authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-08-25 11:13:14 -0500
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-08-25 11:13:14 -0500
commitd6f004658dac16c19a6e4a6109b93b5b52adddc0 (patch)
treea37dc7f4df2a2460ddc93863a763eb91ad295a13
parentf4afc1290d29af023cef891b361cb34e11d229d8 (diff)
Allow certificate expiry to be set
-rw-r--r--src/libtdeldap.cpp41
-rw-r--r--src/libtdeldap.h8
2 files changed, 45 insertions, 4 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 0e551b4..f009297 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -2658,7 +2658,6 @@ int LDAPManager::writeCertificateFileIntoDirectory(TQByteArray cert, TQString at
TQString LDAPManager::getRealmCAMaster(TQString* errstr) {
int retcode;
- int i;
TQString realmCAMaster;
TQString dn = TQString("cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1").arg(m_basedc);
@@ -3743,6 +3742,8 @@ LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool di
}
int LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config, TQString *errstr) {
+ Q_UNUSED(errstr)
+
LDAPRealmConfigList::Iterator it;
for (it = realms.begin(); it != realms.end(); ++it) {
LDAPRealmConfig realmcfg = it.data();
@@ -3805,8 +3806,9 @@ TQDateTime LDAPManager::getCertificateExpiration(TQString certfile) {
int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) {
TQString command;
TQString subject;
+
subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
- command = TQString("openssl req -days %1 -key %2 -new -x509 -out %3 -subj %4").arg(KERBEROS_PKI_PEMKEY_EXPIRY_DAYS).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(subject);
+ command = TQString("openssl req -days %1 -key %2 -new -x509 -out %3 -subj %4").arg(certinfo.caExpiryDays).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(subject);
if (system(command) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
return -1;
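Review bot: `certinfo.caExpiryDays` goes straight into the `-days` argument on the new `command = TQString("openssl req -days %1 ...` line with no check that it is positive, so a zero, negative or never-set value is handed to openssl as-is; the same applies to `kerberosExpiryDays` and `ldapExpiryDays` in the two hunks that follow. A guard before the command is built, `if (certinfo.caExpiryDays <= 0) { printf("ERROR: Invalid CA certificate expiry %d\n", certinfo.caExpiryDays); return -1; }`, keeps the function's existing -1 error convention. The rewritten subject line also still splices the certinfo fields into a system() command line protected only by double quotes, so those fields have to be trusted or sanitised before this is called; that predates the commit, but the new subject lines carry it forward. generatePublicKerberosCACertificate continues past the end of the hunk.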
@@ -3825,6 +3827,7 @@ int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) {
int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg) {
TQString command;
+ TQString subject;
TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE;
@@ -3833,7 +3836,8 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP
kdc_keyfile.replace("@@@KDCSERVER@@@", realmcfg.name.lower());
kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.name.lower());
- command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
+ subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
+ command = TQString("openssl req -days %1 -new -out %2 -key %3 -subj %4").arg(certinfo.kerberosExpiryDays).arg(kdc_reqfile).arg(kdc_keyfile).arg(subject);
if (system(command) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
return -1;
@@ -3863,6 +3867,7 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP
int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid) {
TQString command;
+ TQString subject;
TQString ldap_certfile = LDAP_CERT_FILE;
TQString ldap_keyfile = LDAP_CERTKEY_FILE;
@@ -3871,7 +3876,8 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal
ldap_keyfile.replace("@@@ADMINSERVER@@@", realmcfg.name.lower());
ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.name.lower());
- command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress);
+ subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
+ command = TQString("openssl req -days %1 -new -out %2 -key %3 -subj %4").arg(certinfo.ldapExpiryDays).arg(ldap_reqfile).arg(ldap_keyfile).arg(subject);
if (system(command) < 0) {
printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
return -1;
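Review bot: The LDAP server certificate's CN changes meaning in this hunk: the removed line used `.arg(realmcfg.admin_server)` for the `CN=` field, while the new subject line uses `.arg(certinfo.commonName)`, which reads like a copy of the Kerberos subject rather than an intended change. Clients that verify the LDAP server's hostname against the certificate CN would stop matching whenever commonName is not the admin server's name. If that is unintended, the new subject line should end `.arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress);` as before. generatePublicLDAPCertificate continues past the end of the hunk.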
@@ -3957,6 +3963,8 @@ LDAPClientRealmConfig LDAPManager::loadClientRealmConfig(KSimpleConfig* config,
}
int LDAPManager::saveClientRealmConfig(LDAPClientRealmConfig clientRealmConfig, KSimpleConfig* config, TQString *errstr) {
+ Q_UNUSED(errstr)
+
config->setGroup(NULL);
config->writeEntry("EnableLDAP", clientRealmConfig.enable_bonding);
config->writeEntry("HostFQDN", clientRealmConfig.hostFQDN);
@@ -4030,6 +4038,11 @@ int LDAPManager::writeClientKrb5ConfFile(LDAPClientRealmConfig clientRealmConfig
file.close();
}
+ else {
+ if (errstr) {
+ *errstr = i18n("Could not open file '%1' for writing").arg(file.name());
+ }
+ }
return 0;
}
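Review bot: The new else branch fills in `errstr` when the file cannot be opened for writing, but control then falls through to the unchanged `return 0;`, so a caller that checks the return code still sees success and only the optional error string records the failure. The same pattern appears in the writeNSSwitchFile hunk and in the three else branches added to writePAMFiles, the last of which is followed by the same `return 0;`. Adding `return -1;` after the `*errstr = ...` assignment makes the failure visible; in writePAMFiles an early return would skip the remaining PAM files, so a failure flag checked before the final return may fit better there. writeClientKrb5ConfFile begins before the start of the hunk.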
@@ -4058,6 +4071,11 @@ int LDAPManager::writeNSSwitchFile(TQString *errstr) {
file.close();
}
+ else {
+ if (errstr) {
+ *errstr = i18n("Could not open file '%1' for writing").arg(file.name());
+ }
+ }
return 0;
}
@@ -4076,6 +4094,11 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
file.close();
}
+ else {
+ if (errstr) {
+ *errstr = i18n("Could not open file '%1' for writing").arg(file.name());
+ }
+ }
TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH);
if (file2.open(IO_WriteOnly)) {
@@ -4095,6 +4118,11 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
file2.close();
}
+ else {
+ if (errstr) {
+ *errstr = i18n("Could not open file '%1' for writing").arg(file2.name());
+ }
+ }
TQFile file3(PAMD_DIRECTORY PAMD_COMMON_SESSION);
if (file3.open(IO_WriteOnly)) {
@@ -4126,6 +4154,11 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
file3.close();
}
+ else {
+ if (errstr) {
+ *errstr = i18n("Could not open file '%1' for writing").arg(file3.name());
+ }
+ }
return 0;
}
diff --git a/src/libtdeldap.h b/src/libtdeldap.h
index a1573c7..09db75d 100644
--- a/src/libtdeldap.h
+++ b/src/libtdeldap.h
@@ -65,6 +65,10 @@
// 1 year
#define KERBEROS_PKI_PEMKEY_EXPIRY_DAYS 365
+// 1 month
+#define KERBEROS_PKI_KRB_EXPIRY_DAYS 30
+#define KERBEROS_PKI_LDAP_EXPIRY_DAYS 30
+
// Values from hdb.asn1
enum LDAPKRB5Flags {
KRB5_INITIAL = 0x00000001,
@@ -190,6 +194,10 @@ class LDAPCertConfig
TQString provided_ldap_crt;
TQString provided_ldap_key;
+ int caExpiryDays;
+ int kerberosExpiryDays;
+ int ldapExpiryDays;
+
TQString countryName;
TQString stateOrProvinceName;
TQString localityName;
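Review bot: The three new members `caExpiryDays`, `kerberosExpiryDays` and `ldapExpiryDays` are plain ints added without any initialisation in this hunk, and the two macros introduced in the earlier hunk of this header (`KERBEROS_PKI_KRB_EXPIRY_DAYS`, `KERBEROS_PKI_LDAP_EXPIRY_DAYS`) are not referenced anywhere else in the commit, so unless a constructor outside the diff sets them, an LDAPCertConfig filled in by existing callers carries indeterminate values into the `-days` arguments of the openssl commands. Initialising them where LDAPCertConfig is constructed, e.g. `caExpiryDays = KERBEROS_PKI_PEMKEY_EXPIRY_DAYS; kerberosExpiryDays = KERBEROS_PKI_KRB_EXPIRY_DAYS; ldapExpiryDays = KERBEROS_PKI_LDAP_EXPIRY_DAYS;`, would preserve the previous one-year CA default and give the new macros a use. A short comment above the members naming the unit, `// certificate lifetimes, in days`, would also help. class LDAPCertConfig begins before the start of the hunk.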