Branch: master

5f900798 2015-09-18 17:50:49 Timothy Pearson
Add PKCS login setup controls
M cert-updater/main.cpp
M src/ldapbonding.cpp
M src/ldapconfigbase.ui
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index 78ad0dc..354d9de 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -155,6 +155,7 @@
 	int prevSecondsToExpiry = (7*24*60*60);
 
 	while (1) {
+		bool newCertDownloaded = false;
 		bool allDownloadsOK = true;
 		TQDateTime now = TQDateTime::currentDateTime();
 		TQDateTime earliestCertExpiry = now.addDays(14);	// Recheck every 7 days regardless of last expiry check results
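Review bot: The new `newCertDownloaded` flag is declared next to `allDownloadsOK` without a comment, and the only reader is a rehash call several hunks further down inside an inner block, so a maintainer scanning this loop head cannot tell what "downloaded" means here (a file actually replaced on disk, not merely checked). Suggest `bool newCertDownloaded = false;	// a root cert or CRL file was replaced on disk during this pass; triggers the PKCS rehash below`. The `while (1)` body continues outside this hunk.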
@@ -174,7 +175,10 @@
 					printf("[INFO] Certificate %s expires %s\n", certificateFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
 				}
 				if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
-					if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
+					if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) == 0) {
+						newCertDownloaded = true;
+					}
+					else {
 						allDownloadsOK = false;
 					}
 				}
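Review bot: The `== 0` / `else` shape introduced here is repeated verbatim in the next three hunks (root cert when the directory is missing, CRL, CRL when the directory is missing), so four copies now have to be kept in step whenever the success bookkeeping changes. A small static helper taking the object name, the target file name, `realmcfg` and the two flags by reference, along the lines of `static void fetchAndTrack(const char* object, const TQString& file, /* realmcfg */, bool& downloaded, bool& allOK)`, would collapse them to one call each. The inversion from `!= 0` to `== 0` with an explicit `else` preserves the original failure path, so this is a point of style, not behaviour. The enclosing per-file block starts and ends outside this hunk.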
@@ -185,7 +189,10 @@
 			else {
 				mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
 				mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
-				if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
+				if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) == 0) {
+					newCertDownloaded = true;
+				}
+				else {
 					allDownloadsOK = false;
 				}
 			}
@@ -196,7 +203,10 @@
 					printf("[INFO] CRL %s expires %s\n", crlFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
 				}
 				if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
-					if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+					if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) == 0) {
+						newCertDownloaded = true;
+					}
+					else {
 						allDownloadsOK = false;
 					}
 				}
@@ -207,10 +217,19 @@
 			else {
 				mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
 				mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
-				if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+				if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) == 0) {
+					newCertDownloaded = true;
+				}
+				else {
 					allDownloadsOK = false;
 				}
 			}
+
+			if (newCertDownloaded) {
+				if (LDAPManager::rehashClientPKCSCertificates() != 0) {
+					printf("[WARNING] Unable to rehash client PKCS certificates\n"); fflush(stdout);
+				}
+			}
 		}
 		immediate = false;
 
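Review bot: A failed `LDAPManager::rehashClientPKCSCertificates()` at the end of the hunk is only logged, and because the download branches above only run again when `immediate` is set or the expiry window is reached, a freshly written root certificate or CRL can sit without its hash link until the next scheduled download, however far off that is. A `bool rehashPending = false;` declared before the `while (1)` (outside this hunk), set when the rehash fails and cleared when it succeeds, lets the next pass retry the rehash without re-downloading anything. Separately, `newCertDownloaded` is declared once per outer pass but consumed inside the block closed just before `immediate = false;`; if that block iterates (for example per realm, which the hunk does not show), the flag is never cleared between iterations and every later iteration would rehash again, so moving the declaration into that block, or resetting it at its top, is worth considering. The loop body begins outside this hunk.
```cpp
// … unchanged: root certificate and CRL download branches …

			// rehashPending is declared before the while (1) loop and starts false
			if (newCertDownloaded || rehashPending) {
				rehashPending = (LDAPManager::rehashClientPKCSCertificates() != 0);
				if (rehashPending) {
					printf("[WARNING] Unable to rehash client PKCS certificates\n"); fflush(stdout);
				}
			}
```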
diff --git a/src/ldapbonding.cpp b/src/ldapbonding.cpp
index bf20050..abe4e95 100644
--- a/src/ldapbonding.cpp
+++ b/src/ldapbonding.cpp
@@ -102,6 +102,9 @@
 	connect(base->passwordHash, TQT_SIGNAL(activated(int)), this, TQT_SLOT(changed()));
 	connect(base->ignoredUsers, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(changed()));
 
+	connect(base->pamEnablePKCS11Logons, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
+	connect(base->pamEnablePKCS11Logons, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
+	connect(base->pamPKCS11LoginCardSlot, TQT_SIGNAL(valueChanged(int)), this, TQT_SLOT(changed()));
 	connect(base->pamEnableCachedLogons, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
 	connect(base->pamCreateHomeDirectory, TQT_SIGNAL(clicked()), this, TQT_SLOT(changed()));
 	connect(base->pamCreateHomeDirectory, TQT_SIGNAL(clicked()), this, TQT_SLOT(processLockouts()));
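Review bot: `pamEnablePKCS11Logons` is wired to `processLockouts()` via `clicked()`, which is not emitted when `setChecked()` is applied programmatically while the saved realm config is loaded, so the enabled state of `pamPKCS11LoginCardSlot` after a load relies on `processLockouts()` being called explicitly afterwards. That matches the existing `pamCreateHomeDirectory` wiring two lines below, so presumably the explicit call already exists outside this hunk; worth confirming rather than assuming. The constructor these connects live in starts and ends outside the hunk.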
@@ -165,6 +168,8 @@
 	}
 	base->ignoredUsers->setText(m_clientRealmConfig.ignoredUsers);
 
+	base->pamEnablePKCS11Logons->setChecked(m_clientRealmConfig.pamConfig.enable_pkcs11_login);
+	base->pamPKCS11LoginCardSlot->setValue(m_clientRealmConfig.pamConfig.pkcs11_login_card_slot);
 	base->pamEnableCachedLogons->setChecked(m_clientRealmConfig.pamConfig.enable_cached_credentials);
 	base->pamCreateHomeDirectory->setChecked(m_clientRealmConfig.pamConfig.autocreate_user_directories_enable);
 	base->pamCreateHomeDirectoryUmask->setValue(m_clientRealmConfig.pamConfig.autocreate_user_directories_umask);
@@ -217,6 +222,8 @@
 	m_clientRealmConfig.passwordHash = base->passwordHash->currentText();
 	m_clientRealmConfig.ignoredUsers = base->ignoredUsers->text();
 
+	m_clientRealmConfig.pamConfig.enable_pkcs11_login = base->pamEnablePKCS11Logons->isChecked();
+	m_clientRealmConfig.pamConfig.pkcs11_login_card_slot = base->pamPKCS11LoginCardSlot->value();
 	m_clientRealmConfig.pamConfig.enable_cached_credentials = base->pamEnableCachedLogons->isChecked();
 	m_clientRealmConfig.pamConfig.autocreate_user_directories_enable = base->pamCreateHomeDirectory->isChecked();
 	m_clientRealmConfig.pamConfig.autocreate_user_directories_umask = base->pamCreateHomeDirectoryUmask->value();
@@ -343,6 +350,13 @@
 		base->pamCreateHomeDirectoryUmask->setEnabled(false);
 		base->pamCreateHomeDirectorySkelDir->setEnabled(false);
 	}
+
+	if (base->pamEnablePKCS11Logons->isChecked()) {
+		base->pamPKCS11LoginCardSlot->setEnabled(true);
+	}
+	else {
+		base->pamPKCS11LoginCardSlot->setEnabled(false);
+	}
 }
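Review bot: The six-line `if`/`else` added at the end of `processLockouts()` only copies the checkbox state onto the spin box, so a single statement, `base->pamPKCS11LoginCardSlot->setEnabled(base->pamEnablePKCS11Logons->isChecked());`, says the same thing and is harder to get out of sync if a second dependent widget is added later. The preceding lockout block in the hunk uses the longer form, so this is a style preference rather than a defect. `processLockouts()` starts outside this hunk.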
 
 void LDAPConfig::bondToNewRealm() {
diff --git a/src/ldapconfigbase.ui b/src/ldapconfigbase.ui
index a889ac9..8c9b2db 100644
--- a/src/ldapconfigbase.ui
+++ b/src/ldapconfigbase.ui
@@ -454,6 +454,14 @@
 									<string>&amp;Enable logon credentials cache</string>
 								</property>
 							</widget>
+							<widget class="TQCheckBox" row="2" column="0" colspan="2">
+								<property name="name">
+									<cstring>pamEnablePKCS11Logons</cstring>
+								</property>
+								<property name="text">
+									<string>&amp;Enable PKCS#11 card login</string>
+								</property>
+							</widget>
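Review bot: The new checkbox text `&amp;Enable PKCS#11 card login` reuses the `Alt+E` accelerator already taken by `&amp;Enable logon credentials cache` in the context line at the top of this hunk, so the mnemonic becomes ambiguous in the same group. Suggest `Enable &amp;PKCS#11 card login`, assuming `P` is not already used elsewhere in this dialog, which the hunk does not show.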
 							<widget class="TQLabel" row="0" column="2">
 								<property name="name">
 									<cstring>unnamed</cstring>
@@ -500,6 +508,33 @@
 									</sizepolicy>
 								</property>
 							</widget>
+							<widget class="TQLabel" row="2" column="2">
+								<property name="name">
+									<cstring>unnamed</cstring>
+								</property>
+								<property name="text">
+									<string>PKCS#11 certificate slot</string>
+								</property>
+								<property name="sizePolicy">
+									<sizepolicy>
+										<hsizetype>0</hsizetype>
+										<vsizetype>0</vsizetype>
+										<horstretch>0</horstretch>
+										<verstretch>0</verstretch>
+									</sizepolicy>
+								</property>
+							</widget>
+							<widget class="KIntNumInput" row="2" column="3" >
+								<property name="name">
+									<cstring>pamPKCS11LoginCardSlot</cstring>
+								</property>
+								<property name="minValue">
+									<number>0</number>
+								</property>
+								<property name="maxValue">
+									<number>999</number>
+								</property>
+							</widget>
 							<widget class="KURLRequester" row="1" column="3" >
 								<property name="name">
 									<cstring>pamCreateHomeDirectorySkelDir</cstring>
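Review bot: The new `pamPKCS11LoginCardSlot` input carries a 0–999 range but no `toolTip` or `whatsThis`, and the label "PKCS#11 certificate slot" does not say whether the number is the zero-based slot index handed to the PAM module or a token's provider-assigned slot ID, which differ on most PKCS#11 providers and is exactly the thing an administrator will get wrong. Once the meaning is confirmed against whatever writes `pkcs11_login_card_slot` into the PAM configuration (not visible here), add `<property name="toolTip"><string>Zero-based index of the PKCS#11 slot holding the login certificate</string></property>` to the input, and a matching tooltip on the checkbox. If the value really is an index, a tighter `maxValue` than 999 may also be appropriate.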