summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/libtdeldap.cpp127
1 files changed, 102 insertions, 25 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index de1ef0f..415a5a7 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -56,6 +56,7 @@
// This assumes Debian!
#define LDAP_FILE "/etc/ldap/ldap.conf"
#define LDAP_SECONDARY_FILE "/etc/ldap.conf"
+#define LDAP_TERTIARY_FILE "/etc/libnss-ldap.conf"
#define TDELDAP_SUDO_D_FILE "/etc/sudoers.d/tde-realm-admins"
#define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db"
@@ -1019,7 +1020,13 @@ KerberosTicketInfoList LDAPManager::getKerberosTicketList(TQString cache, TQStri
TQString global_cachevers;
TQString line;
- FILE *output = popen("klist -v 2>&1", "r");
+ FILE *output;
+ if (cache != "") {
+ output = popen((TQString("klist --cache=%1 -v 2>&1").arg(cache)).ascii(), "r");
+ }
+ else {
+ output = popen("klist -v 2>&1", "r");
+ }
TQFile f;
f.open(IO_ReadOnly, output);
TQTextStream stream(&f);
@@ -1496,8 +1503,6 @@ int LDAPManager::addGroupInfo(LDAPGroupInfo group) {
}
int LDAPManager::addServiceInfo(LDAPServiceInfo service, TQString *errstr) {
- int retcode;
- int i;
LDAPGroupInfo serviceinfo;
if (bind() < 0) {
@@ -1907,7 +1912,6 @@ LDAPMachineInfoList LDAPManager::machines(int* mretcode) {
}
LDAPServiceInfoList LDAPManager::services(int* mretcode) {
- int retcode;
LDAPServiceInfoList services;
if (bind() < 0) {
@@ -2090,18 +2094,17 @@ int LDAPManager::moveKerberosEntries(TQString newSuffix, TQString* errstr) {
void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) {
KSimpleConfig* systemconfig;
TQString m_defaultRealm;
- int m_ticketLifetime;
int m_ldapVersion;
int m_ldapTimeout;
TQString m_bindPolicy;
int m_ldapBindTimeout;
TQString m_passwordHash;
TQString m_ignoredUsers;
+ TQString command;
systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
systemconfig->setGroup(NULL);
m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null);
- m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400);
m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3);
m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2);
@@ -2134,9 +2137,32 @@ void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) {
file.close();
}
- chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ if (chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+ printf("ERROR: Unable to change permissions of \"%s\"\n\r", LDAP_FILE);
+ return;
+ }
- system(TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_SECONDARY_FILE).ascii());
+ // Create symbolic link to secondary LDAP configuration file
+ if (unlink(LDAP_SECONDARY_FILE) < 0) {
+ printf("ERROR: Unable to unlink \"%s\"\n\r", LDAP_SECONDARY_FILE);
+ return;
+ }
+ command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_SECONDARY_FILE);
+ if (system(command) < 0) {
+ printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
+ return;
+ }
+
+ // Create symbolic link to tertiary LDAP configuration file
+ if (unlink(LDAP_TERTIARY_FILE) < 0) {
+ printf("ERROR: Unable to unlink \"%s\"\n\r", LDAP_TERTIARY_FILE);
+ return;
+ }
+ command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_TERTIARY_FILE);
+ if (system(command) < 0) {
+ printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
+ return;
+ }
delete systemconfig;
}
@@ -2306,8 +2332,14 @@ int LDAPManager::writeSudoersConfFile(TQString *errstr) {
file.close();
}
- chown(TDELDAP_SUDO_D_FILE, 0, 0);
- chmod(TDELDAP_SUDO_D_FILE, S_IRUSR|S_IRGRP);
+ if (chown(TDELDAP_SUDO_D_FILE, 0, 0) < 0) {
+ printf("ERROR: Unable to change owner of \"%s\"\n\r", TDELDAP_SUDO_D_FILE);
+ return -1;
+ }
+ if (chmod(TDELDAP_SUDO_D_FILE, S_IRUSR|S_IRGRP) < 0) {
+ printf("ERROR: Unable to change permissions of \"%s\"\n\r", TDELDAP_SUDO_D_FILE);
+ return -1;
+ }
return 0;
}
@@ -2326,7 +2358,10 @@ void LDAPManager::writeCronFiles() {
file.close();
}
- system(CRON_UPDATE_NSS_COMMAND);
+ if (system(CRON_UPDATE_NSS_COMMAND) < 0) {
+ printf("ERROR: Execution of \"%s\" failed!\n\r", CRON_UPDATE_NSS_COMMAND);
+ return;
+ }
}
void LDAPManager::writePrimaryRealmCertificateUpdateCronFile() {
@@ -2343,7 +2378,10 @@ void LDAPManager::writePrimaryRealmCertificateUpdateCronFile() {
file.close();
}
- system(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND);
+ if (system(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND) < 0) {
+ printf("ERROR: Execution of \"%s\" failed!\n\r", CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND);
+ return;
+ }
}
LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool disableAllBonds) {
@@ -2447,9 +2485,18 @@ int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) {
TQString command;
command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
- system(command);
- chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- chown(KERBEROS_PKI_PEM_FILE, 0, 0);
+ if (system(command) < 0) {
+ printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
+ return -1;
+ }
+ if (chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+ printf("ERROR: Unable to change permissions of \"%s\"\n\r", KERBEROS_PKI_PEM_FILE);
+ return -1;
+ }
+ if (chown(KERBEROS_PKI_PEM_FILE, 0, 0) < 0) {
+ printf("ERROR: Unable to change owner of \"%s\"\n\r", KERBEROS_PKI_PEM_FILE);
+ return -1;
+ }
return 0;
}
@@ -2465,12 +2512,27 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP
kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.kdc);
command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
- system(command);
+ if (system(command) < 0) {
+ printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
+ return -1;
+ }
command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE);
- system(command);
- chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- chown(kdc_certfile.ascii(), 0, 0);
- unlink(kdc_reqfile.ascii());
+ if (system(command) < 0) {
+ printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
+ return -1;
+ }
+ if (chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+ printf("ERROR: Unable to change permissions of \"%s\"\n\r", kdc_certfile.ascii());
+ return -1;
+ }
+ if (chown(kdc_certfile.ascii(), 0, 0) < 0) {
+ printf("ERROR: Unable to change owner of \"%s\"\n\r", kdc_certfile.ascii());
+ return -1;
+ }
+ if (unlink(kdc_reqfile.ascii()) < 0) {
+ printf("ERROR: Unable to unlink \"%s\"\n\r", kdc_reqfile.ascii());
+ return -1;
+ }
return 0;
}
@@ -2486,12 +2548,27 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal
ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server);
command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress);
- system(command);
+ if (system(command) < 0) {
+ printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
+ return -1;
+ }
command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile);
- system(command);
- chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- chown(ldap_certfile.ascii(), ldap_uid, ldap_gid);
- unlink(ldap_reqfile.ascii());
+ if (system(command) < 0) {
+ printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii());
+ return -1;
+ }
+ if (chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) {
+ printf("ERROR: Unable to change permissions of \"%s\"\n\r", ldap_certfile.ascii());
+ return -1;
+ }
+ if (chown(ldap_certfile.ascii(), ldap_uid, ldap_gid) < 0) {
+ printf("ERROR: Unable to change owner of \"%s\"\n\r", ldap_certfile.ascii());
+ return -1;
+ }
+ if (unlink(ldap_reqfile.ascii()) < 0) {
+ printf("ERROR: Unable to unlink \"%s\"\n\r", ldap_reqfile.ascii());
+ return -1;
+ }
return 0;
}