Branch: master

d6f00465 2015-08-25 11:13:14 Timothy Pearson
Allow certificate expiry to be set
M src/libtdeldap.cpp
M src/libtdeldap.h
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 0e551b4..f009297 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -2658,7 +2658,6 @@
 
 TQString LDAPManager::getRealmCAMaster(TQString* errstr) {
 	int retcode;
-	int i;
 	TQString realmCAMaster;
 
 	TQString dn = TQString("cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1").arg(m_basedc);
@@ -3743,6 +3742,8 @@
 }
 
 int LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config, TQString *errstr) {
+	Q_UNUSED(errstr)
+
 	LDAPRealmConfigList::Iterator it;
 	for (it = realms.begin(); it != realms.end(); ++it) {
 		LDAPRealmConfig realmcfg = it.data();
@@ -3805,8 +3806,9 @@
 int LDAPManager::generatePublicKerberosCACertificate(LDAPCertConfig certinfo) {
 	TQString command;
 	TQString subject;
+
 	subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
-	command = TQString("openssl req -days %1 -key %2 -new -x509 -out %3 -subj %4").arg(KERBEROS_PKI_PEMKEY_EXPIRY_DAYS).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(subject);
+	command = TQString("openssl req -days %1 -key %2 -new -x509 -out %3 -subj %4").arg(certinfo.caExpiryDays).arg(KERBEROS_PKI_PEMKEY_FILE).arg(KERBEROS_PKI_PEM_FILE).arg(subject);
 	if (system(command) < 0) {
 		printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
 		return -1;
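Review bot: `certinfo.caExpiryDays` is interpolated into `-days` on the new command line with no range check, and the `int` member is introduced by this same commit without a visible initializer, so an unset, zero or negative value produces a CA certificate that is already expired (or an openssl failure) rather than the old one-year default. A guard before the command, `int days = (certinfo.caExpiryDays > 0) ? certinfo.caExpiryDays : KERBEROS_PKI_PEMKEY_EXPIRY_DAYS;`, keeps the previous behaviour as the fallback. Note also that `system(command) < 0` only detects a failure to spawn the shell, so a non-zero openssl exit status sails through this check, and the quoted `certinfo.*` subject fields reach the shell unescaped — both predate this commit but matter more now that more values are user-settable. generatePublicKerberosCACertificate continues past the end of the hunk.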
@@ -3825,6 +3827,7 @@
 
 int LDAPManager::generatePublicKerberosCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg) {
 	TQString command;
+	TQString subject;
 
 	TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
 	TQString kdc_keyfile = KERBEROS_PKI_KDCKEY_FILE;
@@ -3833,7 +3836,8 @@
 	kdc_keyfile.replace("@@@KDCSERVER@@@", realmcfg.name.lower());
 	kdc_reqfile.replace("@@@KDCSERVER@@@", realmcfg.name.lower());
 
-	command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(kdc_reqfile).arg(kdc_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
+	subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
+	command = TQString("openssl req -days %1 -new -out %2 -key %3 -subj %4").arg(certinfo.kerberosExpiryDays).arg(kdc_reqfile).arg(kdc_keyfile).arg(subject);
 	if (system(command) < 0) {
 		printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
 		return -1;
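Review bot: The `-days %1` added to this `openssl req` invocation has no effect, because the command has no `-x509` and therefore only emits a CSR; `openssl req` honours `-days` only when it self-signs, so `certinfo.kerberosExpiryDays` never reaches the KDC certificate. The lifetime must instead be given to whatever signs the request — presumably an `openssl x509 -req ... -days` or `openssl ca -days` step later in this function, which is outside the hunk — and `-days %1` can be dropped from this line again. As on the CA path, the value should be checked for `> 0` (falling back to `KERBEROS_PKI_KRB_EXPIRY_DAYS`) before it is interpolated into a shell command. generatePublicKerberosCertificate continues past the end of the hunk.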
@@ -3863,6 +3867,7 @@
 
 int LDAPManager::generatePublicLDAPCertificate(LDAPCertConfig certinfo, LDAPRealmConfig realmcfg, uid_t ldap_uid, gid_t ldap_gid) {
 	TQString command;
+	TQString subject;
 
 	TQString ldap_certfile = LDAP_CERT_FILE;
 	TQString ldap_keyfile = LDAP_CERTKEY_FILE;
@@ -3871,7 +3876,8 @@
 	ldap_keyfile.replace("@@@ADMINSERVER@@@", realmcfg.name.lower());
 	ldap_reqfile.replace("@@@ADMINSERVER@@@", realmcfg.name.lower());
 
-	command = TQString("openssl req -new -out %1 -key %2 -subj \"/C=%3/ST=%4/L=%5/O=%6/OU=%7/CN=%8/emailAddress=%9\"").arg(ldap_reqfile).arg(ldap_keyfile).arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(realmcfg.admin_server).arg(certinfo.emailAddress);
+	subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/CN=%6/emailAddress=%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(certinfo.commonName).arg(certinfo.emailAddress);
+	command = TQString("openssl req -days %1 -new -out %2 -key %3 -subj %4").arg(certinfo.ldapExpiryDays).arg(ldap_reqfile).arg(ldap_keyfile).arg(subject);
 	if (system(command) < 0) {
 		printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
 		return -1;
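Review bot: The rewritten subject changes the LDAP server certificate's CN from `realmcfg.admin_server` (the removed line's %8 argument) to `certinfo.commonName`, which the commit message does not mention; TLS clients match the CN against the LDAP server's hostname, so this regresses hostname verification and makes the server and CA certificates share a CN. Preserve the old behaviour by keeping `.arg(realmcfg.admin_server)` in the CN position of the subject string. Separately, `-days` is ignored by `openssl req -new` without `-x509` (this command only produces a CSR), so `certinfo.ldapExpiryDays` has to be applied at the signing step, which lies outside the hunk. generatePublicLDAPCertificate continues past the end of the hunk.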
@@ -3957,6 +3963,8 @@
 }
 
 int LDAPManager::saveClientRealmConfig(LDAPClientRealmConfig clientRealmConfig, KSimpleConfig* config, TQString *errstr) {
+	Q_UNUSED(errstr)
+
 	config->setGroup(NULL);
 	config->writeEntry("EnableLDAP", clientRealmConfig.enable_bonding);
 	config->writeEntry("HostFQDN", clientRealmConfig.hostFQDN);
@@ -4030,6 +4038,11 @@
 
 		file.close();
 	}
+	else {
+		if (errstr) {
+			*errstr = i18n("Could not open file '%1' for writing").arg(file.name());
+		}
+	}
 
 	return 0;
 }
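Review bot: The new else branch records the open failure in `errstr` but execution then falls through to `return 0;`, so a caller that tests the return code — the convention the certificate helpers in this file use, returning -1 on failure — sees success and never looks at the message. Returning a failure code from the branch, `return -1;` right after the `*errstr` assignment, makes the error observable; I am assuming this function follows the same convention, since its start is outside the hunk.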
@@ -4058,6 +4071,11 @@
 
 		file.close();
 	}
+	else {
+		if (errstr) {
+			*errstr = i18n("Could not open file '%1' for writing").arg(file.name());
+		}
+	}
 
 	return 0;
 }
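Review bot: The else branch fills in `errstr` and then the function still returns 0, so the failure to write the file is reported only through an optional out-parameter while the return value claims success. Add `return -1;` after setting `*errstr` (the function's start is outside the hunk, so confirm that -1 is the failure value its callers expect, as it is for the certificate helpers above).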
@@ -4075,6 +4093,11 @@
 		stream << "account required pam_permit.so" << "\n";
 
 		file.close();
+	}
+	else {
+		if (errstr) {
+			*errstr = i18n("Could not open file '%1' for writing").arg(file.name());
+		}
 	}
 
 	TQFile file2(PAMD_DIRECTORY PAMD_COMMON_AUTH);
@@ -4094,6 +4117,11 @@
 		stream << "auth required pam_deny.so" << "\n";
 
 		file2.close();
+	}
+	else {
+		if (errstr) {
+			*errstr = i18n("Could not open file '%1' for writing").arg(file2.name());
+		}
 	}
 
 	TQFile file3(PAMD_DIRECTORY PAMD_COMMON_SESSION);
@@ -4126,6 +4154,11 @@
 
 		file3.close();
 	}
+	else {
+		if (errstr) {
+			*errstr = i18n("Could not open file '%1' for writing").arg(file3.name());
+		}
+	}
 
 	return 0;
 }
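Review bot: This branch, like the ones added for `file` and `file2` earlier in the same function, overwrites the single `errstr` and then lets the function continue, so when two of the PAM files fail to open only the last message survives, and the function still ends with `return 0;`. Because these are PAM stack files (`common-auth`, `common-session`), a partially rewritten set with a success return is a security-relevant state the caller cannot detect. Return `-1` from each else branch (or track a failure flag and return it at the end) so the caller can abort or roll back; the function's start is outside the hunk.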
diff --git a/src/libtdeldap.h b/src/libtdeldap.h
index a1573c7..09db75d 100644
--- a/src/libtdeldap.h
+++ b/src/libtdeldap.h
@@ -65,6 +65,10 @@
 // 1 year
 #define KERBEROS_PKI_PEMKEY_EXPIRY_DAYS 365
 
+// 1 month
+#define KERBEROS_PKI_KRB_EXPIRY_DAYS 30
+#define KERBEROS_PKI_LDAP_EXPIRY_DAYS 30
+
 // Values from hdb.asn1
 enum LDAPKRB5Flags {
 	KRB5_INITIAL			= 0x00000001,
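Review bot: Neither `KERBEROS_PKI_KRB_EXPIRY_DAYS` nor `KERBEROS_PKI_LDAP_EXPIRY_DAYS` is referenced by the accompanying libtdeldap.cpp change, which reads `certinfo.kerberosExpiryDays` and `certinfo.ldapExpiryDays` instead, so it is not visible here where these become the defaults. A comment naming the consumer would help, e.g. `// Default lifetimes for LDAPCertConfig::kerberosExpiryDays / ldapExpiryDays (KDC and LDAP server certificates)`. A 30-day service-certificate lifetime also means the realm's KDC and LDAP TLS breaks monthly unless renewal is automated, which is worth stating next to the value.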
@@ -190,6 +194,10 @@
 		TQString provided_ldap_crt;
 		TQString provided_ldap_key;
 
+		int caExpiryDays;
+		int kerberosExpiryDays;
+		int ldapExpiryDays;
+
 		TQString countryName;
 		TQString stateOrProvinceName;
 		TQString localityName;
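Review bot: The three new `int` members carry no initializer, and since they are interpolated into `-days` on openssl command lines in the .cpp change, an LDAPCertConfig constructed without setting them passes an indeterminate value to the shell. If the class has no constructor (its definition starts outside the hunk, so I cannot tell), add one that seeds them from the header defaults, `LDAPCertConfig() : caExpiryDays(KERBEROS_PKI_PEMKEY_EXPIRY_DAYS), kerberosExpiryDays(KERBEROS_PKI_KRB_EXPIRY_DAYS), ldapExpiryDays(KERBEROS_PKI_LDAP_EXPIRY_DAYS) {}`, and document the unit above the members with `// certificate lifetimes, in days`.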