0fbc17ac | 2015-09-28 17:18:35 | Timothy Pearson |
Convert machine add to kadmin API |
||
M src/libtdeldap.cpp M src/libtdeldap.h |
||
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp index 9f5f9a5..a227582 100644 --- a/src/libtdeldap.cpp +++ b/src/libtdeldap.cpp @@ -46,34 +46,15 @@ #include <sys/time.h> #include <errno.h> -#if 0 - #include <sys/socket.h> - #include <sys/un.h> +#include <sys/socket.h> +#include <sys/un.h> + +extern "C" { #include <hdb.h> #include <kadm5/admin.h> #include <kadm5/private.h> #include <kadm5/kadm5-private.h> -#else - #include <kadm5/admin.h> - - extern "C" { - // The following declaration was taken from hdb-protos.h - const char * - hdb_db_dir (krb5_context /*context*/); - - // The following declaration was taken from kadm5-private.h - kadm5_ret_t - kadm5_s_init_with_password_ctx ( - krb5_context /*context*/, - const char */*client_name*/, - const char */*password*/, - const char */*service_name*/, - kadm5_config_params */*realm_params*/, - unsigned long /*struct_version*/, - unsigned long /*api_version*/, - void **/*server_handle*/); - } -#endif +} #include "libtdeldap.h" #include "ldaplogindlg.h" @@ -89,6 +70,9 @@ // FIXME // This assumes Debian! #define KRB5_FILE "/etc/krb5.conf" + +//#define KRB5_ANK_RANDOM_PASSWORD_LENGTH 1024 +#define KRB5_ANK_RANDOM_PASSWORD_LENGTH 512 #define NSSWITCH_FILE "/etc/nsswitch.conf" @@ -135,6 +119,19 @@ else { return true; } +} + +static kadm5_ret_t kadm5_get_default_principal_info(krb5_context context, void* handle, krb5_principal princ, kadm5_principal_ent_t def) { + kadm5_ret_t ret; + krb5_principal def_principal; + krb5_const_realm realm = krb5_principal_get_realm(context, princ); + ret = krb5_make_principal(context, &def_principal, realm, "default", NULL); + if (ret) { + return ret; + } + ret = kadm5_get_principal(handle, def_principal, def, KADM5_PRINCIPAL_NORMAL_MASK); + krb5_free_principal(context, def_principal); + return ret; } LDAPManager::LDAPManager(TQString realm, TQString host, TQObject *parent, const char *name) : TQObject(parent, name), m_realm(realm), m_host(host), m_port(0), m_creds(0), m_ldap(0), m_krb5admHandle(0), m_krb5admKeytabFilename(0), m_krb5admRealmName(0) @@ -196,9 +193,24 @@ return m_realm; } -LDAPCredentials LDAPManager::currentLDAPCredentials() { +LDAPCredentials LDAPManager::currentLDAPCredentials(bool inferGSSAPIData) { if (m_creds) { - return *m_creds; + if (inferGSSAPIData) { + LDAPCredentials credentials = *m_creds; + if ((credentials.username == "") && (credentials.password == "")) { + // Probably GSSAPI + // Get active ticket principal... + KerberosTicketInfoList tickets = LDAPManager::getKerberosTicketList(); + TQStringList principalParts = TQStringList::split("@", tickets[0].cachePrincipal, false); + credentials.username = principalParts[0]; + credentials.realm = principalParts[1]; + credentials.use_gssapi = true; + } + return credentials; + } + else { + return *m_creds; + } } else { return LDAPCredentials(); @@ -346,8 +358,9 @@ return -1; } struct berval anoncred; - anoncred.bv_val = ""; - anoncred.bv_len = strlen(""); + TQCString anonpass = ""; + anoncred.bv_val = anonpass.data(); + anoncred.bv_len = anonpass.length(); retcode = ldap_sasl_bind_s(ldapconn, "", mechanism, &anoncred, NULL, NULL, NULL); if (retcode == LDAP_SUCCESS ) { // Look for the DN for the specified user @@ -372,7 +385,7 @@ } // clean up ldap_msgfree(msg); - + // All done! ldap_unbind_ext_s(ldapconn, NULL, NULL); } @@ -727,10 +740,10 @@ for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { users.append(parseLDAPUserRecord(entry)); } - + // clean up ldap_msgfree(msg); - + if (mretcode) *mretcode = 0; return users; } @@ -743,7 +756,7 @@ LDAPControl* pageControl = NULL; LDAPControl* serverControls[2] = { NULL, NULL }; LDAPControl** returnedControls = NULL; - + do { retcode = ldap_create_page_control(m_ldap, pageSize, &cookie, pagingCriticality, &pageControl); if (retcode != LDAP_SUCCESS) { @@ -791,7 +804,7 @@ else { morePages = false; } - + if (returnedControls != NULL) { ldap_controls_free(returnedControls); returnedControls = NULL; @@ -799,17 +812,17 @@ serverControls[0] = NULL; ldap_control_free(pageControl); pageControl = NULL; - + // Iterate through the returned entries LDAPMessage* entry; for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { users.append(parseLDAPUserRecord(entry)); } - + // clean up ldap_msgfree(msg); } while (morePages); - + if (mretcode) *mretcode = 0; return users; } @@ -838,7 +851,7 @@ for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { userinfo = parseLDAPUserRecord(entry); } - + // clean up ldap_msgfree(msg); @@ -869,7 +882,7 @@ for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) { groupinfo = parseLDAPGroupRecord(entry); } - + // clean up ldap_msgfree(msg); @@ -1127,7 +1140,7 @@ return result; } -int LDAPManager::bindKAdmin(LDAPUserInfo user, TQString *errstr) { +int LDAPManager::bindKAdmin(TQString *errstr) { int retcode = 1; kadm5_ret_t krb5adm_ret; @@ -1186,7 +1199,7 @@ krb5adm_ret = krb5_init_context(&m_krb5admContext); if (krb5adm_ret) { - if (errstr) *errstr = TQString("%1<p>Details:<br>Failed to execute kadm5_init_krb5_context (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); + if (errstr) *errstr = i18n("%1<p>Details:<br>Failed to execute kadm5_init_krb5_context (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } else { if (use_local_socket) { @@ -1205,7 +1218,7 @@ if (krb5adm_ret) { if (errstr) *errstr = i18n("%1<p>Details:<br>Failed to execute krb5_prepend_config_files_default (code %2)").arg(krb5_get_error_message(m_krb5admContext, krb5adm_ret)).arg(krb5adm_ret); } - + krb5adm_ret = krb5_set_config_files(m_krb5admContext, files); krb5_free_config_files(files); if(krb5adm_ret) { @@ -1278,7 +1291,7 @@ int retcode; kadm5_ret_t krb5adm_ret; - retcode = bindKAdmin(user, errstr); + retcode = bindKAdmin(errstr); if (retcode == 0) { retcode = 1; krb5_principal user_kadm5_principal; @@ -1301,6 +1314,7 @@ } unbindKAdmin(); + unbind(true); // Using kadmin can disrupt our LDAP connection } return retcode; @@ -1833,6 +1847,147 @@ return -1; } else { + int retcode; + kadm5_ret_t krb5adm_ret; + int i; + char* password = NULL; + + retcode = bindKAdmin(errstr); + if (retcode == 0) { + retcode = 1; + bool generate_password; + if (machine.newPassword == "") { ** Diff limit reached (max: 250 lines) ** |