diff options
| -rw-r--r-- | confskel/Makefile.am | 5 | ||||
| -rw-r--r-- | confskel/heimdal/kdc.conf | 4 | ||||
| -rw-r--r-- | confskel/heimdal/krb5.conf | 2 | ||||
| -rw-r--r-- | confskel/openldap/ldap/slapd.conf | 4 | ||||
| -rw-r--r-- | confskel/openldap/ldif/config.ldif | 4 | ||||
| -rw-r--r-- | confskel/openldap/ldif/tde-core.ldif | 5 | ||||
| -rw-r--r-- | confskel/openldap/skel.ldif | 39 | ||||
| -rw-r--r-- | confskel/openssl/pki_extensions | 61 | ||||
| -rw-r--r-- | src/certconfigpage.cpp | 36 | ||||
| -rw-r--r-- | src/certconfigpagedlg.ui | 137 | ||||
| -rw-r--r-- | src/ldapcontroller.cpp | 212 | ||||
| -rw-r--r-- | src/ldapcontroller.h | 26 | ||||
| -rw-r--r-- | src/realmwizard.cpp | 33 | ||||
| -rw-r--r-- | src/realmwizard.h | 3 |
14 files changed, 526 insertions, 45 deletions
diff --git a/confskel/Makefile.am b/confskel/Makefile.am index c97578a..42f25a9 100644 --- a/confskel/Makefile.am +++ b/confskel/Makefile.am @@ -13,4 +13,7 @@ ldapldifskeldir = $(ldapskeldir)/ldif ldapldifskel_DATA = openldap/ldif/* saslskeldir = $(confskeldir)/sasl -saslskel_DATA = sasl/*
\ No newline at end of file +saslskel_DATA = sasl/* + +sslskeldir = $(confskeldir)/openssl +sslskel_DATA = openssl/*
\ No newline at end of file diff --git a/confskel/heimdal/kdc.conf b/confskel/heimdal/kdc.conf index d3ba9c8..d7141a1 100644 --- a/confskel/heimdal/kdc.conf +++ b/confskel/heimdal/kdc.conf @@ -1,8 +1,8 @@ [kdc] logging = FILE:/var/log/heimdal-kdc.log enable-pkinit = yes - pkinit_identity = FILE:/etc/trinity/ldap/tde-ca/public/@@@KDCSERVER@@@.pki.crt,/etc/trinity/ldap/tde-ca/private/@@@KDCSERVER@@@.pki.key - pkinit_anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem + pkinit_identity = FILE:@@@KRBKDCPEMFILE@@@,@@@KRBKDCPEMKEYFILE@@@ + pkinit_anchors = FILE:@@@KRBPKIPEMFILE@@@ pkinit_allow-proxy-certificate = false acl_file = /etc/heimdal-kdc/kadmind.acl diff --git a/confskel/heimdal/krb5.conf b/confskel/heimdal/krb5.conf index e76a90f..4678173 100644 --- a/confskel/heimdal/krb5.conf +++ b/confskel/heimdal/krb5.conf @@ -3,7 +3,7 @@ default_realm = @@@REALM_UCNAME@@@ [appdefaults] - pkinit_anchors = FILE:/etc/trinity/ldap/tde-ca/anchors/tdeca.pem + pkinit_anchors = FILE:@@@KRBPKIPEMFILE@@@ [realms] @@@REALM_UCNAME@@@ = { diff --git a/confskel/openldap/ldap/slapd.conf b/confskel/openldap/ldap/slapd.conf index 3dce739..9263350 100644 --- a/confskel/openldap/ldap/slapd.conf +++ b/confskel/openldap/ldap/slapd.conf @@ -72,8 +72,8 @@ index gidNumber eq lastmod on unique_attributes mail uid uidNumber -TLSCertificateFile /etc/trinity/ldap/tde-ca/public/@@@ADMINSERVER@@@.crt -TLSCertificateKeyFile /etc/trinity/ldap/tde-ca/private/@@@ADMINSERVER@@@.key +TLSCertificateFile @@@LDAPPEMFILE@@@ +TLSCertificateKeyFile @@@LDAPPEMKEYFILE@@@ sasl-realm @@@REALM_UCNAME@@@ sasl-host @@@ADMINSERVER@@@ diff --git a/confskel/openldap/ldif/config.ldif b/confskel/openldap/ldif/config.ldif index 9e05b86..8df7bdc 100644 --- a/confskel/openldap/ldif/config.ldif +++ b/confskel/openldap/ldif/config.ldif @@ -28,8 +28,8 @@ olcSaslSecProps: noplain,noanonymous olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 16 -#olcTLSCertificateFile: /etc/trinity/ldap/tde-ca/public/@@@ADMINSERVER@@@.crt -#olcTLSCertificateKeyFile: /etc/trinity/ldap/tde-ca/private/@@@ADMINSERVER@@@.key +olcTLSCertificateFile: @@@LDAPPEMFILE@@@ +olcTLSCertificateKeyFile: @@@LDAPPEMKEYFILE@@@ olcTLSVerifyClient: never olcToolThreads: 1 olcWriteTimeout: 0 diff --git a/confskel/openldap/ldif/tde-core.ldif b/confskel/openldap/ldif/tde-core.ldif index 52f7a80..0644264 100644 --- a/confskel/openldap/ldif/tde-core.ldif +++ b/confskel/openldap/ldif/tde-core.ldif @@ -15,6 +15,9 @@ olcAttributeTypes: {9} ( 1.3.6.1.4.1.99999.1.1.10 NAME 'badPwdCount' DESC 'Bad p olcAttributeTypes: {10} ( 1.3.6.1.4.1.99999.1.1.11 NAME 'badPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {11} ( 1.3.6.1.4.1.99999.1.1.12 NAME 'lastLogon' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {12} ( 1.3.6.1.4.1.99999.1.1.13 NAME 'lastLogoff' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +# Used for storing sharable certificates and keys +olcAttributeTypes: {13} ( 1.3.6.1.4.1.99999.1.1.14 NAME 'publicRootCertificate' DESC 'Certificate authority root certificate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE ) olcObjectClasses: {0} ( 1.3.6.1.4.1.99999.1.2.1 NAME 'tdeExtendedUserData' SUP top AUXILIARY MAY ( website URL $ managerName $ secretaryName $ teletexId $ preferredDelivery $ locallyUniqueID $ notes $ pwdLastSet $ badPwdCount $ badPasswordTime $ lastLogon $ lastLogoff ) ) -olcObjectClasses: {1} ( 1.3.6.1.4.1.99999.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY tdeBuiltinAccount )
\ No newline at end of file +olcObjectClasses: {1} ( 1.3.6.1.4.1.99999.1.2.2 NAME 'tdeAccountObject' SUP top AUXILIARY MAY tdeBuiltinAccount ) +olcObjectClasses: {2} ( 1.3.6.1.4.1.99999.1.2.3 NAME 'tdeCertificateStore' SUP top AUXILIARY MAY ( tdeBuiltinAccount $ publicRootCertificate ) )
\ No newline at end of file diff --git a/confskel/openldap/skel.ldif b/confskel/openldap/skel.ldif index 34d615b..0d17c6c 100644 --- a/confskel/openldap/skel.ldif +++ b/confskel/openldap/skel.ldif @@ -88,6 +88,16 @@ entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000 modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@ modifyTimestamp: @@@TIMESTAMP@@@Z +dn: cn=tde realm data,ou=master services,ou=core,ou=realm,@@@REALM_DCNAME@@@ +objectClass: namedObject +cn: TDE Realm Data +structuralObjectClass: namedObject +creatorsName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@ +createTimestamp: @@@TIMESTAMP@@@Z +entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000 +modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@ +modifyTimestamp: @@@TIMESTAMP@@@Z + dn: o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm,@@@REALM_DCNAME@@@ cn: kerberos emsdescription: Kerberos Registry @@ -104,6 +114,22 @@ entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000 modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@ modifyTimestamp: @@@TIMESTAMP@@@Z +dn: o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,@@@REALM_DCNAME@@@ +cn: tde +emsdescription: TDE Realm Data +emsmodelclass: EMSSecurityObject +emstype: ServicePlugin +o: tde +objectClass: organization +objectClass: emsSecurityObject +objectClass: emsIgnore +structuralObjectClass: organization +creatorsName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@ +createTimestamp: @@@TIMESTAMP@@@Z +entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000 +modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@ +modifyTimestamp: @@@TIMESTAMP@@@Z + dn: ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@ emscontainertype: EGroupContainer emsdescription: EMS Group Container @@ -227,3 +253,16 @@ krb5EncryptionType: 23 entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000 modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@ modifyTimestamp: @@@TIMESTAMP@@@Z + +dn: cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,@@@REALM_DCNAME@@@ +cn: certificate store +description: TDE Certificate Store +objectClass: tdeCertificateStore +objectClass: applicationProcess +tdeBuiltinAccount: TRUE +structuralObjectClass: applicationProcess +creatorsName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@ +createTimestamp: @@@TIMESTAMP@@@Z +entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000 +modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@ +modifyTimestamp: @@@TIMESTAMP@@@Z
\ No newline at end of file diff --git a/confskel/openssl/pki_extensions b/confskel/openssl/pki_extensions new file mode 100644 index 0000000..d841890 --- /dev/null +++ b/confskel/openssl/pki_extensions @@ -0,0 +1,61 @@ +[ kdc_cert ] +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement + +#Pkinit EKU +extendedKeyUsage = 1.3.6.1.5.2.3.5 + +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# Copy subject details + +issuerAltName=issuer:copy + +# Add id-pkinit-san (pkinit subjectAlternativeName) +subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name + +[kdc_princ_name] +realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@ +principal_name = EXP:1, SEQUENCE:kdc_principal_seq + +[kdc_principal_seq] +name_type = EXP:0, INTEGER:1 +name_string = EXP:1, SEQUENCE:kdc_principals + +[kdc_principals] +princ1 = GeneralString:krbtgt +princ2 = GeneralString:@@@REALM_UCNAME@@@ + +[ client_cert ] + +# These extensions are added when 'ca' signs a request. + +basicConstraints=CA:FALSE + +keyUsage = digitalSignature, keyEncipherment, keyAgreement + +extendedKeyUsage = 1.3.6.1.5.2.3.4 +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + + +subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name + + +# Copy subject details + +issuerAltName=issuer:copy + +[princ_name] +realm = EXP:0, GeneralString:@@@REALM_UCNAME@@@ +principal_name = EXP:1, SEQUENCE:principal_seq + +[principal_seq] +name_type = EXP:0, INTEGER:1 +name_string = EXP:1, SEQUENCE:principals + +[principals] +princ1 = GeneralString:@@@KDCSERVER@@@ diff --git a/src/certconfigpage.cpp b/src/certconfigpage.cpp index 1e94336..2a5b6e6 100644 --- a/src/certconfigpage.cpp +++ b/src/certconfigpage.cpp @@ -48,11 +48,20 @@ CertConfigPage::CertConfigPage(TQWidget *parent, const char *name ) : CertConfig connect(generateKeysDisabled, TQT_SIGNAL(stateChanged(int)), this, TQT_SLOT(setUseProvidedKeys(int))); connect(kerberosPEM, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries())); + connect(kerberosPEMKEY, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries())); connect(kerberosCRT, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries())); connect(kerberosKEY, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries())); connect(ldapCRT, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries())); connect(ldapKEY, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries())); + connect(organizationName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries())); + connect(orgUnitName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries())); + connect(commonName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries())); + connect(localityName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries())); + connect(stateOrProvinceName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries())); + connect(countryName, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries())); + connect(emailAddress, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries())); + m_parentWizard = dynamic_cast<KWizard*>(parent); m_parentDialog = dynamic_cast<KDialogBase*>(parent); } @@ -81,19 +90,33 @@ void CertConfigPage::setUseProvidedKeys(int state) { void CertConfigPage::processLockouts() { kerberosPEM->setEnabled(generateKeysDisabled->isOn()); + kerberosPEMKEY->setEnabled(generateKeysDisabled->isOn()); kerberosCRT->setEnabled(generateKeysDisabled->isOn()); kerberosKEY->setEnabled(generateKeysDisabled->isOn()); ldapCRT->setEnabled(generateKeysDisabled->isOn()); ldapKEY->setEnabled(generateKeysDisabled->isOn()); + + organizationName->setEnabled(generateKeysEnabled->isOn()); + orgUnitName->setEnabled(generateKeysEnabled->isOn()); + commonName->setEnabled(generateKeysEnabled->isOn()); + localityName->setEnabled(generateKeysEnabled->isOn()); + stateOrProvinceName->setEnabled(generateKeysEnabled->isOn()); + countryName->setEnabled(generateKeysEnabled->isOn()); + emailAddress->setEnabled(generateKeysEnabled->isOn()); } void CertConfigPage::validateEntries() { if (m_parentWizard) { if (generateKeysEnabled->isOn()) { - m_parentWizard->nextButton()->setEnabled(true); + if ((organizationName->text() != "") && (orgUnitName->text() != "") && (commonName->text() != "") && (localityName->text() != "") && (stateOrProvinceName->text() != "") && (countryName->text() != "") && (emailAddress->text() != "")) { + m_parentWizard->nextButton()->setEnabled(true); + } + else { + m_parentWizard->nextButton()->setEnabled(false); + } } else { - if ((kerberosPEM->url() != "") && (kerberosCRT->url() != "") && (kerberosKEY->url() != "") && (ldapCRT->url() != "") && (ldapKEY->url() != "")) { + if ((kerberosPEM->url() != "") && (kerberosPEMKEY->url() != "") && (kerberosCRT->url() != "") && (kerberosKEY->url() != "") && (ldapCRT->url() != "") && (ldapKEY->url() != "")) { m_parentWizard->nextButton()->setEnabled(true); } else { @@ -103,10 +126,15 @@ void CertConfigPage::validateEntries() { } if (m_parentDialog) { if (generateKeysEnabled->isOn()) { - m_parentDialog->enableButton(KDialogBase::Ok, true); + if ((organizationName->text() != "") && (orgUnitName->text() != "") && (commonName->text() != "") && (localityName->text() != "") && (stateOrProvinceName->text() != "") && (countryName->text() != "") && (emailAddress->text() != "")) { + m_parentDialog->enableButton(KDialogBase::Ok, true); + } + else { + m_parentDialog->enableButton(KDialogBase::Ok, false); + } } else { - if ((kerberosPEM->url() != "") && (kerberosCRT->url() != "") && (kerberosKEY->url() != "") && (ldapCRT->url() != "") && (ldapKEY->url() != "")) { + if ((kerberosPEM->url() != "") && (kerberosPEMKEY->url() != "") && (kerberosCRT->url() != "") && (kerberosKEY->url() != "") && (ldapCRT->url() != "") && (ldapKEY->url() != "")) { m_parentDialog->enableButton(KDialogBase::Ok, true); } else { diff --git a/src/certconfigpagedlg.ui b/src/certconfigpagedlg.ui index 80d64da..bd71535 100644 --- a/src/certconfigpagedlg.ui +++ b/src/certconfigpagedlg.ui @@ -66,7 +66,101 @@ <string>Generate New Certificates and Keys</string> </property> </widget> - <widget class="TQRadioButton" row="1" column="0"> + <widget class="TQLabel" row="1" column="0"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <string>Organization</string> + </property> + </widget> + <widget class="TQLineEdit" row="1" column="1" colspan="3"> + <property name="name"> + <cstring>organizationName</cstring> + </property> + </widget> + <widget class="TQLabel" row="2" column="0"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <string>Division/Unit</string> + </property> + </widget> + <widget class="TQLineEdit" row="2" column="1" colspan="3"> + <property name="name"> + <cstring>orgUnitName</cstring> + </property> + </widget> + <widget class="TQLabel" row="3" column="0"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <string>Certificate Owner</string> + </property> + </widget> + <widget class="TQLineEdit" row="3" column="1" colspan="3"> + <property name="name"> + <cstring>commonName</cstring> + </property> + </widget> + <widget class="TQLabel" row="4" column="0"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <string>City/Locality</string> + </property> + </widget> + <widget class="TQLineEdit" row="4" column="1" colspan="3"> + <property name="name"> + <cstring>localityName</cstring> + </property> + </widget> + <widget class="TQLabel" row="5" column="0"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <string>State/Province</string> + </property> + </widget> + <widget class="TQLineEdit" row="5" column="1" colspan="1"> + <property name="name"> + <cstring>stateOrProvinceName</cstring> + </property> + </widget> + <widget class="TQLabel" row="5" column="2"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <string>Country</string> + </property> + </widget> + <widget class="TQLineEdit" row="5" column="3" colspan="1"> + <property name="name"> + <cstring>countryName</cstring> + </property> + <property name="maxLength"> + <number>2</number> + </property> + </widget> + <widget class="TQLabel" row="6" column="0"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <string>Administrative Email</string> + </property> + </widget> + <widget class="TQLineEdit" row="6" column="1" colspan="3"> + <property name="name"> + <cstring>emailAddress</cstring> + </property> + </widget> + <widget class="TQRadioButton" row="10" column="0"> <property name="name"> <cstring>generateKeysDisabled</cstring> </property> @@ -74,15 +168,15 @@ <string>Install Provided Certificates and Keys</string> </property> </widget> - <widget class="TQLabel" row="2" column="0"> + <widget class="TQLabel" row="11" column="0"> <property name="name"> <cstring>unnamed</cstring> </property> <property name="text"> - <string>Kerberos PKI Anchor</string> + <string>Kerberos PKI CA Public Certificate</string> </property> </widget> - <widget class="KURLRequester" row="2" column="1" colspan="1"> + <widget class="KURLRequester" row="11" column="1" colspan="3"> <property name="name"> <cstring>kerberosPEM</cstring> </property> @@ -93,7 +187,26 @@ <cstring>*.pem|PKI Anchor Files (*.pem)</cstring> </property> </widget> - <widget class="TQLabel" row="3" column="0"> + <widget class="TQLabel" row="12" column="0"> + <property name="name"> + <cstring>unnamed</cstring> + </property> + <property name="text"> + <string>Kerberos PKI CA Private Key</string> + </property> + </widget> + <widget class="KURLRequester" row="12" column="1" colspan="3"> + <property name="name"> + <cstring>kerberosPEMKEY</cstring> + </property> + <property name="mode"> + <number>25</number> + </property> + <property name="filter"> + <cstring>*.key|Private Key (*.key)</cstring> + </property> + </widget> + <widget class="TQLabel" row="13" column="0"> <property name="name"> <cstring>unnamed</cstring> </property> @@ -101,7 +214,7 @@ <string>Kerberos Public Certificate</string> </property> </widget> - <widget class="KURLRequester" row="3" column="1" colspan="1"> + <widget class="KURLRequester" row="13" column="1" colspan="3"> <property name="name"> <cstring>kerberosCRT</cstring> </property> @@ -112,7 +225,7 @@ <cstring>*.crt|Public Certificate (*.crt)</cstring> </property> </widget> - <widget class="TQLabel" row="4" column="0"> + <widget class="TQLabel" row="14" column="0"> <property name="name"> <cstring>unnamed</cstring> </property> @@ -120,7 +233,7 @@ <string>Kerberos Private Key</string> </property> </widget> - <widget class="KURLRequester" row="4" column="1" colspan="1"> + <widget class="KURLRequester" row="14" column="1" colspan="3"> <property name="name"> <cstring>kerberosKEY</cstring> </property> @@ -131,7 +244,7 @@ <cstring>*.key|Private Key (*.key)</cstring> </property> </widget> - <widget class="TQLabel" row="5" column="0"> + <widget class="TQLabel" row="15" column="0"> <property name="name"> <cstring>unnamed</cstring> </property> @@ -139,7 +252,7 @@ <string>LDAP TLS Public Certificate</string> </property> </widget> - <widget class="KURLRequester" row="5" column="1" colspan="1"> + <widget class="KURLRequester" row="15" column="1" colspan="3"> <property name="name"> <cstring>ldapCRT</cstring> </property> @@ -150,7 +263,7 @@ <cstring>*.crt|Public Certificate (*.crt)</cstring> </property> </widget> - <widget class="TQLabel" row="6" column="0"> + <widget class="TQLabel" row="16" column="0"> <property name="name"> <cstring>unnamed</cstring> </property> @@ -158,7 +271,7 @@ <string>LDAP TLS Private Key</string> </property> </widget> - <widget class="KURLRequester" row="6" column="1" colspan="1"> + <widget class="KURLRequester" row="16" column="1" colspan="3"> <property name="name"> <cstring>ldapKEY</cstring> </property> diff --git a/src/ldapcontroller.cpp b/src/ldapcontroller.cpp index 58cfff1..a23e5cf 100644 --- a/src/ldapcontroller.cpp +++ b/src/ldapcontroller.cpp @@ -63,13 +63,35 @@ // RedHat would be "/etc/sysconfig/ldap" #define LDAP_DEFAULT_FILE "/etc/default/slapd" #define HEIMDAL_DEFAULT_FILE "/etc/default/heimdal-kdc" -#define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl" #define SASL_DEFAULT_FILE "/etc/default/saslauthd" #define SASL_CONTROL_FILE "/etc/ldap/sasl2/slapd.conf" +#define HEIMDAL_ACL_FILE "/etc/heimdal-kdc/kadmind.acl" +#define TDE_CERTIFICATE_DIR "/etc/trinity/ldap/tde-ca/" +#define KERBEROS_PKI_ANCHORDIR "/etc/trinity/ldap/tde-ca/anchors/" +#define KERBEROS_PKI_PRIVATEDIR "/etc/trinity/ldap/tde-ca/private/" +#define KERBEROS_PKI_PUBLICDIR "/etc/trinity/ldap/tde-ca/public/" +#define KERBEROS_PKI_PEM_FILE KERBEROS_PKI_ANCHORDIR "tdeca.pem" +#define KERBEROS_PKI_PEMKEY_FILE KERBEROS_PKI_ANCHORDIR "tdeca.key.pem" +#define KERBEROS_PKI_KDC_FILE KERBEROS_PKI_PUBLICDIR "@@@KDCSERVER@@@.pki.crt" +#define KERBEROS_PKI_KDCKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.key" +#define KERBEROS_PKI_KDCREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@KDCSERVER@@@.pki.req" + +#define LDAP_CERT_FILE KERBEROS_PKI_PUBLICDIR "@@@ADMINSERVER@@@.ldap.crt" +#define LDAP_CERTKEY_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.key" +#define LDAP_CERTREQ_FILE KERBEROS_PKI_PRIVATEDIR "@@@ADMINSERVER@@@.ldap.req" + +#define OPENSSL_EXTENSIONS_FILE TDE_CERTIFICATE_DIR "pki_extensions" + #define ROLE_WORKSTATION 0 #define ROLE_REALM_CONTROLLER 1 +#define KEY_STRENGTH 2048 + +// RAJA FIXME +// Provide a way to change the LDAP root password +// in the olcDatabase (field olcRootPW) after installation! + typedef KGenericFactory<LDAPController, TQWidget> ldapFactory; K_EXPORT_COMPONENT_FACTORY( kcm_ldapcontroller, ldapFactory("kcmldapcontroller")) @@ -145,7 +167,7 @@ void LDAPController::systemRoleChanged() { // Something will probably change save(); - RealmWizard realmwizard(this, m_fqdn, this); + RealmWizard realmwizard(this, m_fqdn, m_certconfig, this); if (realmwizard.exec() < 0) { // Wizard was cancelled // Back out all changes! @@ -191,6 +213,18 @@ void LDAPController::load() { m_base->systemRole->setCurrentItem(ROLE_WORKSTATION); } m_prevRole = m_base->systemRole->currentItem(); + + // Load cert config + m_systemconfig->setGroup("Certificates"); + m_certconfig.countryName = m_systemconfig->readEntry("countryName"); + m_certconfig.stateOrProvinceName = m_systemconfig->readEntry("stateOrProvinceName"); + m_certconfig.localityName = m_systemconfig->readEntry("localityName"); + m_certconfig.organizationName = m_systemconfig->readEntry("organizationName"); + m_certconfig.orgUnitName = m_systemconfig->readEntry("orgUnitName"); + m_certconfig.commonName = m_systemconfig->readEntry("commonName"); + m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress"); + + m_systemconfig->setGroup(NULL); } void LDAPController::defaults() { @@ -202,6 +236,18 @@ void LDAPController::save() { m_systemconfig->writeEntry("EnableLDAP", m_base->systemEnableSupport->isChecked()); m_systemconfig->writeEntry("LDAPRole", m_base->systemRole->currentText()); + // Write cert config + m_systemconfig->setGroup("Certificates"); + m_systemconfig->writeEntry("countryName", m_certconfig.countryName); + m_systemconfig->writeEntry("stateOrProvinceName", m_certconfig.stateOrProvinceName); + m_systemconfig->writeEntry("localityName", m_certconfig.localityName); + m_systemconfig->writeEntry("organizationName", m_certconfig.organizationName); + m_systemconfig->writeEntry("orgUnitName", m_certconfig.orgUnitName); + m_systemconfig->writeEntry("commonName", m_certconfig.commonName); + m_systemconfig->writeEntry("emailAddress", m_certconfig.emailAddress); + + m_systemconfig->setGroup(NULL); + m_systemconfig->sync(); if (m_base->systemEnableSupport->isChecked()) { @@ -228,8 +274,6 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi sha.process(adminPassword, strlen(rootPassword)); TQString adminpw_hash = sha.base64Hash(); - // RAJA FIXME - // Created needed strings TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower()); TQString basedcname = "dc=" + domainChunks.join(",dc="); @@ -241,6 +285,15 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi timestamp.replace(":", ""); timestamp.replace("T", ""); + TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; + TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE; + TQString ldap_certfile = LDAP_CERT_FILE; + TQString ldap_keyfile = LDAP_CERTKEY_FILE; + kdc_certfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); + kdc_keyfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); + ldap_certfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + ldap_keyfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + TQFile ifile(infile); TQFile ofile(outfile); if (ifile.open(IO_ReadOnly)) { @@ -275,6 +328,12 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi line.replace("@@@LDAP_GROUP_NAME@@@", ldapgroupname); line.replace("@@@TDELIBDIR@@@", TDE_LIBDIR); line.replace("@@@HEIMDALACLFILE@@@", HEIMDAL_ACL_FILE); + line.replace("@@@KRBPKIPEMFILE@@@", KERBEROS_PKI_PEM_FILE); + line.replace("@@@KRBPKIPEMKEYFILE@@@", KERBEROS_PKI_PEMKEY_FILE); + line.replace("@@@KRBKDCPEMFILE@@@", kdc_certfile); + line.replace("@@@KRBKDCPEMKEYFILE@@@", kdc_keyfile); + line.replace("@@@LDAPPEMFILE@@@", ldap_certfile); + line.replace("@@@LDAPPEMKEYFILE@@@", ldap_keyfile); if (ldifSchemaNumber >= 0) { line.replace("@@@LDIFSCHEMANUMBER@@@", TQString("%1").arg(ldifSchemaNumber)); } @@ -683,7 +742,64 @@ int LDAPController::setKerberosPasswordForUser(LDAPCredentials user, TQString *e return 1; // Failure } -int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr) { +int LDAPController::createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmConfig realmconfig, uid_t ldap_uid, gid_t ldap_gid) { + // Certificate authority certificate + TQString command; + command = TQString("openssl genrsa -out %1 %2").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KEY_STRENGTH); + system(command); + chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR); + chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0); + + command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); + system(command); + chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chown(KERBEROS_PKI_PEM_FILE, 0, 0); + + // KDC certificate + TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; + TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE; + TQString kdc_reqfile = KERBEROS_PKI_KDCREQ_FILE; + kdc_certfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); + kdc_keyfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); + kdc_reqfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); + command = TQString("openssl genrsa -out %1 %2").arg(kdc_keyfile).arg(KEY_STRENGTH); + system(command); + chmod(kdc_keyfile.ascii(), S_IRUSR|S_IWUSR); + chown(kdc_keyfile.ascii(), 0, 0); + + command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); + system(command); + command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE); + system(command); + chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chown(kdc_certfile.ascii(), 0, 0); + unlink(kdc_reqfile.ascii()); + unlink(OPENSSL_EXTENSIONS_FILE); + + // LDAP certificate + TQString ldap_certfile = LDAP_CERT_FILE; + TQString ldap_keyfile = LDAP_CERTKEY_FILE; + TQString ldap_reqfile = LDAP_CERTREQ_FILE; + ldap_certfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + ldap_keyfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + ldap_reqfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + command = TQString("openssl genrsa -out %1 %2").arg(ldap_keyfile).arg(KEY_STRENGTH); + system(command); + chmod(ldap_keyfile.ascii(), S_IRUSR|S_IWUSR); + chown(ldap_keyfile.ascii(), ldap_uid, ldap_gid); + + command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmconfig.admin_server).arg(certinfo.emailAddress); + system(command); + command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile); + system(command); + chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chown(ldap_certfile.ascii(), ldap_uid, ldap_gid); + unlink(ldap_reqfile.ascii()); + + return 0; +} + +int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr) { int ldifSchemaNumber; ProcessingDialog pdialog(dialogparent); @@ -747,19 +863,17 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME mkdir(TQString(destDir + "ldap/slapd.d/cn=config").ascii(), S_IRUSR|S_IWUSR|S_IXUSR); mkdir(TQString(destDir + "ldap/slapd.d/cn=config/cn=schema").ascii(), S_IRUSR|S_IWUSR|S_IXUSR); + mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + mkdir(KERBEROS_PKI_ANCHORDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + mkdir(KERBEROS_PKI_PRIVATEDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + // Heimdal replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", HEIMDAL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", HEIMDAL_ACL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); -// RAJA DEBUG -// if (system("kstash --random-key") != 0) { -// if (errstr) *errstr = i18n("Unable to create Kerberos foundational key"); -// pdialog.closeDialog(); -// return -1; -// } - // OpenLDAP replacePlaceholdersInFile(templateDir + "openldap/skel.ldif", configTempDir.name() + "skel.ldif", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); // replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.conf", destDir + "ldap/slapd.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); @@ -769,6 +883,9 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME replacePlaceholdersInFile(templateDir + "sasl/saslauthd.defaults", SASL_DEFAULT_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); replacePlaceholdersInFile(templateDir + "sasl/slapd.conf", SASL_CONTROL_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); + // OpenSSL + replacePlaceholdersInFile(templateDir + "openssl/pki_extensions", OPENSSL_EXTENSIONS_FILE, realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword); + // FIXME // This assumes Debian! // Grant LDAP access to SASL mux pipe @@ -839,7 +956,62 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME chmod(TQString(LDAP_DEFAULT_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP); chmod(TQString(SASL_DEFAULT_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP); - chmod(TQString(SASL_CONTROL_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP); + chmod(TQString(SASL_CONTROL_FILE).ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + + pdialog.setStatusMessage(i18n("Installing realm certificates...")); + tqApp->processEvents(); + + if (certinfo.generate_certs) { + // Generate certificates + if (createRealmCertificates(certinfo, realmconfig, slapd_uid, slapd_gid) != 0) { + if (errstr) *errstr = i18n("Unable to install realm certificates"); + pdialog.closeDialog(); + return -1; + } + m_certconfig = certinfo; + } + else { + // Copy certificates + TQString kdc_certfile = KERBEROS_PKI_KDC_FILE; + TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE; + kdc_certfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); + kdc_keyfile.replace("@@@KDCSERVER@@@", realmconfig.kdc); + TQString ldap_certfile = LDAP_CERT_FILE; + TQString ldap_keyfile = LDAP_CERTKEY_FILE; + ldap_certfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + ldap_keyfile.replace("@@@ADMINSERVER@@@", realmconfig.admin_server); + + // Copy files + // FIXME + // There has GOT to be a better way to do this than system()!!! + TQString command; + command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_pem).arg(KERBEROS_PKI_PEMKEY_FILE); + system(command); + command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_pemkey).arg(KERBEROS_PKI_PEM_FILE); + system(command); + command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_crt).arg(kdc_certfile); + system(command); + command = TQString("cp %1 %2").arg(certinfo.provided_kerberos_key).arg(kdc_keyfile); + system(command); + command = TQString("cp %1 %2").arg(certinfo.provided_ldap_crt).arg(ldap_certfile); + system(command); + command = TQString("cp %1 %2").arg(certinfo.provided_ldap_key).arg(ldap_keyfile); + system(command); + + // Set permissions + chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR); + chown(KERBEROS_PKI_PEMKEY_FILE, 0, 0); + chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chown(KERBEROS_PKI_PEM_FILE, 0, 0); + chmod(kdc_keyfile.ascii(), S_IRUSR|S_IWUSR); + chown(kdc_keyfile.ascii(), 0, 0); + chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chown(kdc_certfile.ascii(), 0, 0); + chmod(ldap_keyfile.ascii(), S_IRUSR|S_IWUSR); + chown(ldap_keyfile.ascii(), slapd_uid, slapd_gid); + chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + chown(ldap_certfile.ascii(), slapd_uid, slapd_gid); + } pdialog.setStatusMessage(i18n("Loading initial database into LDAP...")); tqApp->processEvents(); @@ -920,6 +1092,20 @@ configTempDir.setAutoDelete(false); // RAJA DEBUG ONLY FIXME pdialog.closeDialog(); return -1; } + + // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server + TQFile cafile(KERBEROS_PKI_PEM_FILE); + if (cafile.open(IO_ReadOnly)) { + TQByteArray cafiledata = cafile.readAll(); + if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", &errorstring) != 0) { + delete ldap_mgr; + delete credentials; + if (errstr) *errstr = errorstring; + pdialog.closeDialog(); + return -1; + } + } + delete ldap_mgr; delete credentials; diff --git a/src/ldapcontroller.h b/src/ldapcontroller.h index a15c8d2..4c8c5a9 100644 --- a/src/ldapcontroller.h +++ b/src/ldapcontroller.h @@ -42,6 +42,27 @@ enum sc_command { SC_SETDBPERMS }; +// PRIVATE +class LDAPCertConfig +{ + public: + bool generate_certs; + TQString provided_kerberos_pem; + TQString provided_kerberos_pemkey; + TQString provided_kerberos_crt; + TQString provided_kerberos_key; + TQString provided_ldap_crt; + TQString provided_ldap_key; + + TQString countryName; + TQString stateOrProvinceName; + TQString localityName; + TQString organizationName; + TQString orgUnitName; + TQString commonName; + TQString emailAddress; +}; + class LDAPController: public KCModule { Q_OBJECT @@ -58,7 +79,7 @@ class LDAPController: public KCModule virtual const KAboutData *aboutData() const { return myAboutData; }; public: - int createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr); + int createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, LDAPCertConfig certinfo, TQString *errstr); private slots: void systemRoleChanged(); @@ -73,6 +94,7 @@ class LDAPController: public KCModule int addLDAPEntryToKerberosRealm(TQString ldapProcessOwnerName, TQString ldapHost, TQString *errstr); int addHostEntryToKerberosRealm(TQString kerberosHost, TQString *errstr); int setKerberosPasswordForUser(LDAPCredentials user, TQString *errstr); + int createRealmCertificates(LDAPCertConfig certinfo, LDAPRealmConfig realmconfig, uid_t ldap_uid, gid_t ldap_gid); private: KAboutData *myAboutData; @@ -84,6 +106,8 @@ class LDAPController: public KCModule int m_prevRole; TQString m_ldapUserName; TQString m_ldapGroupName; + + LDAPCertConfig m_certconfig; }; #endif // _LDAPCONTROLLER_H_ diff --git a/src/realmwizard.cpp b/src/realmwizard.cpp index 1676ca5..4d517ee 100644 --- a/src/realmwizard.cpp +++ b/src/realmwizard.cpp @@ -45,6 +45,7 @@ #include <klineedit.h> #include <ktextedit.h> #include <kpassdlg.h> +#include <kurlrequester.h> #include <stdlib.h> @@ -58,8 +59,8 @@ #include "realmwizard.h" #include "realmwizard.moc" -RealmWizard::RealmWizard(LDAPController* controller, TQString fqdn, TQWidget *parent, const char *name) - : KWizard(parent, name, true), m_controller(controller), m_fqdn(fqdn) { +RealmWizard::RealmWizard(LDAPController* controller, TQString fqdn, LDAPCertConfig certinfo, TQWidget *parent, const char *name) + : KWizard(parent, name, true), m_controller(controller), m_fqdn(fqdn), m_certconfig(certinfo) { setCaption(i18n("LDAP Realm Wizard")); @@ -98,6 +99,15 @@ RealmWizard::RealmWizard(LDAPController* controller, TQString fqdn, TQWidget *pa finishpage->ldapAdminGroupname->setText("realmadmins"); finishpage->ldapMachineAdminGroupname->setText("machineadmins"); + // Load certificate info + certpage->organizationName->setText(m_certconfig.organizationName); + certpage->orgUnitName->setText(m_certconfig.orgUnitName); + certpage->commonName->setText(m_certconfig.commonName); + certpage->localityName->setText(m_certconfig.localityName); + certpage->stateOrProvinceName->setText(m_certconfig.stateOrProvinceName); + certpage->countryName->setText(m_certconfig.countryName); + certpage->emailAddress->setText(m_certconfig.emailAddress); + // Other setup finishpage->ldapAdminRealm->setEnabled(false); @@ -140,8 +150,21 @@ void RealmWizard::next() { certpage->validateEntries(); } else if (currentPage()==certpage) { - // RAJA FIXME - // What to do with the certificate information? + // Save certificate information + m_certconfig.generate_certs = certpage->generateKeysEnabled->isOn(); + m_certconfig.provided_kerberos_pem = certpage->kerberosPEM->url(); + m_certconfig.provided_kerberos_pemkey = certpage->kerberosPEMKEY->url(); + m_certconfig.provided_kerberos_crt = certpage->kerberosCRT->url(); + m_certconfig.provided_kerberos_key = certpage->kerberosKEY->url(); + m_certconfig.provided_ldap_crt = certpage->ldapCRT->url(); + m_certconfig.provided_ldap_key = certpage->ldapKEY->url(); + m_certconfig.organizationName = certpage->organizationName->text(); + m_certconfig.orgUnitName = certpage->orgUnitName->text(); + m_certconfig.commonName = certpage->commonName->text(); + m_certconfig.localityName = certpage->localityName->text(); + m_certconfig.stateOrProvinceName = certpage->stateOrProvinceName->text(); + m_certconfig.countryName = certpage->countryName->text(); + m_certconfig.emailAddress = certpage->emailAddress->text(); TQWizard::next(); finishpage->validateEntries(); @@ -221,7 +244,7 @@ void RealmWizard::accept() { nextButton()->setEnabled(false); finishButton()->setEnabled(false); cancelButton()->setEnabled(false); - if (m_controller->createNewLDAPRealm(this, m_realmconfig, finishpage->ldapAdminUsername->text(), finishpage->ldapAdminGroupname->text(), finishpage->ldapMachineAdminGroupname->text(), finishpage->ldapAdminPassword->password(), "admin", finishpage->ldapAdminPassword->password(), finishpage->ldapAdminRealm->text(), &errorString) == 0) { + if (m_controller->createNewLDAPRealm(this, m_realmconfig, finishpage->ldapAdminUsername->text(), finishpage->ldapAdminGroupname->text(), finishpage->ldapMachineAdminGroupname->text(), finishpage->ldapAdminPassword->password(), "admin", finishpage->ldapAdminPassword->password(), finishpage->ldapAdminRealm->text(), m_certconfig, &errorString) == 0) { done(0); } else { diff --git a/src/realmwizard.h b/src/realmwizard.h index f913a02..34de72b 100644 --- a/src/realmwizard.h +++ b/src/realmwizard.h @@ -42,7 +42,7 @@ class RealmWizard : public KWizard { Q_OBJECT public: /** construtor */ - RealmWizard(LDAPController* controller, TQString fqdn, TQWidget* parent=0, const char *name=0); + RealmWizard(LDAPController* controller, TQString fqdn, LDAPCertConfig certinfo, TQWidget* parent=0, const char *name=0); /** destructor */ ~RealmWizard(); @@ -76,6 +76,7 @@ private: LDAPController* m_controller; LDAPRealmConfig m_realmconfig; TQString m_fqdn; + LDAPCertConfig m_certconfig; protected: // Protected methods // the close button on the titlebar sets e->accept() which we don't want. |