Branch: master

bc95fa92 2015-08-31 18:39:08 Timothy Pearson
Properly set CRL URL and fix up a few other glitches
M src/libtdeldap.cpp
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 5be4ce6..66a1397 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -3859,10 +3859,10 @@
 
 	TQString common_name = TQString::null;
 	if (realmcfg.kdc != "") {
-		common_name = TQString("/CN=%1").arg(common_name);
+		common_name = TQString("/CN=%1").arg(realmcfg.kdc);
 	}
 
-	subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name));
+	subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name));
 	command = TQString("openssl req -days %1 -new -out %2 -key %3 -config %4 -subj %5").arg(certinfo.kerberosExpiryDays).arg(kdc_reqfile).arg(kdc_keyfile).arg(OPENSSL_EXTENSIONS_FILE).arg(subject);
 	if (system(command) < 0) {
 		printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
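Review bot: The subject built on the `+` line is handed to `system()` wrapped only in a pair of literal double quotes, so a `"`, `$`, backtick or backslash inside any certinfo field or in `realmcfg.kdc` either breaks the openssl command line or is interpreted by the shell; the same construction is repeated in the hunks ending at L35, L160 and L169. Because these values originate in the realm configuration rather than on the command line, the robust fix is to not go through the shell at all (fork/exec with an argument list), or at minimum to reject or escape those characters in each field before the subject is assembled. Separately, `if (system(command) < 0)` on the following context line only detects a failure to start the shell: `system()` returns the command's wait status, so openssl exiting non-zero (e.g. on a malformed subject) is treated as success and the request file is then assumed to exist; `if (system(command) != 0)` would at least surface that. The enclosing function starts and ends outside the hunk.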
@@ -3910,10 +3910,10 @@
 
 	TQString common_name = TQString::null;
 	if (realmcfg.kdc != "") {
-		common_name = TQString("/CN=%1").arg(common_name);
+		common_name = TQString("/CN=%1").arg(realmcfg.kdc);
 	}
 
-	subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5/%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name));
+	subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name));
 	command = TQString("openssl req -days %1 -new -out %2 -key %3 -config %4 -subj %5").arg(certinfo.ldapExpiryDays).arg(ldap_reqfile).arg(ldap_keyfile).arg(OPENSSL_EXTENSIONS_FILE).arg(subject);
 	if (system(command) < 0) {
 		printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
@@ -4201,6 +4201,12 @@
 }
 
 int LDAPManager::writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr) {
+	TQString crl_url = realmcfg.certificate_revocation_list_url;
+	if (crl_url == "") {
+		// Use a default to preserve certificate validity
+		// crl_url = TQString("http://%1/%2.crl").arg(realmcfg.name).arg(realmcfg.kdc);
+	}
+
 	TQDir tde_cert_dir(TDE_CERTIFICATE_DIR);
 	if (!tde_cert_dir.exists()) {
 		TQString command = TQString("mkdir -p %1").arg(TDE_CERTIFICATE_DIR);
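Review bot: `crl_url` can still be empty when this block is done, because the only default is commented out, yet the hunks ending at L80, L89, L106 and L130 now write `crlDistributionPoints = URI:` with nothing after the colon, which openssl either rejects when it parses that section or encodes as a distribution point with an empty URI — neither gives the issued certificates a usable revocation pointer. Either pick the default here or fail early, e.g. `if (crl_url == "") { if (errstr) *errstr = TQString("No CRL distribution URL configured for realm %1").arg(realmcfg.name); return /* the function's failure code */; }`, and reword the comment `// Use a default to preserve certificate validity`, which currently describes code that is not there. Note also that the old `http://%1/crl.pem` prefix is gone, so the configured value must now be a complete URL; a check that it starts with a scheme (presumably `http://` or `https://`) at the point where the configuration is read would catch the obvious misconfiguration. `writeOpenSSLConfigurationFile` continues past the end of the hunk.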
@@ -4299,7 +4305,7 @@
 		stream << "string_mask = utf8only" << "\n";
 		stream << "\n";
 		stream << "[v3_ca]" << "\n";
-		stream << "subjectKeyIdentifier=hash" << "\n";
+		stream << "subjectKeyIdentifier = hash" << "\n";
 		stream << "authorityKeyIdentifier=keyid:always,issuer:always" << "\n";
 		stream << "basicConstraints = CA:true" << "\n";
 		stream << "keyUsage = critical, cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature" << "\n";
@@ -4307,19 +4313,19 @@
 		stream << "[usr_cert]" << "\n";
 		stream << "basicConstraints=CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		stream << "\n";
 		stream << "[usr_cert_ke]" << "\n";
 		stream << "basicConstraints=CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		stream << "\n";
 		stream << "[proxy_cert]" << "\n";
 		stream << "basicConstraints=CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		// stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:foo" << "\n";
 		stream << "\n";
@@ -4337,7 +4343,7 @@
 		stream << "[pkinit_client_cert]" << "\n";
 		stream << "basicConstraints=CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		stream << "authorityKeyIdentifier=keyid,issuer" << "\n";
 		stream << "issuerAltName=issuer:copy" << "\n";
@@ -4346,14 +4352,14 @@
 		stream << "[https_cert]" << "\n";
 		stream << "basicConstraints=CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 		// stream << "extendedKeyUsage = https-server XXX" << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		stream << "\n";
 		stream << "[pkinit_kdc_cert]" << "\n";
 		stream << "basicConstraints=CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 		stream << "extendedKeyUsage = 1.3.6.1.5.2.3.5" << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		stream << "authorityKeyIdentifier=keyid,issuer" << "\n";
@@ -4375,20 +4381,20 @@
 		stream << "[proxy10_cert]" << "\n";
 		stream << "basicConstraints=CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		// stream << "proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo" << "\n";
 		stream << "\n";
 		stream << "[usr_cert_ds]" << "\n";
 		stream << "basicConstraints=CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature" << "\n";
-		stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
 		stream << "\n";
 		stream << "[ocsp_cert]" << "\n";
 		stream << "basicConstraints=CA:FALSE" << "\n";
 		stream << "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment" << "\n";
-		stream << TQString("crlDistributionPoints=URI:http://%1/crl.pem").arg(realmcfg.certificate_revocation_list_url);
+		stream << TQString("crlDistributionPoints = URI:%1").arg(crl_url) << "\n";
 		// stream << "ocsp-nocheck and kp-OCSPSigning" << "\n";
 		stream << "extendedKeyUsage = 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9" << "\n";
 		stream << "subjectKeyIdentifier = hash" << "\n";
0a81ad9d 2015-08-31 18:53:33 Timothy Pearson
Fix CN/DN ordering
M src/libtdeldap.cpp
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 66a1397..d0022f9 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -126,8 +126,12 @@
 }
 
 TQString LDAPManager::openssldcForRealm(TQString realm) {
+	TQStringList reversedDomainChunks;
 	TQStringList domainChunks = TQStringList::split(".", realm.lower());
-	TQString basedc = "DC=" + domainChunks.join("/DC=");
+	for (TQStringList::Iterator it = domainChunks.begin(); it != domainChunks.end(); it++) {
+		reversedDomainChunks.prepend(*it);
+	}
+	TQString basedc = "DC=" + reversedDomainChunks.join("/DC=");
 	basedc = "/" + basedc;
 	return basedc;
 }
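Review bot: The new label reversal in `openssldcForRealm` carries no comment explaining why the order flips, and it is exactly the kind of loop a later reader is tempted to "simplify" back to the old `join`; add `// openssl's -subj format lists RDNs root-first, so emit the DNS labels most-significant first: example.com -> /DC=com/DC=example` above the `for`. On the loop itself, `it++` makes a copy of the iterator each turn; `++it` is the conventional form for `TQStringList::Iterator`. With an empty realm the function still returns `/DC=` (split yields no chunks and the join is empty), so either guard that case or document it as a precondition of the function.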
@@ -3862,7 +3866,7 @@
 		common_name = TQString("/CN=%1").arg(realmcfg.kdc);
 	}
 
-	subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name));
+	subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(openssldcForRealm(realmcfg.name)).arg(common_name);
 	command = TQString("openssl req -days %1 -new -out %2 -key %3 -config %4 -subj %5").arg(certinfo.kerberosExpiryDays).arg(kdc_reqfile).arg(kdc_keyfile).arg(OPENSSL_EXTENSIONS_FILE).arg(subject);
 	if (system(command) < 0) {
 		printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());
@@ -3913,7 +3917,7 @@
 		common_name = TQString("/CN=%1").arg(realmcfg.kdc);
 	}
 
-	subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(common_name).arg(openssldcForRealm(realmcfg.name));
+	subject = TQString("\"/C=%1/ST=%2/L=%3/O=%4/OU=%5%6%7\"").arg(certinfo.countryName).arg(certinfo.stateOrProvinceName).arg(certinfo.localityName).arg(certinfo.organizationName).arg(certinfo.orgUnitName).arg(openssldcForRealm(realmcfg.name)).arg(common_name);
 	command = TQString("openssl req -days %1 -new -out %2 -key %3 -config %4 -subj %5").arg(certinfo.ldapExpiryDays).arg(ldap_reqfile).arg(ldap_keyfile).arg(OPENSSL_EXTENSIONS_FILE).arg(subject);
 	if (system(command) < 0) {
 		printf("ERROR: Execution of \"%s\" failed!\n", command.ascii());