diff options
-rw-r--r-- | src/libtdeldap.cpp | 127 |
1 files changed, 102 insertions, 25 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp index de1ef0f..415a5a7 100644 --- a/src/libtdeldap.cpp +++ b/src/libtdeldap.cpp @@ -56,6 +56,7 @@ // This assumes Debian! #define LDAP_FILE "/etc/ldap/ldap.conf" #define LDAP_SECONDARY_FILE "/etc/ldap.conf" +#define LDAP_TERTIARY_FILE "/etc/libnss-ldap.conf" #define TDELDAP_SUDO_D_FILE "/etc/sudoers.d/tde-realm-admins" #define CRON_UPDATE_NSS_FILE "/etc/cron.daily/upd-local-nss-db" @@ -1019,7 +1020,13 @@ KerberosTicketInfoList LDAPManager::getKerberosTicketList(TQString cache, TQStri TQString global_cachevers; TQString line; - FILE *output = popen("klist -v 2>&1", "r"); + FILE *output; + if (cache != "") { + output = popen((TQString("klist --cache=%1 -v 2>&1").arg(cache)).ascii(), "r"); + } + else { + output = popen("klist -v 2>&1", "r"); + } TQFile f; f.open(IO_ReadOnly, output); TQTextStream stream(&f); @@ -1496,8 +1503,6 @@ int LDAPManager::addGroupInfo(LDAPGroupInfo group) { } int LDAPManager::addServiceInfo(LDAPServiceInfo service, TQString *errstr) { - int retcode; - int i; LDAPGroupInfo serviceinfo; if (bind() < 0) { @@ -1907,7 +1912,6 @@ LDAPMachineInfoList LDAPManager::machines(int* mretcode) { } LDAPServiceInfoList LDAPManager::services(int* mretcode) { - int retcode; LDAPServiceInfoList services; if (bind() < 0) { @@ -2090,18 +2094,17 @@ int LDAPManager::moveKerberosEntries(TQString newSuffix, TQString* errstr) { void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) { KSimpleConfig* systemconfig; TQString m_defaultRealm; - int m_ticketLifetime; int m_ldapVersion; int m_ldapTimeout; TQString m_bindPolicy; int m_ldapBindTimeout; TQString m_passwordHash; TQString m_ignoredUsers; + TQString command; systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" )); systemconfig->setGroup(NULL); m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null); - m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400); m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3); m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2); @@ -2134,9 +2137,32 @@ void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) { file.close(); } - chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + if (chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) { + printf("ERROR: Unable to change permissions of \"%s\"\n\r", LDAP_FILE); + return; + } - system(TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_SECONDARY_FILE).ascii()); + // Create symbolic link to secondary LDAP configuration file + if (unlink(LDAP_SECONDARY_FILE) < 0) { + printf("ERROR: Unable to unlink \"%s\"\n\r", LDAP_SECONDARY_FILE); + return; + } + command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_SECONDARY_FILE); + if (system(command) < 0) { + printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii()); + return; + } + + // Create symbolic link to tertiary LDAP configuration file + if (unlink(LDAP_TERTIARY_FILE) < 0) { + printf("ERROR: Unable to unlink \"%s\"\n\r", LDAP_TERTIARY_FILE); + return; + } + command = TQString("ln -s %1 %2").arg(LDAP_FILE).arg(LDAP_TERTIARY_FILE); + if (system(command) < 0) { + printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii()); + return; + } delete systemconfig; } @@ -2306,8 +2332,14 @@ int LDAPManager::writeSudoersConfFile(TQString *errstr) { file.close(); } - chown(TDELDAP_SUDO_D_FILE, 0, 0); - chmod(TDELDAP_SUDO_D_FILE, S_IRUSR|S_IRGRP); + if (chown(TDELDAP_SUDO_D_FILE, 0, 0) < 0) { + printf("ERROR: Unable to change owner of \"%s\"\n\r", TDELDAP_SUDO_D_FILE); + return -1; + } + if (chmod(TDELDAP_SUDO_D_FILE, S_IRUSR|S_IRGRP) < 0) { + printf("ERROR: Unable to change permissions of \"%s\"\n\r", TDELDAP_SUDO_D_FILE); + return -1; + } return 0; } @@ -2326,7 +2358,10 @@ void LDAPManager::writeCronFiles() { file.close(); } - system(CRON_UPDATE_NSS_COMMAND); + if (system(CRON_UPDATE_NSS_COMMAND) < 0) { + printf("ERROR: Execution of \"%s\" failed!\n\r", CRON_UPDATE_NSS_COMMAND); + return; + } } void LDAPManager::writePrimaryRealmCertificateUpdateCronFile() { @@ -2343,7 +2378,10 @@ void LDAPManager::writePrimaryRealmCertificateUpdateCronFile() { file.close(); } - system(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND); + if (system(CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND) < 0) { + printf("ERROR: Execution of \"%s\" failed!\n\r", CRON_UPDATE_PRIMARY_REALM_CERTIFICATES_COMMAND); + return; + } } LDAPRealmConfigList LDAPManager::readTDERealmList(KSimpleConfig* config, bool disableAllBonds) { @@ -2447,9 +2485,18 @@ int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) { TQString command; command = TQString("openssl req -key %1 -new -x509 -out %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); - system(command); - chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - chown(KERBEROS_PKI_PEM_FILE, 0, 0); + if (system(command) < 0) { + printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii()); + return -1; + } + if (chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) { + printf("ERROR: Unable to change permissions of \"%s\"\n\r", KERBEROS_PKI_PEM_FILE); + return -1; + } + if (chown(KERBEROS_PKI_PEM_FILE, 0, 0) < 0) { + printf("ERROR: Unable to change owner of \"%s\"\n\r", KERBEROS_PKI_PEM_FILE); + return -1; + } return 0; } @@ -2465,12 +2512,27 @@ int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAP kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.kdc); command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress); - system(command); + if (system(command) < 0) { + printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii()); + return -1; + } command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -extfile %5 -extensions kdc_cert -CAcreateserial").arg(kdc_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(kdc_certfile).arg(OPENSSL_EXTENSIONS_FILE); - system(command); - chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - chown(kdc_certfile.ascii(), 0, 0); - unlink(kdc_reqfile.ascii()); + if (system(command) < 0) { + printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii()); + return -1; + } + if (chmod(kdc_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) { + printf("ERROR: Unable to change permissions of \"%s\"\n\r", kdc_certfile.ascii()); + return -1; + } + if (chown(kdc_certfile.ascii(), 0, 0) < 0) { + printf("ERROR: Unable to change owner of \"%s\"\n\r", kdc_certfile.ascii()); + return -1; + } + if (unlink(kdc_reqfile.ascii()) < 0) { + printf("ERROR: Unable to unlink \"%s\"\n\r", kdc_reqfile.ascii()); + return -1; + } return 0; } @@ -2486,12 +2548,27 @@ int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPReal ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.admin_server); command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress); - system(command); + if (system(command) < 0) { + printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii()); + return -1; + } command = TQString("openssl x509 -req -in %1 -CAkey %2 -CA %3 -out %4 -CAcreateserial").arg(ldap_reqfile).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(ldap_certfile); - system(command); - chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - chown(ldap_certfile.ascii(), ldap_uid, ldap_gid); - unlink(ldap_reqfile.ascii()); + if (system(command) < 0) { + printf("ERROR: Execution of \"%s\" failed!\n\r", command.ascii()); + return -1; + } + if (chmod(ldap_certfile.ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) < 0) { + printf("ERROR: Unable to change permissions of \"%s\"\n\r", ldap_certfile.ascii()); + return -1; + } + if (chown(ldap_certfile.ascii(), ldap_uid, ldap_gid) < 0) { + printf("ERROR: Unable to change owner of \"%s\"\n\r", ldap_certfile.ascii()); + return -1; + } + if (unlink(ldap_reqfile.ascii()) < 0) { + printf("ERROR: Unable to unlink \"%s\"\n\r", ldap_reqfile.ascii()); + return -1; + } return 0; } |