authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2012-06-06 13:04:14 -0500
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2012-06-06 13:04:14 -0500
commitc1419e3a4c17f30aa504d9277a7750ce0a6b6a5a (patch)
tree20418a065b2b7fcbdb1c3c10f1a1b35ed4a08773
parent4ada10136e07c59ea5e5ff2d06b7313cf098432c (diff)
downloadlibtdeldap-c1419e3a4c17f30aa504d9277a7750ce0a6b6a5a.tar.gz
libtdeldap-c1419e3a4c17f30aa504d9277a7750ce0a6b6a5a.zip
Preferentially use TLS when connecting to LDAP server
-rw-r--r--src/ldaplogindlgbase.ui8
-rw-r--r--src/libtdeldap.cpp78
-rw-r--r--src/libtdeldap.h5
3 files changed, 66 insertions, 25 deletions
diff --git a/src/ldaplogindlgbase.ui b/src/ldaplogindlgbase.ui
index 43ac9b4..a3e855b 100644
--- a/src/ldaplogindlgbase.ui
+++ b/src/ldaplogindlgbase.ui
@@ -80,6 +80,14 @@
<cstring>ldapAdminRealm</cstring>
</property>
</widget>
+ <widget class="TQCheckBox" row="4" column="0" colspan="3">
+ <property name="name">
+ <cstring>ldapUseTLS</cstring>
+ </property>
+ <property name="text">
+ <string>Use LDAP TLS to encrypt this connection (recommended)</string>
+ </property>
+ </widget>
</grid>
</widget>
<layoutdefaults spacing="3" margin="6"/>
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 2bbacf4..47f5057 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -19,10 +19,13 @@
***************************************************************************/
#include <sys/types.h>
+#include <sys/stat.h>
#include <sys/socket.h>
#include <netdb.h>
+#include <pwd.h>
#include <tqfile.h>
+#include <tqcheckbox.h>
#include <klocale.h>
#include <kmessagebox.h>
@@ -44,7 +47,7 @@
// FIXME
// Connect this to CMake/Automake
#define KDE_CONFDIR "/etc/trinity"
-#define LDAP_FILE "/etc/ldap.conf"
+#define LDAP_FILE "/etc/ldap/ldap.conf"
int requested_ldap_version = LDAP_VERSION3;
int requested_ldap_auth_method = LDAP_AUTH_SIMPLE; // Is this safe and secure over an untrusted connection?
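Review bot: The new LDAP_FILE value points at /etc/ldap/ldap.conf, which on Debian-derived systems is the OpenLDAP client-library configuration, while the directives writeLDAPConfFile emits later in this diff (`bind_policy`, `pam_password`, `nss_initgroups_ignoreusers`) are pam_ldap/nss_ldap keywords that historically lived in the old /etc/ldap.conf location; it is worth confirming which consumer is meant to read the generated file, since the `tls_cacert` line added below only helps the library that actually performs the bind. The FIXME above this define already says the path belongs in the build configuration, and the fact that the right path now differs per distribution makes that more pressing. The question on the `requested_ldap_auth_method` line is also why the new `use_tls` flag matters: a simple bind carries the password in clear unless the connection is ldaps://.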
@@ -91,13 +94,21 @@ TQString ldapLikelyErrorCause(int errcode, int location) {
TQString ret;
if (location == ERRORCAUSE_LOCATION_BIND) {
+ if (errcode == LDAP_SERVER_DOWN) {
+ ret = " * LDAP server down<br> * Invalid LDAP Certificate Authority file on client";
+ }
if (LDAP_NAME_ERROR(errcode)) {
ret = "Unknown user name or incorrect user name format";
}
}
if (ret != "") {
- ret.prepend("<p>" + i18n("Likely cause") + ":<br>");
+ if (ret.contains("<br>")) {
+ ret.prepend("<p>" + i18n("Potential causes") + ":<br>");
+ }
+ else {
+ ret.prepend("<p>" + i18n("Potential cause") + ":<br>");
+ }
}
return ret;
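Review bot: The new `LDAP_SERVER_DOWN` text is a raw literal while the prefix it receives two lines later goes through i18n(); for consistency with the rest of the function wrap it, `ret = i18n(" * LDAP server down<br> * Invalid LDAP Certificate Authority file on client");`. The following `LDAP_NAME_ERROR(errcode)` check assigns rather than appends, which only works because the two codes appear to be mutually exclusive; a one-line comment saying so (`// Only one of these can match for a given errcode`) would stop a future case from silently overwriting the first. The function's signature is outside the hunk.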
@@ -109,7 +120,31 @@ printf("[RAJA DEBUG 600.0] In LDAPManager::bind(%p)\n\r", errstr); fflush(stdout
return 0;
}
- int use_secure_connection = 0;
+ bool using_ldapi = false;
+ if (m_host.startsWith("ldapi://")) {
+ using_ldapi = true;
+ }
+ bool havepass = false;
+ if (m_creds || using_ldapi) {
+ havepass = true;
+ }
+ else {
+printf("[RAJA DEBUG 660.1] using_ldapi: %d\n\r", using_ldapi); fflush(stdout);
+ LDAPPasswordDialog passdlg(0);
+ passdlg.m_base->ldapAdminRealm->setEnabled(false);
+ passdlg.m_base->ldapAdminRealm->insertItem(m_realm);
+ passdlg.m_base->ldapUseTLS->setChecked(true);
+ if (passdlg.exec() == TQDialog::Accepted) {
+ havepass = true;
+ if (!m_creds) {
+ m_creds = new LDAPCredentials();
+ m_creds->username = passdlg.m_base->ldapAdminUsername->text();
+ m_creds->password = passdlg.m_base->ldapAdminPassword->password();
+ m_creds->realm = passdlg.m_base->ldapAdminRealm->currentText();
+ m_creds->use_tls = passdlg.m_base->ldapUseTLS->isOn();
+ }
+ }
+ }
TQString uri;
if (m_host.contains("://")) {
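Review bot: When the password dialog is rejected `m_creds` stays NULL, but the URI construction that now follows (`if (m_creds->use_tls)` at the start of the next hunk, and again in the later hunk around `LDAP_SECURE_PORT`) dereferences it before the `havepass == true` test is ever reached; the old code kept this decision in a local `use_secure_connection`, so a cancelled dialog on a host given without a scheme is a new null dereference. Bail out right after the dialog, `if (!havepass) { return <value bind() already returns when no bind is attempted>; }`, or guard both sites with `if (m_creds && m_creds->use_tls) {`. The ldapi path has the same shape (havepass true, m_creds possibly NULL) but appears to be skipped by the `m_host.contains("://")` branch, which I cannot fully see. Unchecking the pre-selected TLS box drops to a simple bind over plain ldap://, sending the password unencrypted; the comment on `requested_ldap_auth_method` already flags this, so either the dialog text or a check here should make that consequence explicit. LDAPManager::bind() begins and ends outside this hunk.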
@@ -122,7 +157,7 @@ printf("[RAJA DEBUG 600.0] In LDAPManager::bind(%p)\n\r", errstr); fflush(stdout
}
}
else {
- if (use_secure_connection == 1) {
+ if (m_creds->use_tls) {
m_port = LDAP_SECURE_PORT;
uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port);
}
@@ -148,25 +183,6 @@ printf("[RAJA DEBUG 600.1] URI: %s\n\r", uri.ascii()); fflush(stdout);
printf("[RAJA DEBUG 660.0]\n\r"); fflush(stdout);
TQString errorString;
- bool havepass = false;
- if (m_creds) {
- havepass = true;
- }
- else {
-printf("[RAJA DEBUG 660.1]\n\r"); fflush(stdout);
- LDAPPasswordDialog passdlg(0);
- passdlg.m_base->ldapAdminRealm->setEnabled(false);
- passdlg.m_base->ldapAdminRealm->insertItem(m_realm);
- if (passdlg.exec() == TQDialog::Accepted) {
- havepass = true;
- if (!m_creds) {
- m_creds = new LDAPCredentials();
- m_creds->username = passdlg.m_base->ldapAdminUsername->text();
- m_creds->password = passdlg.m_base->ldapAdminPassword->password();
- m_creds->realm = passdlg.m_base->ldapAdminRealm->currentText();
- }
- }
- }
if (havepass == true) {
char* mechanism = NULL;
struct berval cred;
@@ -175,7 +191,7 @@ printf("[RAJA DEBUG 660.1]\n\r"); fflush(stdout);
cred.bv_val = pass.data();
cred.bv_len = pass.length();
printf("[RAJA DEBUG 660.2]\n\r"); fflush(stdout);
- if (!uri.startsWith("ldapi://")) {
+ if (!using_ldapi) {
if (!ldap_dn.contains(",")) {
// Look for a POSIX account with anonymous bind and the specified account name
TQString uri;
@@ -184,7 +200,7 @@ printf("[RAJA DEBUG 660.2]\n\r"); fflush(stdout);
uri = m_host;
}
else {
- if (use_secure_connection == 1) {
+ if (m_creds->use_tls) {
m_port = LDAP_SECURE_PORT;
uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port);
}
@@ -1398,11 +1414,14 @@ void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) {
stream << "bind_policy " << m_bindPolicy.lower() << "\n";
stream << "pam_password " << m_passwordHash.lower() << "\n";
stream << "nss_initgroups_ignoreusers " << m_ignoredUsers << "\n";
+ stream << "tls_cacert /etc/trinity/ldap/tde-ca/public/argus5.starlink.edu.ldap.crt" << "\n";
}
file.close();
}
+ chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+
delete systemconfig;
}
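Review bot: The `tls_cacert` line writes a site-specific certificate path (`argus5.starlink.edu.ldap.crt`) into every generated ldap.conf, so on any other deployment the CA file will not exist and TLS binds will fail with exactly the "Invalid LDAP Certificate Authority file" cause this commit adds to ldapLikelyErrorCause; the path should come from the realm configuration passed in or a build-time constant beside `KDE_CONFDIR`, e.g. `stream << "tls_cacert " << <ca-path-from-realmcfg> << "\n";`. The `chmod(LDAP_FILE, ...)` is unconditional, so it also runs when the open failed, and its return value is not checked. It only tightens the mode after the contents are already on disk under whatever mode the open produced; 0644 is the usual mode for a client ldap.conf, but if this file ever carries a bind password the mode must be applied at creation and be owner-only. writeLDAPConfFile() starts outside the hunk, so I cannot see how the open is guarded.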
@@ -1473,6 +1492,15 @@ TQString LDAPManager::getMachineFQDN() {
//
// ===============================================================================================================
+LDAPCredentials::LDAPCredentials() {
+ // TQStrings are always initialized to TQString::null, so they don't need initialization here...
+ use_tls = true;
+}
+
+LDAPCredentials::~LDAPCredentials() {
+ //
+}
+
LDAPUserInfo::LDAPUserInfo() {
// TQStrings are always initialized to TQString::null, so they don't need initialization here...
informationValid = false;
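Review bot: `LDAPCredentials::~LDAPCredentials()` is an empty body with a bare `//` placeholder; either drop it (the class holds only TQString/TQCString/bool members, so the implicit destructor is correct) or give it a purpose, such as overwriting `password` before the object goes away so the cleartext does not linger in freed heap memory — `password.fill(0);` is a best-effort step, since TQCString is implicitly shared and a copy may survive elsewhere. The constructor comment is copied verbatim from LDAPUserInfo below and says nothing about the one member it does set; `// Encrypt by default; the login dialog may override this` documents the intent of `use_tls = true` better.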
diff --git a/src/libtdeldap.h b/src/libtdeldap.h
index 38ae847..bf0106a 100644
--- a/src/libtdeldap.h
+++ b/src/libtdeldap.h
@@ -66,9 +66,14 @@ typedef TQValueList<gid_t> GroupList;
class LDAPCredentials
{
public:
+ LDAPCredentials();
+ ~LDAPCredentials();
+
+ public:
TQString username;
TQCString password;
TQString realm;
+ bool use_tls;
};
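Review bot: The second `public:` label is redundant — the one above the constructor already applies to the data members; remove it, or leave a comment if the intent is to visually separate functions from fields. The new `use_tls` field deserves a note on what it actually selects, because the checkbox text says "Use LDAP TLS" and the .cpp hunks map it to an `ldaps://` URI on `LDAP_SECURE_PORT` rather than StartTLS: `bool use_tls; // connect via ldaps:// (LDAP_SECURE_PORT), not StartTLS`. Since this C++ dialect has no in-class initializers, setting the default in the constructor is the right place; the declaration could say so (`LDAPCredentials(); // use_tls defaults to true`).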
// PRIVATE