New realm now functions almost fully

author: Timothy Pearson <kb9vqf@pearsoncomputing.net> 2012-06-04 02:43:34 -0500
committer: Timothy Pearson <kb9vqf@pearsoncomputing.net> 2012-06-04 02:43:34 -0500
commit: ffa65c885b78a8d783f9e8cd51cf7c0b751207f9 (patch)
tree: 5265da262e38753ddad75c7b9a98fb9119dd9215 /src/ldapcontroller.cpp
parent: c39d52d4c9425c45394105bebdd6f2fac29569ee (diff)
download: kcmldapcontroller-ffa65c885b78a8d783f9e8cd51cf7c0b751207f9.tar.gz
kcmldapcontroller-ffa65c885b78a8d783f9e8cd51cf7c0b751207f9.zip
1 files changed, 389 insertions, 13 deletions
diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp
index 3f553be..3d679a0 100644
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@@ -21,6 +21,7 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netdb.h>
+#include <pwd.h>
 
 #include <tqlayout.h>
 
@@ -54,6 +55,15 @@
 // FIXME
 // Connect this to CMake/Automake
 #define KDE_CONFDIR "/etc/trinity"
+#define LDAP_KEYTAB_FILE "/etc/ldap/ldap.keytab"
+
+// FIXME
+// This assumes Debian!
+// RedHat would be "/etc/sysconfig/ldap"
+#define LDAP_DEFAULT_FILE "/etc/default/slapd"
+#define HEIMDAL_DEFAULT_FILE "/etc/default/heimdal-kdc"
+#define SASL_DEFAULT_FILE "/etc/default/saslauthd"
+#define SASL_CONTROL_FILE "/etc/ldap/sasl2/slapd.conf"
 
 #define ROLE_WORKSTATION 0
 #define ROLE_REALM_CONTROLLER 1
@@ -93,6 +103,11 @@ LDAPController::LDAPController(TQWidget *parent, const char *name, const TQStrin
 
 	m_fqdn = getMachineFQDN();
 
+	// FIXME
+	// This assumes Debian!
+	m_ldapUserName = "openldap";
+	m_ldapGroupName = "openldap";
+
 	load();
 
 	if (getuid() != 0 || !m_systemconfig->checkConfigFilesWritable( true )) {
@@ -230,7 +245,7 @@ void LDAPController::save() {
 	load();
 }
 
-void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, int ldifSchemaNumber=-1, uid_t userid=-1, gid_t groupid=-1) {
+void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, int ldifSchemaNumber=-1, uid_t userid=-1, gid_t groupid=-1, TQString ldapusername=TQString::null, TQString ldapgroupname=TQString::null) {
 	SHA1 sha;
 	sha.process(rootPassword, strlen(rootPassword));
 	TQString rootpw_hash = sha.base64Hash();
@@ -280,6 +295,9 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
 				line.replace("@@@REALM_SIMPLE_CP_NAME@@@", simpledcnamecap);
 				line.replace("@@@REALM_SIMPLE_LC_NAME@@@", simpledcname.lower());
 				line.replace("@@@TIMESTAMP@@@", timestamp);
+				line.replace("@@@LDAP_KEYTAB_FILE@@@", LDAP_KEYTAB_FILE);
+				line.replace("@@@LDAP_USER_NAME@@@", ldapusername);
+				line.replace("@@@LDAP_GROUP_NAME@@@", ldapgroupname);
 				if (ldifSchemaNumber >= 0) {
 					line.replace("@@@LDIFSCHEMANUMBER@@@", TQString("%1").arg(ldifSchemaNumber));
 				}
@@ -294,18 +312,38 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
 			}
 		}
 		else {
-			KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(infile), i18n("Internal Failure"));
+			//KMessageBox::error(0, i18n("<qt>Unable to open output schema file %1 for writing</qt>").arg(outfile), i18n("Internal Failure"));
+			printf("[INTERNAL FAILURE] Unable to open output schema file %s for writing\n\r", outfile.ascii()); fflush(stdout);
 		}
 	}
 	else {
-		KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
+		//KMessageBox::error(0, i18n("<qt>Unable to open template schema file %1</qt>").arg(infile), i18n("Internal Failure"));
+		printf("[INTERNAL FAILURE] Unable to open template schema file %s\n\r", infile.ascii()); fflush(stdout);
 	}
 
 	// Keep UI responsive
 	tqApp->processEvents();
 }
 
-int LDAPController::controlHeimdalServer(sc_command command) {
+int LDAPController::controlSASLServer(sc_command command) {
+	if (command == SC_START) {
+		// FIXME
+		// This assumes Debian!
+		return system("/etc/init.d/saslauthd start");
+	}
+	if (command == SC_STOP) {
+		// FIXME
+		// This assumes Debian!
+		return system("/etc/init.d/saslauthd stop");
+	}
+	if (command == SC_RESTART) {
+		// FIXME
+		// This assumes Debian!
+		return system("/etc/init.d/saslauthd restart");
+	}
+}
+
+int LDAPController::controlHeimdalServer(sc_command command, uid_t userid, gid_t groupid) {
 	if (command == SC_START) {
 		// FIXME
 		// This assumes Debian!
@@ -321,6 +359,22 @@ int LDAPController::controlHeimdalServer(sc_command command) {
 		// This assumes Debian!
 		return system("/etc/init.d/heimdal-kdc restart");
 	}
+	if (command == SC_PURGE) {
+		controlHeimdalServer(SC_STOP);
+		system("rm -f " + TQString(LDAP_KEYTAB_FILE));
+		// FIXME
+		// This assumes Debian
+		system("rm -f /etc/krb5.keytab");
+		system("rm -rf /var/lib/heimdal-kdc/*");
+	}
+	if (command == SC_SETDBPERMS) {
+		if ((userid > 0) && (groupid > 0)) {
+			TQString command;
+			command = TQString("chgrp %1 " + TQString(LDAP_KEYTAB_FILE)).arg(groupid);
+			system(command.ascii());
+			chmod(LDAP_KEYTAB_FILE, S_IRUSR|S_IWUSR|S_IRGRP);
+		}
+	}
 }
 
 int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t groupid) {
@@ -344,7 +398,7 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
 		// FIXME
 		// This assumes Debian!
 		system("rm -rf /var/lib/ldap/*");
-		system("rm -rf /etc/ldap/slapd.d/cn=config/cn=schema/*");
+		system("rm -rf /etc/ldap/slapd.d/*");
 	}
 	if (command == SC_SETDBPERMS) {
 		if ((userid > 0) && (groupid > 0)) {
@@ -355,6 +409,10 @@ int LDAPController::controlLDAPServer(sc_command command, uid_t userid, gid_t gr
 			system(command.ascii());
 			command = TQString("chgrp -R %1 /var/lib/ldap/*").arg(groupid);
 			system(command.ascii());
+			command = TQString("chown -R %1 /etc/ldap/slapd.d/*").arg(userid);
+			system(command.ascii());
+			command = TQString("chgrp -R %1 /etc/ldap/slapd.d/*").arg(groupid);
+			system(command.ascii());
 		}
 	}
 	return -2;
@@ -421,6 +479,225 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err
 	return 1;	// Failure
 }
 
+int LDAPController::addHostEntryToKerberosRealm(TQString kerberosHost, TQString *errstr) {
+	TQCString command = "kadmin";
+	QCStringList args;
+	args << TQCString("-l");
+
+	TQString hoststring = "host/"+kerberosHost;
+
+	TQString prompt;
+	PtyProcess kadminProc;
+	kadminProc.exec(command, args);
+	prompt = kadminProc.readLine(true);
+	prompt = prompt.stripWhiteSpace();
+	if (prompt == "kadmin>") {
+		kadminProc.writeLine(TQCString("ext "+hoststring), true);
+		prompt = kadminProc.readLine(true);	// Discard our own input
+		prompt = readFullLineFromPtyProcess(&kadminProc);
+		prompt = prompt.stripWhiteSpace();
+		if (prompt.contains("authentication failed")) {
+			if (errstr) *errstr = prompt;
+			kadminProc.writeLine("quit", true);
+			return 1;
+		}
+		else if (prompt.endsWith("Principal does not exist")) {
+			kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true);
+			prompt = kadminProc.readLine(true);	// Discard our own input
+			prompt = readFullLineFromPtyProcess(&kadminProc);
+			prompt = prompt.stripWhiteSpace();
+			// Use all defaults
+			while (prompt != "kadmin>") {
+				if (prompt.contains("authentication failed")) {
+					if (errstr) *errstr = prompt;
+					kadminProc.writeLine("quit", true);
+					return 1;
+				}
+				else {
+					// Extract whatever default is in the [brackets] and feed it back to kadmin
+					TQString defaultParam;
+					int leftbracket = prompt.find("[");
+					int rightbracket = prompt.find("]");
+					if ((leftbracket >= 0) && (rightbracket >= 0)) {
+						leftbracket++;
+						defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket);
+					}
+					kadminProc.writeLine(TQCString(defaultParam), true);
+					prompt = kadminProc.readLine(true);	// Discard our own input
+					prompt = kadminProc.readLine(true);
+					prompt = prompt.stripWhiteSpace();
+				}
+			}
+			kadminProc.writeLine(TQCString("ext "+hoststring), true);
+			prompt = kadminProc.readLine(true);	// Discard our own input
+			prompt = readFullLineFromPtyProcess(&kadminProc);
+			prompt = prompt.stripWhiteSpace();
+			if (prompt != "kadmin>") {
+				if (errstr) *errstr = prompt;
+				kadminProc.writeLine("quit", true);
+				return 1;
+			}
+
+			// Success!
+			kadminProc.writeLine("quit", true);
+			return 0;
+		}
+		else if (prompt == "kadmin>") {
+			// Success!
+			kadminProc.writeLine("quit", true);
+			return 0;
+		}
+
+		// Failure
+		if (errstr) *errstr = prompt;
+		kadminProc.writeLine("quit", true);
+		return 1;
+	}
+
+	if (errstr) *errstr = "Internal error.  Verify that kadmin exists and can be executed.";
+	return 1;	// Failure
+}
+
+int LDAPController::addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, TQString ldapHost, TQString *errstr) {
+	TQCString command = "kadmin";
+	QCStringList args;
+	args << TQCString("-l");
+
+	TQString hoststring = ldapProcessOwnerName+"/"+ldapHost;
+
+	TQString prompt;
+	PtyProcess kadminProc;
+	kadminProc.exec(command, args);
+	prompt = kadminProc.readLine(true);
+	prompt = prompt.stripWhiteSpace();
+	if (prompt == "kadmin>") {
+		kadminProc.writeLine(TQCString("ext --keytab="+TQString(LDAP_KEYTAB_FILE)+" "+hoststring), true);
+		prompt = kadminProc.readLine(true);	// Discard our own input
+		prompt = readFullLineFromPtyProcess(&kadminProc);
+		prompt = prompt.stripWhiteSpace();
+		if (prompt.contains("authentication failed")) {
+			if (errstr) *errstr = prompt;
+			kadminProc.writeLine("quit", true);
+			return 1;
+		}
+		else if (prompt.endsWith("Principal does not exist")) {
+			kadminProc.writeLine(TQCString("ank --random-key "+hoststring), true);
+			prompt = kadminProc.readLine(true);	// Discard our own input
+			prompt = readFullLineFromPtyProcess(&kadminProc);
+			prompt = prompt.stripWhiteSpace();
+			// Use all defaults
+			while (prompt != "kadmin>") {
+				if (prompt.contains("authentication failed")) {
+					if (errstr) *errstr = prompt;
+					kadminProc.writeLine("quit", true);
+					return 1;
+				}
+				else {
+					// Extract whatever default is in the [brackets] and feed it back to kadmin
+					TQString defaultParam;
+					int leftbracket = prompt.find("[");
+					int rightbracket = prompt.find("]");
+					if ((leftbracket >= 0) && (rightbracket >= 0)) {
+						leftbracket++;
+						defaultParam = prompt.mid(leftbracket, rightbracket-leftbracket);
+					}
+					kadminProc.writeLine(TQCString(defaultParam), true);
+					prompt = kadminProc.readLine(true);	// Discard our own input
+					prompt = kadminProc.readLine(true);
+					prompt = prompt.stripWhiteSpace();
+				}
+			}
+			kadminProc.writeLine(TQCString("ext --keytab="+TQString(LDAP_KEYTAB_FILE)+" "+hoststring), true);
+			prompt = kadminProc.readLine(true);	// Discard our own input
+			prompt = readFullLineFromPtyProcess(&kadminProc);
+			prompt = prompt.stripWhiteSpace();
+			if (prompt != "kadmin>") {
+				if (errstr) *errstr = prompt;
+				kadminProc.writeLine("quit", true);
+				return 1;
+			}
+
+			// Success!
+			kadminProc.writeLine("quit", true);
+			return 0;
+		}
+		else if (prompt == "kadmin>") {
+			// Success!
+			kadminProc.writeLine("quit", true);
+			return 0;
+		}
+
+		// Failure
+		if (errstr) *errstr = prompt;
+		kadminProc.writeLine("quit", true);
+		return 1;
+	}
+
+	if (errstr) *errstr = "Internal error.  Verify that kadmin exists and can be executed.";
+	return 1;	// Failure
+}
+
+int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr) {
+	if (user.password == "") {
+		return 0;
+	}
+
+	TQCString command = "kadmin";
+	QCStringList args;
+	args << TQCString("-l") << TQCString("-r") << TQCString(user.realm.upper());
+
+	TQString prompt;
+	PtyProcess kadminProc;
+	kadminProc.exec(command, args);
+	prompt = kadminProc.readLine(true);
+	prompt = prompt.stripWhiteSpace();
+	if (prompt == "kadmin>") {
+		kadminProc.writeLine(TQCString("passwd "+user.username), true);
+		prompt = kadminProc.readLine(true);	// Discard our own input
+		prompt = readFullLineFromPtyProcess(&kadminProc);
+		prompt = prompt.stripWhiteSpace();
+		if (prompt.contains("authentication failed")) {
+			if (errstr) *errstr = prompt;
+			kadminProc.writeLine("quit", true);
+			return 1;
+		}
+		else if ((prompt.endsWith(" Password:")) && (prompt.startsWith(TQString(user.username + "@")))) {
+			kadminProc.writeLine(user.password, true);
+			prompt = kadminProc.readLine(true);	// Discard our own input
+			prompt = kadminProc.readLine(true);
+			prompt = prompt.stripWhiteSpace();
+			if ((prompt.endsWith(" Password:")) && (prompt.startsWith("Verify"))) {
+				kadminProc.writeLine(user.password, true);
+				prompt = kadminProc.readLine(true);	// Discard our own input
+				prompt = kadminProc.readLine(true);
+				prompt = prompt.stripWhiteSpace();
+			}
+			if (prompt != "kadmin>") {
+				if (errstr) *errstr = prompt;
+				kadminProc.writeLine("quit", true);
+				return 1;
+			}
+
+			// Success!
+			kadminProc.writeLine("quit", true);
+			return 0;
+		}
+		else if (prompt == "kadmin>") {
+			// Success!
+			kadminProc.writeLine("quit", true);
+			return 0;
+		}
+
+		// Failure
+		if (errstr) *errstr = prompt;
+		kadminProc.writeLine("quit", true);
+		return 1;
+	}
+
+	if (errstr) *errstr = "Internal error.  Verify that kadmin exists and can be executed.";
+	return 1;	// Failure
+}
+
 int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr) {
 	int ldifSchemaNumber;
 
@@ -449,6 +726,12 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME
 
 	pdialog.setStatusMessage(i18n("Stopping servers..."));
 
+	// Stop SASL
+	if (controlSASLServer(SC_STOP) != 0) {
+		if (errstr) *errstr = i18n("Unable to stop SASL server");
+		pdialog.closeDialog();
+		return -1;
+	}
 	// Stop Heimdal
 	if (controlHeimdalServer(SC_STOP) != 0) {
 		if (errstr) *errstr = i18n("Unable to stop Kerberos server");
@@ -464,6 +747,7 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME
 
 	pdialog.setStatusMessage(i18n("Purging existing LDAP database..."));
 	tqApp->processEvents();
+	controlHeimdalServer(SC_PURGE);
 	controlLDAPServer(SC_PURGE);
 
 	pdialog.setStatusMessage(i18n("Installing new LDAP schema..."));
@@ -475,24 +759,60 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME
 	mkdir(TQString(destDir + "ldap/slapd.d/cn=config").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
 	mkdir(TQString(destDir + "ldap/slapd.d/cn=config/cn=schema").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
 
-	replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", destDir + "heimdal.defaults", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+	// Heimdal
+	replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", HEIMDAL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
 	replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", destDir + "heimdal-kdc/kadmind.acl", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
 	replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
 	replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
 
+// RAJA DEBUG
+// 	if (system("kstash --random-key") != 0) {
+// 		if (errstr) *errstr = i18n("Unable to create Kerberos foundational key");
+// 		pdialog.closeDialog();
+// 		return -1;
+// 	}
+
+	// OpenLDAP
 	replacePlaceholdersInFile(templateDir + "openldap/skel.ldif", configTempDir.name() + "skel.ldif", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
 // 	replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.conf", destDir + "ldap/slapd.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
-	replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.defaults", destDir + "ldap/slapd.defaults", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.defaults", LDAP_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, -1, -1, m_ldapUserName, m_ldapGroupName);
+
+	// SASL
+	replacePlaceholdersInFile(templateDir + "sasl/saslauthd.defaults", SASL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+
+	// FIXME
+	// This assumes Debian!
+	// Grant LDAP access to SASL mux pipe
+	system("dpkg-statoverride --remove --quiet /var/run/saslauthd");
+	system(TQString("dpkg-statoverride --add root %1 710 /var/run/saslauthd").arg(m_ldapGroupName).ascii());
+
+	// FIXME
+	// This assumes Debian!
+	system("ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl");
+	system("ln -s /etc/heimdal-kdc/kdc.conf /var/lib/heimdal-kdc/kdc.conf");
 
 	struct stat sb;
 	uid_t slapd_uid = 0;
 	gid_t slapd_gid = 0;
-	if (stat(destDir + "ldap/slapd.d/cn=config/cn=schema", &sb) == 0) {
-		slapd_uid = sb.st_uid;
-		slapd_gid = sb.st_gid;
-	}
+
+	// Get LDAP user uid/gid
+	struct passwd *pwd;
+	pwd = getpwnam(m_ldapUserName);
+	slapd_uid = pwd->pw_uid;
+	slapd_gid = pwd->pw_gid;
+
+// RAJA FIXME
+// SECURITY
+// The ldapi:/// socket in /var/run/ldap is world readable/writable
+// This means anyone with access to the server running LDAP can dump the KRB5 keys!!!!
 
 	// Base database configuration
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/config.ldif", destDir + "ldap/slapd.d/" + TQString("cn=config.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/schema.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("cn=schema.ldif"), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, -1, slapd_uid, slapd_gid);
+	ldifSchemaNumber = 0;
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/olcConfig.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}config.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/moduleConfig.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("cn=module{%1}.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 1;
 	replacePlaceholdersInFile(templateDir + "openldap/ldif/olcDatabase.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 
@@ -565,11 +885,31 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME
 
 	TQString errorstring;
 	if (initializeNewKerberosRealm(realmconfig.name.upper(), &errorstring) != 0) {
-		if (errstr) *errstr = i18n("Unable to initialize Kerberos database<p>").append(errorstring);
+		if (errstr) *errstr = i18n("Unable to initialize Kerberos database").append(errorstring);
 		pdialog.closeDialog();
 		return -1;
 	}
 
+	if (addHostEntryToKerberosRealm(realmconfig.kdc, &errorstring) != 0) {
+		if (errstr) *errstr = i18n("Unable to add KDC server entry to Kerberos database").arg(m_ldapUserName).append(errorstring);
+		pdialog.closeDialog();
+		return -1;
+	}
+
+	if (addLDAPEntryToKerberosRealm(m_ldapUserName, realmconfig.admin_server, &errorstring) != 0) {
+		if (errstr) *errstr = i18n("Unable to add %1 entry to Kerberos database").arg(m_ldapUserName).append(errorstring);
+		pdialog.closeDialog();
+		return -1;
+	}
+
+	if (addLDAPEntryToKerberosRealm("ldap", realmconfig.admin_server, &errorstring) != 0) {
+		if (errstr) *errstr = i18n("Unable to add LDAP entry to Kerberos database").append(errorstring);
+		pdialog.closeDialog();
+		return -1;
+	}
+
+	controlHeimdalServer(SC_SETDBPERMS, slapd_uid, slapd_gid);
+
 	// Move all those new Heimdal entries to the correct tree/branch
 	TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower());
 	TQString basedcname = "dc=" + domainChunks.join(",dc=");
@@ -588,6 +928,20 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME
 	delete ldap_mgr;
 	delete credentials;
 
+	// Set @@@ADMINUSER@@@ password in kadmin
+	LDAPCredentials adminuser;
+	adminuser.username = adminUserName;
+	adminuser.password = adminPassword;
+	adminuser.realm = realmconfig.name.upper();
+	if (setKerberosPasswordForUser(adminuser, &errorstring) != 0) {
+		if (errstr) *errstr = i18n("Unable to set user password in Kerberos database").append(errorstring);
+		pdialog.closeDialog();
+		return -1;
+	}
+
+	pdialog.setStatusMessage(i18n("Configuring local system..."));
+	tqApp->processEvents();
+
 	// Write the TDE realm configuration file
 	LDAPRealmConfigList realms;
 	realms.insert(realmconfig.name, realmconfig);
@@ -595,9 +949,31 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME
 	m_systemconfig->writeEntry("DefaultRealm", realmconfig.name);
 	m_systemconfig->sync();
 
-	pdialog.setStatusMessage(i18n("Configuring local system..."));
 	LDAPManager::writeLDAPConfFile(realmconfig);
 
+	pdialog.setStatusMessage(i18n("(Re)starting servers..."));
+	tqApp->processEvents();
+
+	// Restart slapd
+	if (controlLDAPServer(SC_RESTART) != 0) {
+		if (errstr) *errstr = i18n("Unable to restart LDAP server");
+		pdialog.closeDialog();
+		return -1;
+	}
+	// Restart Heimdal
+	if (controlHeimdalServer(SC_RESTART) != 0) {
+		if (errstr) *errstr = i18n("Unable to restart Kerberos server");
+		pdialog.closeDialog();
+		return -1;
+	}
+
+	// Start SASL
+	if (controlSASLServer(SC_START) != 0) {
+		if (errstr) *errstr = i18n("Unable to start SASL server");
+		pdialog.closeDialog();
+		return -1;
+	}
+
 	// RAJA FIXME
 	pdialog.closeDialog();
 }
author	Timothy Pearson <kb9vqf@pearsoncomputing.net>	2012-06-04 02:43:34 -0500
committer	Timothy Pearson <kb9vqf@pearsoncomputing.net>	2012-06-04 02:43:34 -0500
commit	ffa65c885b78a8d783f9e8cd51cf7c0b751207f9 (patch)
tree	5265da262e38753ddad75c7b9a98fb9119dd9215 /src/ldapcontroller.cpp
parent	c39d52d4c9425c45394105bebdd6f2fac29569ee (diff)
download	kcmldapcontroller-ffa65c885b78a8d783f9e8cd51cf7c0b751207f9.tar.gz kcmldapcontroller-ffa65c885b78a8d783f9e8cd51cf7c0b751207f9.zip