg.cpp kcm_ldap_la_LIBADD = -lkio $(LIB_TDEUI) kcm_ldap_la_LDFLAGS = -avoid-version -module -no-undefined \ $(all_libraries) diff --git a/src/bondfinishpage.h b/src/bondfinishpage.h index c737904..c5250ef 100644 --- a/src/bondfinishpage.h +++ b/src/bondfinishpage.h @@ -21,7 +21,7 @@ #ifndef BONDFINISHPAGE_H #define BONDFINISHPAGE_H -#include "ldap.h" +#include "ldapbonding.h" #include "bondfinishpagedlg.h" diff --git a/src/bondrealmpage.cpp b/src/bondrealmpage.cpp index e244e84..3707f9c 100644 --- a/src/bondrealmpage.cpp +++ b/src/bondrealmpage.cpp @@ -21,6 +21,7 @@ #include #include #include +#include #include #include diff --git a/src/bondrealmpage.h b/src/bondrealmpage.h index 21b8169..117d537 100644 --- a/src/bondrealmpage.h +++ b/src/bondrealmpage.h @@ -21,7 +21,7 @@ #ifndef BONDREALMPAGE_H #define BONDREALMPAGE_H -#include "ldap.h" +#include "ldapbonding.h" #include "bondrealmpagedlg.h" diff --git a/src/ldap.cpp b/src/ldap.cpp deleted file mode 100644 index 9895f0f..0000000 --- a/src/ldap.cpp +++ /dev/null @@ -1,717 +0,0 @@ -/*************************************************************************** - * Copyright (C) 2012 by Timothy Pearson * - * kb9vqf@pearsoncomputing.net * - * * - * This program is free software; you can redistribute it and/or modify * - * it under the terms of the GNU General Public License as published by * - * the Free Software Foundation; either version 2 of the License, or * - * (at your option) any later version. * - * * - * This program is distributed in the hope that it will be useful, * - * but WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * - * GNU General Public License for more details. * - * * - * You should have received a copy of the GNU General Public License * - * along with this program; if not, write to the * - * Free Software Foundation, Inc., * - * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - ***************************************************************************/ - -#include -#include -#include - -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#include "ldap.h" -#include "bondwizard.h" -#include "ldappasswddlg.h" -#include "realmpropertiesdialog.h" - -// FIXME -// Connect this to CMake/Automake -#define KDE_CONFDIR "/etc/trinity" -#define KRB5_FILE "/etc/krb5.conf" -#define NSSWITCH_FILE "/etc/nsswitch.conf" -#define PAMD_DIRECTORY "/etc/pam.d/" -#define PAMD_COMMON_ACCOUNT "common-account" -#define PAMD_COMMON_AUTH "common-auth" -#define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db" - -typedef KGenericFactory ldapFactory; - -K_EXPORT_COMPONENT_FACTORY( kcm_ldap, ldapFactory("kcmldap")) - -KSimpleConfig *systemconfig = 0; - -LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&) - : KCModule(parent, name), myAboutData(0) -{ - TQVBoxLayout *layout = new TQVBoxLayout(this, KDialog::marginHint(), KDialog::spacingHint()); - systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" )); - systemconfig->setFileWriteMode(S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); - - KAboutData* about = new KAboutData("ldap", I18N_NOOP("TDE LDAP Manager"), "0.1", - I18N_NOOP("TDE LDAP Manager Control Panel Module"), - KAboutData::License_GPL, - I18N_NOOP("(c) 2012 Timothy Pearson"), 0, 0); - - about->addAuthor("Timothy Pearson", 0, "kb9vqf@pearsoncomputing.net"); - setAboutData( about ); - - base = new LDAPConfigBase(this); - layout->add(base); - base->ldapRealmList->setAllColumnsShowFocus(true); - base->ldapRealmList->setFullWidth(true); - - setRootOnlyMsg(i18n("Bonded LDAP realms take effect system wide, and require administrator access to modify
To alter the system's bonded LDAP realms, click on the \"Administrator Mode\" button below.")); - setUseRootOnlyMsg(true); - - connect(base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed())); - connect(base->defaultRealm, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed())); - connect(base->ticketLifetime, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed())); - connect(base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts())); - connect(base->ldapRealmList, TQT_SIGNAL(selectionChanged()), this, TQT_SLOT(processLockouts())); - - connect(base->btnBondRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(bondToNewRealm())); - connect(base->btnReBondRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(reBondToRealm())); - connect(base->btnRemoveRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(removeRealm())); - connect(base->btnDeactivateRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(deactivateRealm())); - connect(base->btnRealmProperties, TQT_SIGNAL(clicked()), this, TQT_SLOT(realmProperties())); - - connect(base->ldapVersion, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed())); - connect(base->ldapTimeout, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed())); - connect(base->bindPolicy, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed())); - connect(base->ldapBindTimeout, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed())); - connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed())); - connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed())); - - m_fqdn = getMachineFQDN(); - base->hostFQDN->setEnabled(false); - base->hostFQDN->clear(); - base->hostFQDN->insertItem(m_fqdn); - - load(); - - if (getuid() != 0 || !systemconfig->checkConfigFilesWritable( true )) { - base->systemEnableSupport->setEnabled(false); - } - - processLockouts(); -}; - -LDAPConfig::~LDAPConfig() { - delete systemconfig; -} - -// FIXME -// This should be moved to a TDE core library -TQString LDAPConfig::getMachineFQDN() { - struct addrinfo hints, *info, *p; - int gai_result; - - char hostname[1024]; - hostname[1023] = '\0'; - gethostname(hostname, 1023); - - memset(&hints, 0, sizeof hints); - hints.ai_family = AF_UNSPEC; // IPV4 or IPV6 - hints.ai_socktype = SOCK_STREAM; - hints.ai_flags = AI_CANONNAME; - - if ((gai_result = getaddrinfo(hostname, NULL, &hints, &info)) != 0) { - return TQString(hostname); - } - TQString fqdn = TQString(hostname); - for (p=info; p!=NULL; p=p->ai_next) { - fqdn = TQString(p->ai_canonname); - } - freeaddrinfo(info); - - return fqdn; -} - -void LDAPConfig::load() { - kgs = new KGlobalSettings(); - - load(false); -} - -void LDAPConfig::load(bool useDefaults ) -{ - int i; - bool thisIsMyMachine; - - //Update the toggle buttons with the current configuration - systemconfig->setReadDefaults( useDefaults ); - - systemconfig->setGroup(NULL); - base->systemEnableSupport->setChecked(systemconfig->readBoolEntry("EnableLDAP", false)); - m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null); - m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400); - if (m_fqdn == systemconfig->readEntry("HostFQDN", "")) { - thisIsMyMachine = true; - } - else { - thisIsMyMachine = false; - } - - m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3); - m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2); - m_bindPolicy = systemconfig->readEntry("ConnectionBindPolicy", "soft"); - m_ldapBindTimeout = systemconfig->readNumEntry("ConnectionBindTimeout", 2); - m_passwordHash = systemconfig->readEntry("ConnectionPasswordHash", "exop"); - m_ignoredUsers = systemconfig->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST); - - // Load realms - m_realms.clear(); - TQStringList cfgRealms = systemconfig->groupList(); - for (TQStringList::Iterator it(cfgRealms.begin()); it != cfgRealms.end(); ++it) { - if ((*it).startsWith("LDAPRealm-")) { - systemconfig->setGroup(*it); - TQString realmName=*it; - realmName.remove(0,strlen("LDAPRealm-")); - if (!m_realms.contains(realmName)) { - // Read in realm data - LDAPRealmConfig realmcfg; - realmcfg.name = realmName; - if (thisIsMyMachine) { - realmcfg.bonded = systemconfig->readBoolEntry("bonded"); - } - else { - realmcfg.bonded = false; - } - realmcfg.uid_offset = systemconfig->readNumEntry("uid_offset"); - realmcfg.gid_offset = systemconfig->readNumEntry("gid_offset"); - realmcfg.domain_mappings = systemconfig->readListEntry("domain_mappings"); - realmcfg.kdc = systemconfig->readEntry("kdc"); - realmcfg.kdc_port = systemconfig->readNumEntry("kdc_port"); - realmcfg.admin_server = systemconfig->readEntry("admin_server"); - realmcfg.admin_server_port = systemconfig->readNumEntry("admin_server_port"); - realmcfg.pkinit_require_eku = systemconfig->readBoolEntry("pkinit_require_eku"); - realmcfg.pkinit_require_krbtgt_otherName = systemconfig->readBoolEntry("pkinit_require_krbtgt_otherName"); - realmcfg.win2k_pkinit = systemconfig->readBoolEntry("win2k_pkinit"); - realmcfg.win2k_pkinit_require_binding = systemconfig->readBoolEntry("win2k_pkinit_require_binding"); - // Add realm to list - m_realms.insert(realmName, realmcfg); - } - } - } - - base->ticketLifetime->setValue(m_ticketLifetime); - - base->ldapVersion->setValue(m_ldapVersion); - base->ldapTimeout->setValue(m_ldapTimeout); - for (i=0; ibindPolicy->count(); i++) { - if (base->bindPolicy->text(i).lower() == m_defaultRealm.lower()) { - base->bindPolicy->setCurrentItem(i); - break; - } - } - base->ldapBindTimeout->setValue(m_ldapBindTimeout); - for (i=0; ipasswordHash->count(); i++) { - if (base->passwordHash->text(i).lower() == m_passwordHash.lower()) { - base->passwordHash->setCurrentItem(i); - break; - } - } - base->ignoredUsers->setText(m_ignoredUsers); - - updateRealmList(); - - processLockouts(); - - emit changed(useDefaults); -} - -void LDAPConfig::updateRealmList() { - base->ldapRealmList->clear(); - base->defaultRealm->clear(); - LDAPRealmConfigList::Iterator it; - for (it = m_realms.begin(); it != m_realms.end(); ++it) { - LDAPRealmConfig realmcfg = it.data(); - (void)new TQListViewItem(base->ldapRealmList, ((realmcfg.bonded)?i18n("Bonded"):i18n("Deactivated")), realmcfg.name); - base->defaultRealm->insertItem(realmcfg.name); - } - if (m_defaultRealm != "") { - for (int i=0; idefaultRealm->count(); i++) { - if (base->defaultRealm->text(i) == m_defaultRealm) { - base->defaultRealm->setCurrentItem(i); - break; - } - } - } - processLockouts(); -} - -void LDAPConfig::defaults() { - -} - -void LDAPConfig::save() { - // Write system configuration - systemconfig->setGroup(NULL); - systemconfig->writeEntry("EnableLDAP", base->systemEnableSupport->isChecked()); - systemconfig->writeEntry("HostFQDN", m_fqdn); - m_defaultRealm = base->defaultRealm->currentText(); - m_ticketLifetime = base->ticketLifetime->value(); - - m_ldapVersion = base->ldapVersion->value(); - m_ldapTimeout = base->ldapTimeout->value(); - m_bindPolicy = base->bindPolicy->currentText(); - m_ldapBindTimeout = base->ldapBindTimeout->value(); - m_passwordHash = base->passwordHash->currentText(); - m_ignoredUsers = base->ignoredUsers->text(); - - if (m_defaultRealm != "") { - systemconfig->writeEntry("DefaultRealm", m_defaultRealm); - } - else { - systemconfig->deleteEntry("DefaultRealm"); - } - systemconfig->writeEntry("TicketLifetime", m_ticketLifetime); - - systemconfig->writeEntry("ConnectionLDAPVersion", m_ldapVersion); - systemconfig->writeEntry("ConnectionLDAPTimeout", m_ldapTimeout); - systemconfig->writeEntry("ConnectionBindPolicy", m_bindPolicy); - systemconfig->writeEntry("ConnectionBindTimeout", m_ldapBindTimeout); - systemconfig->writeEntry("ConnectionPasswordHash", m_passwordHash); - systemconfig->writeEntry("ConnectionIgnoredUsers", m_ignoredUsers); - - LDAPManager::writeTDERealmList(m_realms, systemconfig); - systemconfig->sync(); - - if (base->systemEnableSupport->isChecked()) { - // Write the Kerberos5 configuration file - writeKrb5ConfFile(); - // Write the LDAP configuration file - writeLDAPConfFile(); - // Write the NSSwitch configuration file - writeNSSwitchFile(); - // Write the PAM configuration files - writePAMFiles(); - // Write the cron files - writeCronFiles(); - // RAJA FIXME - // Update the SUDOERS file with the domain-wide computer local admin group! - } - - load(); -} - -void LDAPConfig::processLockouts() { - bool panelIsEnabled = (base->systemEnableSupport->isEnabled() && base->systemEnableSupport->isChecked()); - - base->groupRealms->setEnabled(panelIsEnabled); - base->groupKrbDefaults->setEnabled(panelIsEnabled); - base->groupConnectionParameters->setEnabled(panelIsEnabled); - - TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); - if (selrealm) { - LDAPRealmConfig realmcfg = m_realms[selrealm->text(1)]; - base->btnBondRealm->setEnabled(true); - base->btnReBondRealm->setEnabled(true); - if (realmcfg.bonded) { - base->btnDeactivateRealm->setEnabled(true); - base->btnRemoveRealm->setEnabled(false); - base->btnRealmProperties->setEnabled(false); - } - else { - base->btnDeactivateRealm->setEnabled(false); - base->btnRemoveRealm->setEnabled(true); - base->btnRealmProperties->setEnabled(true); - } - } - else { - base->btnBondRealm->setEnabled(true); - base->btnReBondRealm->setEnabled(false); - base->btnDeactivateRealm->setEnabled(false); - base->btnRemoveRealm->setEnabled(false); - base->btnRealmProperties->setEnabled(false); - } -} - -void LDAPConfig::bondToNewRealm() { - // Something will probably change - save(); - - BondWizard bondwizard(&m_realms, this, this); - bondwizard.exec(); - - // Something probably changed - load(); -} - -void LDAPConfig::reBondToRealm() { - TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); - if (selrealm) { - TQString realmName = selrealm->text(1); - LDAPRealmConfig realmcfg = m_realms[realmName]; - - // Password prompt... - TQString errorString; - LDAPPasswordDialog passdlg(this); - passdlg.m_base->ldapAdminRealm->setEnabled(false); - passdlg.m_base->ldapAdminRealm->setText(realmName); - if (passdlg.exec() == TQDialog::Accepted) { - setEnabled(false); - if (bondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) { - // Success! - realmcfg.bonded = true; - m_realms.remove(realmName); - m_realms.insert(realmName, realmcfg); - save(); - } - else { - KMessageBox::error(this, i18n("Unable to bond to realm!

Details: %1").arg(errorString), i18n("Unable to Bond to Realm")); - } - setEnabled(true); - } - } - updateRealmList(); -} - -void LDAPConfig::removeRealm() { - TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); - if (selrealm) { - m_realms.remove(selrealm->text(1)); - updateRealmList(); - changed(); - } -} - -void LDAPConfig::deactivateRealm() { - TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); - if (selrealm) { - TQString realmName = selrealm->text(1); - LDAPRealmConfig realmcfg = m_realms[realmName]; - if (realmcfg.bonded == true) { - // Password prompt... - TQString errorString; - LDAPPasswordDialog passdlg(this); - passdlg.m_base->ldapAdminRealm->setEnabled(false); - passdlg.m_base->ldapAdminRealm->setText(realmName); - passdlg.m_base->passprompt->setText(i18n("Please provide LDAP realm administrator credentials below to complete the unbonding process")); - if (passdlg.exec() == TQDialog::Accepted) { - setEnabled(false); - if (unbondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) { - // Success! - realmcfg.bonded = false; - m_realms.remove(realmName); - m_realms.insert(realmName, realmcfg); - save(); - } - else { - KMessageBox::error(this, i18n("Unable to unbond from realm!

%1").arg(errorString), i18n("Unable to Unbond from Realm")); - } - setEnabled(true); - } - } - } - updateRealmList(); -} - -TQString readFullLineFromPtyProcess(PtyProcess* proc) { - TQString result = ""; - while ((!result.contains("\n")) && (!result.contains(":")) && (!result.contains(">"))) { - result = result + TQString(proc->readLine(false)); - tqApp->processEvents(); - } - return result; -} - -int LDAPConfig::bondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) { - TQCString command = "kadmin"; - QCStringList args; - args << TQCString("-p") << TQCString(adminUserName+"@"+(adminRealm.upper())) << TQCString("-r") << TQCString(adminRealm.upper()); - - TQString hoststring = "host/"+m_fqdn; - - TQString prompt; - PtyProcess kadminProc; - kadminProc.exec(command, args); - prompt = kadminProc.readLine(true); - prompt = prompt.stripWhiteSpace(); - if (prompt == "kadmin>") { - kadminProc.writeLine(TQCString("ext "+hoststring), true); - prompt = kadminProc.readLine(true); // Discard our own input - prompt = readFullLineFromPtyProcess(&kadminProc); - prompt = prompt.stripWhiteSpace(); - if (prompt.endsWith(" Password:")) { - kadminProc.writeLine(adminPassword, true); - prompt = kadminProc.readLine(true); // Discard our own input - prompt = kadminProc.readLine(true); - prompt = prompt.stripWhiteSpace(); - } - if (prompt.contains("authentication failed")) { - if (errstr) *errstr = prompt; - kadminProc.writeLine("quit", true); - return 1; - } - else if (prompt.endsWith("Principal does not exist")) { - kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true); - prompt = kadminProc.readLine(true); // Discard our own input - prompt = readFullLineFromPtyProcess(&kadminProc); - prompt = prompt.stripWhiteSpace(); - // Use all defaults - while (prompt != "kadmin>") { - if (prompt.endsWith(" Password:")) { - kadminProc.writeLine(adminPassword, true); - prompt = kadminProc.readLine(true); // Discard our own input - prompt = kadminProc.readLine(true); - prompt = prompt.stripWhiteSpace(); - } - if (prompt.contains("authentication failed")) { - if (errstr) *errstr = prompt; - kadminProc.writeLine("quit", true); - return 1; - } - else { - // Extract whatever default is in the [brackets] and feed it back to kadmin - TQString defaultParam; - int leftbracket = prompt.find("["); - int rightbracket = prompt.find("]"); - if ((leftbracket >= 0) && (rightbracket >= 0)) { - leftbracket++; - defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket); - } - kadminProc.writeLine(TQCString(defaultParam), true); - prompt = kadminProc.readLine(true); // Discard our own input - prompt = kadminProc.readLine(true); - prompt = prompt.stripWhiteSpace(); - } - } - kadminProc.writeLine(TQCString("ext "+hoststring), true); - prompt = kadminProc.readLine(true); // Discard our own input - prompt = readFullLineFromPtyProcess(&kadminProc); - prompt = prompt.stripWhiteSpace(); - if (prompt != "kadmin>") { - if (errstr) *errstr = prompt; - kadminProc.writeLine("quit", true); - return 1; - } - - // Success! - kadminProc.writeLine("quit", true); - return 0; - } - else if (prompt == "kadmin>") { - // Success! - kadminProc.writeLine("quit", true); - return 0; - } - - // Failure - if (errstr) *errstr = prompt; - kadminProc.writeLine("quit", true); - return 1; - } - - if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed."; - return 1; // Failure -} - -int LDAPConfig::unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) { - TQCString command = "kadmin"; - QCStringList args; - args << TQCString("-p") << TQCString(adminUserName+"@"+(adminRealm.upper())); - - TQString hoststring = "host/"+m_fqdn; - - TQString prompt; - PtyProcess kadminProc; - kadminProc.exec(command, args); - prompt = kadminProc.readLine(true); - prompt = prompt.stripWhiteSpace(); - if (prompt == "kadmin>") { - kadminProc.writeLine(TQCString("delete "+hoststring), true); - prompt = kadminProc.readLine(true); // Discard our own input - prompt = readFullLineFromPtyProcess(&kadminProc); - prompt = prompt.stripWhiteSpace(); - if (prompt.endsWith(" Password:")) { - kadminProc.writeLine(adminPassword, true); - prompt = kadminProc.readLine(true); // Discard our own input - prompt = kadminProc.readLine(true); - prompt = prompt.stripWhiteSpace(); - } - if (prompt != "kadmin>") { - if (errstr) *errstr = prompt; - kadminProc.writeLine("quit", true); - return 1; - } - - // Success! - kadminProc.writeLine("quit", true); - return 0; - } - - return 1; // Failure -} - -void LDAPConfig::realmProperties() { - TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); - if (selrealm) { - RealmPropertiesDialog rpdialog(&m_realms, selrealm->text(1), this); - if (rpdialog.exec() == TQDialog::Accepted) { - updateRealmList(); - changed(); - } - } -} - -void LDAPConfig::writeKrb5ConfFile() { - TQFile file(KRB5_FILE); - if (file.open(IO_WriteOnly)) { - TQTextStream stream( &file ); - - stream << "# This file was automatically generated by TDE\n"; - stream << "# All changes will be lost!\n"; - stream << "\n"; - - // Defaults - stream << "[libdefaults]\n"; - stream << " ticket_lifetime = " << m_ticketLifetime << "\n"; - if (m_defaultRealm != "") { - stream << " default_realm = " << m_defaultRealm << "\n"; - } - stream << "\n"; - - // Realms - stream << "[realms]\n"; - LDAPRealmConfigList::Iterator it; - for (it = m_realms.begin(); it != m_realms.end(); ++it) { - LDAPRealmConfig realmcfg = it.data(); - stream << " " << realmcfg.name << " = {\n"; - stream << " kdc = " << realmcfg.kdc << ":" << realmcfg.kdc_port << "\n"; - stream << " admin_server = " << realmcfg.admin_server << ":" << realmcfg.admin_server_port << "\n"; - stream << " pkinit_require_eku = " << (realmcfg.pkinit_require_eku?"true":"false") << "\n"; - stream << " pkinit_require_krbtgt_otherName = " << (realmcfg.pkinit_require_krbtgt_otherName?"true":"false") << "\n"; - stream << " win2k_pkinit = " << (realmcfg.win2k_pkinit?"yes":"no") << "\n"; - stream << " win2k_pkinit_require_binding = " << (realmcfg.win2k_pkinit_require_binding?"yes":"no") << "\n"; - stream << " }\n"; - } - stream << "\n"; - - // Domain aliases - stream << "[domain_realm]\n"; - LDAPRealmConfigList::Iterator it2; - for (it2 = m_realms.begin(); it2 != m_realms.end(); ++it2) { - LDAPRealmConfig realmcfg = it2.data(); - TQStringList domains = realmcfg.domain_mappings; - for (TQStringList::Iterator it3 = domains.begin(); it3 != domains.end(); ++it3 ) { - stream << " " << *it3 << " = " << realmcfg.name << "\n"; - } - } - - file.close(); - } -} - -void LDAPConfig::writeLDAPConfFile() { - LDAPManager::writeLDAPConfFile(m_realms[m_defaultRealm]); -} - -void LDAPConfig::writeNSSwitchFile() { - TQFile file(NSSWITCH_FILE); - if (file.open(IO_WriteOnly)) { - TQTextStream stream( &file ); - - stream << "# This file was automatically generated by TDE\n"; - stream << "# All changes will be lost!\n"; - stream << "\n"; - stream << "passwd: files ldap [NOTFOUND=return] db" << "\n"; - stream << "group: files ldap [NOTFOUND=return] db" << "\n"; - stream << "shadow: files ldap [NOTFOUND=return] db" << "\n"; - stream << "\n"; - stream << "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4" << "\n"; - stream << "networks: files" << "\n"; - stream << "\n"; - stream << "protocols: db files" << "\n"; - stream << "services: db files" << "\n"; - stream << "ethers: db files" << "\n"; - stream << "rpc: db files" << "\n"; - stream << "\n"; - stream << "netgroup: nis" << "\n"; - - file.close(); - } -} - -void LDAPConfig::writePAMFiles() { - TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT); - if (file.open(IO_WriteOnly)) { - TQTextStream stream( &file ); - - stream << "# This file was automatically generated by TDE\n"; - stream << "# All changes will be lost!\n"; - stream << "\n"; - stream << "account sufficient pam_unix.so nullok_secure" << "\n"; - stream << "account sufficient pam_ldap.so" << "\n"; - stream << "account required pam_permit.so" << "\n"; - - file.close(); - } - - TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH); - if (file2.open(IO_WriteOnly)) { - TQTextStream stream( &file2 ); - - stream << "# This file was automatically generated by TDE\n"; - stream << "# All changes will be lost!\n"; - stream << "\n"; - stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n"; - stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n"; - stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n"; - stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n"; - stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n"; - stream << "auth required pam_deny.so" << "\n"; - - file2.close(); - } -} - -void LDAPConfig::writeCronFiles() { - TQFile file(CRON_UPDATE_NSS_FILE); - if (file.open(IO_WriteOnly)) { - TQTextStream stream( &file ); - - stream << "# This file was automatically generated by TDE\n"; - stream << "# All changes will be lost!\n"; - stream << "\n"; - stream << "#!/bin/sh" << "\n"; - stream << "/usr/sbin/nss_updatedb ldap" << "\n"; - - file.close(); - } -} - -int LDAPConfig::buttons() { - return KCModule::Apply|KCModule::Help; -} - -TQString LDAPConfig::quickHelp() const -{ - return i18n("This module configures which LDAP realms TDE uses for authentication."); -} diff --git a/src/ldap.h b/src/ldap.h deleted file mode 100644 index 124411d..0000000 --- a/src/ldap.h +++ /dev/null @@ -1,98 +0,0 @@ -/*************************************************************************** - * Copyright (C) 2012 by Timothy Pearson * - * kb9vqf@pearsoncomputing.net * - * * - * This program is free software; you can redistribute it and/or modify * - * it under the terms of the GNU General Public License as published by * - * the Free Software Foundation; either version 2 of the License, or * - * (at your option) any later version. * - * * - * This program is distributed in the hope that it will be useful, * - * but WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * - * GNU General Public License for more details. * - * * - * You should have received a copy of the GNU General Public License * - * along with this program; if not, write to the * - * Free Software Foundation, Inc., * - * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - ***************************************************************************/ - -#ifndef _LDAP_H_ -#define _LDAP_H_ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#include "ldapconfigbase.h" - -#ifdef HAVE_CONFIG_H -#include -#endif - -class LDAPConfig: public KCModule -{ - Q_OBJECT - - public: - LDAPConfig( TQWidget *parent=0, const char *name=0, const TQStringList& = TQStringList() ); - ~LDAPConfig(); - - virtual void load(); - virtual void load( bool useDefaults); - virtual void save(); - virtual void defaults(); - virtual int buttons(); - virtual TQString quickHelp() const; - virtual const KAboutData *aboutData() const { return myAboutData; }; - - int bondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0); - int unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0); - - // FIXME - // This should be moved to a TDE core library - TQString getMachineFQDN(); - - private slots: - void processLockouts(); - void bondToNewRealm(); - void reBondToRealm(); - void removeRealm(); - void deactivateRealm(); - void realmProperties(); - - private: - void updateRealmList(); - void writeKrb5ConfFile(); - void writeLDAPConfFile(); - void writeNSSwitchFile(); - void writePAMFiles(); - void writeCronFiles(); - - private: - KAboutData *myAboutData; - KGlobalSettings *kgs; - LDAPConfigBase *base; - LDAPRealmConfigList m_realms; - TQString m_fqdn; - TQString m_defaultRealm; - int m_ticketLifetime; - - int m_ldapVersion; - int m_ldapTimeout; - TQString m_bindPolicy; - int m_ldapBindTimeout; - TQString m_passwordHash; - TQString m_ignoredUsers; -}; - -#endif diff --git a/src/ldapbonding.cpp b/src/ldapbonding.cpp new file mode 100644 index 0000000..9c9d9b5 --- /dev/null +++ b/src/ldapbonding.cpp @@ -0,0 +1,717 @@ +/*************************************************************************** + * Copyright (C) 2012 by Timothy Pearson * + * kb9vqf@pearsoncomputing.net * + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + * * + * This program is distributed in the hope that it will be useful, * + * but WITHOUT ANY WARRANTY; without even the implied warranty of * + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * + * GNU General Public License for more details. * + * * + * You should have received a copy of the GNU General Public License * + * along with this program; if not, write to the * + * Free Software Foundation, Inc., * + * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + ***************************************************************************/ + +#include +#include +#include + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include "ldapbonding.h" +#include "bondwizard.h" +#include "ldappasswddlg.h" +#include "realmpropertiesdialog.h" + +// FIXME +// Connect this to CMake/Automake +#define KDE_CONFDIR "/etc/trinity" +#define KRB5_FILE "/etc/krb5.conf" +#define NSSWITCH_FILE "/etc/nsswitch.conf" +#define PAMD_DIRECTORY "/etc/pam.d/" +#define PAMD_COMMON_ACCOUNT "common-account" +#define PAMD_COMMON_AUTH "common-auth" +#define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db" + +typedef KGenericFactory ldapFactory; + +K_EXPORT_COMPONENT_FACTORY( kcm_ldap, ldapFactory("kcmldap")) + +KSimpleConfig *systemconfig = 0; + +LDAPConfig::LDAPConfig(TQWidget *parent, const char *name, const TQStringList&) + : KCModule(parent, name), myAboutData(0) +{ + TQVBoxLayout *layout = new TQVBoxLayout(this, KDialog::marginHint(), KDialog::spacingHint()); + systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" )); + systemconfig->setFileWriteMode(S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + + KAboutData* about = new KAboutData("ldap", I18N_NOOP("TDE LDAP Manager"), "0.1", + I18N_NOOP("TDE LDAP Manager Control Panel Module"), + KAboutData::License_GPL, + I18N_NOOP("(c) 2012 Timothy Pearson"), 0, 0); + + about->addAuthor("Timothy Pearson", 0, "kb9vqf@pearsoncomputing.net"); + setAboutData( about ); + + base = new LDAPConfigBase(this); + layout->add(base); + base->ldapRealmList->setAllColumnsShowFocus(true); + base->ldapRealmList->setFullWidth(true); + + setRootOnlyMsg(i18n("Bonded LDAP realms take effect system wide, and require administrator access to modify
To alter the system's bonded LDAP realms, click on the \"Administrator Mode\" button below.")); + setUseRootOnlyMsg(true); + + connect(base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed())); + connect(base->defaultRealm, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed())); + connect(base->ticketLifetime, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed())); + connect(base->systemEnableSupport, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts())); + connect(base->ldapRealmList, TQT_SIGNAL(selectionChanged()), this, TQT_SLOT(processLockouts())); + + connect(base->btnBondRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(bondToNewRealm())); + connect(base->btnReBondRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(reBondToRealm())); + connect(base->btnRemoveRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(removeRealm())); + connect(base->btnDeactivateRealm, TQT_SIGNAL(clicked()), this, TQT_SLOT(deactivateRealm())); + connect(base->btnRealmProperties, TQT_SIGNAL(clicked()), this, TQT_SLOT(realmProperties())); + + connect(base->ldapVersion, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed())); + connect(base->ldapTimeout, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed())); + connect(base->bindPolicy, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed())); + connect(base->ldapBindTimeout, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed())); + connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed())); + connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed())); + + m_fqdn = getMachineFQDN(); + base->hostFQDN->setEnabled(false); + base->hostFQDN->clear(); + base->hostFQDN->insertItem(m_fqdn); + + load(); + + if (getuid() != 0 || !systemconfig->checkConfigFilesWritable( true )) { + base->systemEnableSupport->setEnabled(false); + } + + processLockouts(); +}; + +LDAPConfig::~LDAPConfig() { + delete systemconfig; +} + +// FIXME +// This should be moved to a TDE core library +TQString LDAPConfig::getMachineFQDN() { + struct addrinfo hints, *info, *p; + int gai_result; + + char hostname[1024]; + hostname[1023] = '\0'; + gethostname(hostname, 1023); + + memset(&hints, 0, sizeof hints); + hints.ai_family = AF_UNSPEC; // IPV4 or IPV6 + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_CANONNAME; + + if ((gai_result = getaddrinfo(hostname, NULL, &hints, &info)) != 0) { + return TQString(hostname); + } + TQString fqdn = TQString(hostname); + for (p=info; p!=NULL; p=p->ai_next) { + fqdn = TQString(p->ai_canonname); + } + freeaddrinfo(info); + + return fqdn; +} + +void LDAPConfig::load() { + kgs = new KGlobalSettings(); + + load(false); +} + +void LDAPConfig::load(bool useDefaults ) +{ + int i; + bool thisIsMyMachine; + + //Update the toggle buttons with the current configuration + systemconfig->setReadDefaults( useDefaults ); + + systemconfig->setGroup(NULL); + base->systemEnableSupport->setChecked(systemconfig->readBoolEntry("EnableLDAP", false)); + m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null); + m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400); + if (m_fqdn == systemconfig->readEntry("HostFQDN", "")) { + thisIsMyMachine = true; + } + else { + thisIsMyMachine = false; + } + + m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3); + m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2); + m_bindPolicy = systemconfig->readEntry("ConnectionBindPolicy", "soft"); + m_ldapBindTimeout = systemconfig->readNumEntry("ConnectionBindTimeout", 2); + m_passwordHash = systemconfig->readEntry("ConnectionPasswordHash", "exop"); + m_ignoredUsers = systemconfig->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST); + + // Load realms + m_realms.clear(); + TQStringList cfgRealms = systemconfig->groupList(); + for (TQStringList::Iterator it(cfgRealms.begin()); it != cfgRealms.end(); ++it) { + if ((*it).startsWith("LDAPRealm-")) { + systemconfig->setGroup(*it); + TQString realmName=*it; + realmName.remove(0,strlen("LDAPRealm-")); + if (!m_realms.contains(realmName)) { + // Read in realm data + LDAPRealmConfig realmcfg; + realmcfg.name = realmName; + if (thisIsMyMachine) { + realmcfg.bonded = systemconfig->readBoolEntry("bonded"); + } + else { + realmcfg.bonded = false; + } + realmcfg.uid_offset = systemconfig->readNumEntry("uid_offset"); + realmcfg.gid_offset = systemconfig->readNumEntry("gid_offset"); + realmcfg.domain_mappings = systemconfig->readListEntry("domain_mappings"); + realmcfg.kdc = systemconfig->readEntry("kdc"); + realmcfg.kdc_port = systemconfig->readNumEntry("kdc_port"); + realmcfg.admin_server = systemconfig->readEntry("admin_server"); + realmcfg.admin_server_port = systemconfig->readNumEntry("admin_server_port"); + realmcfg.pkinit_require_eku = systemconfig->readBoolEntry("pkinit_require_eku"); + realmcfg.pkinit_require_krbtgt_otherName = systemconfig->readBoolEntry("pkinit_require_krbtgt_otherName"); + realmcfg.win2k_pkinit = systemconfig->readBoolEntry("win2k_pkinit"); + realmcfg.win2k_pkinit_require_binding = systemconfig->readBoolEntry("win2k_pkinit_require_binding"); + // Add realm to list + m_realms.insert(realmName, realmcfg); + } + } + } + + base->ticketLifetime->setValue(m_ticketLifetime); + + base->ldapVersion->setValue(m_ldapVersion); + base->ldapTimeout->setValue(m_ldapTimeout); + for (i=0; ibindPolicy->count(); i++) { + if (base->bindPolicy->text(i).lower() == m_defaultRealm.lower()) { + base->bindPolicy->setCurrentItem(i); + break; + } + } + base->ldapBindTimeout->setValue(m_ldapBindTimeout); + for (i=0; ipasswordHash->count(); i++) { + if (base->passwordHash->text(i).lower() == m_passwordHash.lower()) { + base->passwordHash->setCurrentItem(i); + break; + } + } + base->ignoredUsers->setText(m_ignoredUsers); + + updateRealmList(); + + processLockouts(); + + emit changed(useDefaults); +} + +void LDAPConfig::updateRealmList() { + base->ldapRealmList->clear(); + base->defaultRealm->clear(); + LDAPRealmConfigList::Iterator it; + for (it = m_realms.begin(); it != m_realms.end(); ++it) { + LDAPRealmConfig realmcfg = it.data(); + (void)new TQListViewItem(base->ldapRealmList, ((realmcfg.bonded)?i18n("Bonded"):i18n("Deactivated")), realmcfg.name); + base->defaultRealm->insertItem(realmcfg.name); + } + if (m_defaultRealm != "") { + for (int i=0; idefaultRealm->count(); i++) { + if (base->defaultRealm->text(i) == m_defaultRealm) { + base->defaultRealm->setCurrentItem(i); + break; + } + } + } + processLockouts(); +} + +void LDAPConfig::defaults() { + +} + +void LDAPConfig::save() { + // Write system configuration + systemconfig->setGroup(NULL); + systemconfig->writeEntry("EnableLDAP", base->systemEnableSupport->isChecked()); + systemconfig->writeEntry("HostFQDN", m_fqdn); + m_defaultRealm = base->defaultRealm->currentText(); + m_ticketLifetime = base->ticketLifetime->value(); + + m_ldapVersion = base->ldapVersion->value(); + m_ldapTimeout = base->ldapTimeout->value(); + m_bindPolicy = base->bindPolicy->currentText(); + m_ldapBindTimeout = base->ldapBindTimeout->value(); + m_passwordHash = base->passwordHash->currentText(); + m_ignoredUsers = base->ignoredUsers->text(); + + if (m_defaultRealm != "") { + systemconfig->writeEntry("DefaultRealm", m_defaultRealm); + } + else { + systemconfig->deleteEntry("DefaultRealm"); + } + systemconfig->writeEntry("TicketLifetime", m_ticketLifetime); + + systemconfig->writeEntry("ConnectionLDAPVersion", m_ldapVersion); + systemconfig->writeEntry("ConnectionLDAPTimeout", m_ldapTimeout); + systemconfig->writeEntry("ConnectionBindPolicy", m_bindPolicy); + systemconfig->writeEntry("ConnectionBindTimeout", m_ldapBindTimeout); + systemconfig->writeEntry("ConnectionPasswordHash", m_passwordHash); + systemconfig->writeEntry("ConnectionIgnoredUsers", m_ignoredUsers); + + LDAPManager::writeTDERealmList(m_realms, systemconfig); + systemconfig->sync(); + + if (base->systemEnableSupport->isChecked()) { + // Write the Kerberos5 configuration file + writeKrb5ConfFile(); + // Write the LDAP configuration file + writeLDAPConfFile(); + // Write the NSSwitch configuration file + writeNSSwitchFile(); + // Write the PAM configuration files + writePAMFiles(); + // Write the cron files + writeCronFiles(); + // RAJA FIXME + // Update the SUDOERS file with the domain-wide computer local admin group! + } + + load(); +} + +void LDAPConfig::processLockouts() { + bool panelIsEnabled = (base->systemEnableSupport->isEnabled() && base->systemEnableSupport->isChecked()); + + base->groupRealms->setEnabled(panelIsEnabled); + base->groupKrbDefaults->setEnabled(panelIsEnabled); + base->groupConnectionParameters->setEnabled(panelIsEnabled); + + TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); + if (selrealm) { + LDAPRealmConfig realmcfg = m_realms[selrealm->text(1)]; + base->btnBondRealm->setEnabled(true); + base->btnReBondRealm->setEnabled(true); + if (realmcfg.bonded) { + base->btnDeactivateRealm->setEnabled(true); + base->btnRemoveRealm->setEnabled(false); + base->btnRealmProperties->setEnabled(false); + } + else { + base->btnDeactivateRealm->setEnabled(false); + base->btnRemoveRealm->setEnabled(true); + base->btnRealmProperties->setEnabled(true); + } + } + else { + base->btnBondRealm->setEnabled(true); + base->btnReBondRealm->setEnabled(false); + base->btnDeactivateRealm->setEnabled(false); + base->btnRemoveRealm->setEnabled(false); + base->btnRealmProperties->setEnabled(false); + } +} + +void LDAPConfig::bondToNewRealm() { + // Something will probably change + save(); + + BondWizard bondwizard(&m_realms, this, this); + bondwizard.exec(); + + // Something probably changed + load(); +} + +void LDAPConfig::reBondToRealm() { + TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); + if (selrealm) { + TQString realmName = selrealm->text(1); + LDAPRealmConfig realmcfg = m_realms[realmName]; + + // Password prompt... + TQString errorString; + LDAPPasswordDialog passdlg(this); + passdlg.m_base->ldapAdminRealm->setEnabled(false); + passdlg.m_base->ldapAdminRealm->setText(realmName); + if (passdlg.exec() == TQDialog::Accepted) { + setEnabled(false); + if (bondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) { + // Success! + realmcfg.bonded = true; + m_realms.remove(realmName); + m_realms.insert(realmName, realmcfg); + save(); + } + else { + KMessageBox::error(this, i18n("Unable to bond to realm!

Details: %1").arg(errorString), i18n("Unable to Bond to Realm")); + } + setEnabled(true); + } + } + updateRealmList(); +} + +void LDAPConfig::removeRealm() { + TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); + if (selrealm) { + m_realms.remove(selrealm->text(1)); + updateRealmList(); + changed(); + } +} + +void LDAPConfig::deactivateRealm() { + TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); + if (selrealm) { + TQString realmName = selrealm->text(1); + LDAPRealmConfig realmcfg = m_realms[realmName]; + if (realmcfg.bonded == true) { + // Password prompt... + TQString errorString; + LDAPPasswordDialog passdlg(this); + passdlg.m_base->ldapAdminRealm->setEnabled(false); + passdlg.m_base->ldapAdminRealm->setText(realmName); + passdlg.m_base->passprompt->setText(i18n("Please provide LDAP realm administrator credentials below to complete the unbonding process")); + if (passdlg.exec() == TQDialog::Accepted) { + setEnabled(false); + if (unbondRealm(m_realms[realmName], passdlg.m_base->ldapAdminUsername->text(), passdlg.m_base->ldapAdminPassword->password(), passdlg.m_base->ldapAdminRealm->text(), &errorString) == 0) { + // Success! + realmcfg.bonded = false; + m_realms.remove(realmName); + m_realms.insert(realmName, realmcfg); + save(); + } + else { + KMessageBox::error(this, i18n("Unable to unbond from realm!

%1").arg(errorString), i18n("Unable to Unbond from Realm")); + } + setEnabled(true); + } + } + } + updateRealmList(); +} + +TQString readFullLineFromPtyProcess(PtyProcess* proc) { + TQString result = ""; + while ((!result.contains("\n")) && (!result.contains(":")) && (!result.contains(">"))) { + result = result + TQString(proc->readLine(false)); + tqApp->processEvents(); + } + return result; +} + +int LDAPConfig::bondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) { + TQCString command = "kadmin"; + QCStringList args; + args << TQCString("-p") << TQCString(adminUserName+"@"+(adminRealm.upper())) << TQCString("-r") << TQCString(adminRealm.upper()); + + TQString hoststring = "host/"+m_fqdn; + + TQString prompt; + PtyProcess kadminProc; + kadminProc.exec(command, args); + prompt = kadminProc.readLine(true); + prompt = prompt.stripWhiteSpace(); + if (prompt == "kadmin>") { + kadminProc.writeLine(TQCString("ext "+hoststring), true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = readFullLineFromPtyProcess(&kadminProc); + prompt = prompt.stripWhiteSpace(); + if (prompt.endsWith(" Password:")) { + kadminProc.writeLine(adminPassword, true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = kadminProc.readLine(true); + prompt = prompt.stripWhiteSpace(); + } + if (prompt.contains("authentication failed")) { + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + else if (prompt.endsWith("Principal does not exist")) { + kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = readFullLineFromPtyProcess(&kadminProc); + prompt = prompt.stripWhiteSpace(); + // Use all defaults + while (prompt != "kadmin>") { + if (prompt.endsWith(" Password:")) { + kadminProc.writeLine(adminPassword, true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = kadminProc.readLine(true); + prompt = prompt.stripWhiteSpace(); + } + if (prompt.contains("authentication failed")) { + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + else { + // Extract whatever default is in the [brackets] and feed it back to kadmin + TQString defaultParam; + int leftbracket = prompt.find("["); + int rightbracket = prompt.find("]"); + if ((leftbracket >= 0) && (rightbracket >= 0)) { + leftbracket++; + defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket); + } + kadminProc.writeLine(TQCString(defaultParam), true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = kadminProc.readLine(true); + prompt = prompt.stripWhiteSpace(); + } + } + kadminProc.writeLine(TQCString("ext "+hoststring), true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = readFullLineFromPtyProcess(&kadminProc); + prompt = prompt.stripWhiteSpace(); + if (prompt != "kadmin>") { + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + + // Success! + kadminProc.writeLine("quit", true); + return 0; + } + else if (prompt == "kadmin>") { + // Success! + kadminProc.writeLine("quit", true); + return 0; + } + + // Failure + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + + if (errstr) *errstr = "Internal error. Verify that kadmin exists and can be executed."; + return 1; // Failure +} + +int LDAPConfig::unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr) { + TQCString command = "kadmin"; + QCStringList args; + args << TQCString("-p") << TQCString(adminUserName+"@"+(adminRealm.upper())); + + TQString hoststring = "host/"+m_fqdn; + + TQString prompt; + PtyProcess kadminProc; + kadminProc.exec(command, args); + prompt = kadminProc.readLine(true); + prompt = prompt.stripWhiteSpace(); + if (prompt == "kadmin>") { + kadminProc.writeLine(TQCString("delete "+hoststring), true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = readFullLineFromPtyProcess(&kadminProc); + prompt = prompt.stripWhiteSpace(); + if (prompt.endsWith(" Password:")) { + kadminProc.writeLine(adminPassword, true); + prompt = kadminProc.readLine(true); // Discard our own input + prompt = kadminProc.readLine(true); + prompt = prompt.stripWhiteSpace(); + } + if (prompt != "kadmin>") { + if (errstr) *errstr = prompt; + kadminProc.writeLine("quit", true); + return 1; + } + + // Success! + kadminProc.writeLine("quit", true); + return 0; + } + + return 1; // Failure +} + +void LDAPConfig::realmProperties() { + TQListViewItem *selrealm = base->ldapRealmList->selectedItem(); + if (selrealm) { + RealmPropertiesDialog rpdialog(&m_realms, selrealm->text(1), this); + if (rpdialog.exec() == TQDialog::Accepted) { + updateRealmList(); + changed(); + } + } +} + +void LDAPConfig::writeKrb5ConfFile() { + TQFile file(KRB5_FILE); + if (file.open(IO_WriteOnly)) { + TQTextStream stream( &file ); + + stream << "# This file was automatically generated by TDE\n"; + stream << "# All changes will be lost!\n"; + stream << "\n"; + + // Defaults + stream << "[libdefaults]\n"; + stream << " ticket_lifetime = " << m_ticketLifetime << "\n"; + if (m_defaultRealm != "") { + stream << " default_realm = " << m_defaultRealm << "\n"; + } + stream << "\n"; + + // Realms + stream << "[realms]\n"; + LDAPRealmConfigList::Iterator it; + for (it = m_realms.begin(); it != m_realms.end(); ++it) { + LDAPRealmConfig realmcfg = it.data(); + stream << " " << realmcfg.name << " = {\n"; + stream << " kdc = " << realmcfg.kdc << ":" << realmcfg.kdc_port << "\n"; + stream << " admin_server = " << realmcfg.admin_server << ":" << realmcfg.admin_server_port << "\n"; + stream << " pkinit_require_eku = " << (realmcfg.pkinit_require_eku?"true":"false") << "\n"; + stream << " pkinit_require_krbtgt_otherName = " << (realmcfg.pkinit_require_krbtgt_otherName?"true":"false") << "\n"; + stream << " win2k_pkinit = " << (realmcfg.win2k_pkinit?"yes":"no") << "\n"; + stream << " win2k_pkinit_require_binding = " << (realmcfg.win2k_pkinit_require_binding?"yes":"no") << "\n"; + stream << " }\n"; + } + stream << "\n"; + + // Domain aliases + stream << "[domain_realm]\n"; + LDAPRealmConfigList::Iterator it2; + for (it2 = m_realms.begin(); it2 != m_realms.end(); ++it2) { + LDAPRealmConfig realmcfg = it2.data(); + TQStringList domains = realmcfg.domain_mappings; + for (TQStringList::Iterator it3 = domains.begin(); it3 != domains.end(); ++it3 ) { + stream << " " << *it3 << " = " << realmcfg.name << "\n"; + } + } + + file.close(); + } +} + +void LDAPConfig::writeLDAPConfFile() { + LDAPManager::writeLDAPConfFile(m_realms[m_defaultRealm]); +} + +void LDAPConfig::writeNSSwitchFile() { + TQFile file(NSSWITCH_FILE); + if (file.open(IO_WriteOnly)) { + TQTextStream stream( &file ); + + stream << "# This file was automatically generated by TDE\n"; + stream << "# All changes will be lost!\n"; + stream << "\n"; + stream << "passwd: files ldap [NOTFOUND=return] db" << "\n"; + stream << "group: files ldap [NOTFOUND=return] db" << "\n"; + stream << "shadow: files ldap [NOTFOUND=return] db" << "\n"; + stream << "\n"; + stream << "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4" << "\n"; + stream << "networks: files" << "\n"; + stream << "\n"; + stream << "protocols: db files" << "\n"; + stream << "services: db files" << "\n"; + stream << "ethers: db files" << "\n"; + stream << "rpc: db files" << "\n"; + stream << "\n"; + stream << "netgroup: nis" << "\n"; + + file.close(); + } +} + +void LDAPConfig::writePAMFiles() { + TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT); + if (file.open(IO_WriteOnly)) { + TQTextStream stream( &file ); + + stream << "# This file was automatically generated by TDE\n"; + stream << "# All changes will be lost!\n"; + stream << "\n"; + stream << "account sufficient pam_unix.so nullok_secure" << "\n"; + stream << "account sufficient pam_ldap.so" << "\n"; + stream << "account required pam_permit.so" << "\n"; + + file.close(); + } + + TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH); + if (file2.open(IO_WriteOnly)) { + TQTextStream stream( &file2 ); + + stream << "# This file was automatically generated by TDE\n"; + stream << "# All changes will be lost!\n"; + stream << "\n"; + stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n"; + stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n"; + stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n"; + stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n"; + stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n"; + stream << "auth required pam_deny.so" << "\n"; + + file2.close(); + } +} + +void LDAPConfig::writeCronFiles() { + TQFile file(CRON_UPDATE_NSS_FILE); + if (file.open(IO_WriteOnly)) { + TQTextStream stream( &file ); + + stream << "# This file was automatically generated by TDE\n"; + stream << "# All changes will be lost!\n"; + stream << "\n"; + stream << "#!/bin/sh" << "\n"; + stream << "/usr/sbin/nss_updatedb ldap" << "\n"; + + file.close(); + } +} + +int LDAPConfig::buttons() { + return KCModule::Apply|KCModule::Help; +} + +TQString LDAPConfig::quickHelp() const +{ + return i18n("This module configures which LDAP realms TDE uses for authentication."); +} diff --git a/src/ldapbonding.h b/src/ldapbonding.h new file mode 100644 index 0000000..ac7979a --- /dev/null +++ b/src/ldapbonding.h @@ -0,0 +1,98 @@ +/*************************************************************************** + * Copyright (C) 2012 by Timothy Pearson * + * kb9vqf@pearsoncomputing.net * + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + * * + * This program is distributed in the hope that it will be useful, * + * but WITHOUT ANY WARRANTY; without even the implied warranty of * + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * + * GNU General Public License for more details. * + * * + * You should have received a copy of the GNU General Public License * + * along with this program; if not, write to the * + * Free Software Foundation, Inc., * + * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + ***************************************************************************/ + +#ifndef _KCMLDAP_H_ +#define _KCMLDAP_H_ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include "ldapconfigbase.h" + +#ifdef HAVE_CONFIG_H +#include +#endif + +class LDAPConfig: public KCModule +{ + Q_OBJECT + + public: + LDAPConfig( TQWidget *parent=0, const char *name=0, const TQStringList& = TQStringList() ); + ~LDAPConfig(); + + virtual void load(); + virtual void load( bool useDefaults); + virtual void save(); + virtual void defaults(); + virtual int buttons(); + virtual TQString quickHelp() const; + virtual const KAboutData *aboutData() const { return myAboutData; }; + + int bondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0); + int unbondRealm(LDAPRealmConfig realmcfg, TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0); + + // FIXME + // This should be moved to a TDE core library + TQString getMachineFQDN(); + + private slots: + void processLockouts(); + void bondToNewRealm(); + void reBondToRealm(); + void removeRealm(); + void deactivateRealm(); + void realmProperties(); + + private: + void updateRealmList(); + void writeKrb5ConfFile(); + void writeLDAPConfFile(); + void writeNSSwitchFile(); + void writePAMFiles(); + void writeCronFiles(); + + private: + KAboutData *myAboutData; + KGlobalSettings *kgs; + LDAPConfigBase *base; + LDAPRealmConfigList m_realms; + TQString m_fqdn; + TQString m_defaultRealm; + int m_ticketLifetime; + + int m_ldapVersion; + int m_ldapTimeout; + TQString m_bindPolicy; + int m_ldapBindTimeout; + TQString m_passwordHash; + TQString m_ignoredUsers; +}; + +#endif // _KCMLDAP_H_ diff --git a/src/realmpropertiesdialog.h b/src/realmpropertiesdialog.h index c696cf0..00d9d0d 100644 --- a/src/realmpropertiesdialog.h +++ b/src/realmpropertiesdialog.h @@ -23,7 +23,7 @@ #include -#include "ldap.h" +#include "ldapbonding.h" #include "bondrealmpage.h" class RealmPropertiesDialog : public KDialogBase -- cgit v1.2.1