Author: jsuchome Date: Fri Mar 18 16:14:04 2011 New Revision: 63600 URL: http://svn.opensuse.org/viewcvs/yast?rev=63600&view=rev Log: - added UI for downloading CA certificates, enable editing of certificate directory (bnc#574704) Modified: branches/SuSE-Code-11-SP2-Branch/ldap-client/src/Ldap.ycp branches/SuSE-Code-11-SP2-Branch/ldap-client/src/ui.ycp branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Export.out branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Export.ycp branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Read.out branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Read.ycp Modified: branches/SuSE-Code-11-SP2-Branch/ldap-client/src/Ldap.ycp URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/ldap-client/src/Ldap.ycp?rev=63600&r1=63599&r2=63600&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/ldap-client/src/Ldap.ycp (original) +++ branches/SuSE-Code-11-SP2-Branch/ldap-client/src/Ldap.ycp Fri Mar 18 16:14:04 2011 @@ -111,6 +111,13 @@ global boolean ldap_v2 = false; global boolean ldap_tls = false; + // CA certificates for server certificate verification + // At least one of these are required if tls_checkpeer is "yes" + global string tls_cacertdir = ""; + global string tls_cacertfile = ""; + // Require and verify server certificate (yes/no) + global string tls_checkpeer = "yes"; + // Which crypt method should be used? global string pam_password = "exop"; @@ -423,6 +430,9 @@ create_ldap = settings ["create_ldap"]:false; login_enabled = settings ["login_enabled"]:true; _start_autofs = settings ["start_autofs"]:false; + tls_cacertdir = settings ["tls_cacertdir"]:""; + tls_cacertfile = settings ["tls_cacertfile"]:""; + tls_checkpeer = settings ["tls_checkpeer"]:"yes"; mkhomedir = settings ["mkhomedir"]:mkhomedir; if (_start_autofs) required_packages = (list<string>) union (required_packages, ["autofs"]); 
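Review bot: tls_checkpeer is taken from the import map in the @@ -423 hunk as a free-form string, and the value read back from ldap.conf in the @@ -712 hunk is handled the same way; nothing normalizes it to the two documented values, although the export and write paths compare it against the literal "yes". A value such as "Yes" or "true" would therefore be treated as "not yes" and written out verbatim. Consider normalizing once on the way in, e.g. `tls_checkpeer = tolower (settings ["tls_checkpeer"]:"yes");`, and only accepting "yes"/"no". The comment on the new globals also reads better as `// At least one of these is required if tls_checkpeer is "yes"`.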
@@ -467,6 +477,12 @@ "login_enabled" : login_enabled, "mkhomedir" : mkhomedir ]; + if (tls_checkpeer != "yes") + e["tls_checkpeer"] = tls_checkpeer; + if (tls_cacertdir != "") + e["tls_cacertdir"] = tls_cacertdir; + if (tls_cacertfile != "") + e["tls_cacertfile"] = tls_cacertfile; if (nss_base_passwd != base_dn) e["nss_base_passwd"] = nss_base_passwd; if (nss_base_shadow != base_dn) @@ -712,6 +728,9 @@ ldap_v2 = (ReadLdapConfEntry ("ldap_version", "3") == "2"); ldap_tls = (ReadLdapConfEntry ("ssl", "no") == "start_tls"); + tls_cacertdir = ReadLdapConfEntry ("tls_cacertdir", ""); + tls_cacertfile = ReadLdapConfEntry ("tls_cacertfile", ""); + tls_checkpeer = ReadLdapConfEntry ("tls_checkpeer", "yes"); nss_base_passwd = ReadLdapConfEntry ("nss_base_passwd", base_dn); nss_base_shadow = ReadLdapConfEntry ("nss_base_shadow", base_dn); @@ -1896,10 +1915,6 @@ [server]); SCR::Write(.etc.ldap_conf.v."/etc/openldap/ldap.conf".base, [base_dn]); - if (ldap_tls) - { - SCR::Write(.etc.ldap_conf.v."/etc/openldap/ldap.conf".TLS_REQCERT, ["allow"]); - } y2milestone ("file /etc/openldap/ldap.conf was modified"); } return write_openldap_conf; @@ -2338,6 +2353,9 @@ else WriteLdapConfEntry ("ssl", "no"); + WriteLdapConfEntry ("tls_cacertdir", tls_cacertdir == "" ? nil : tls_cacertdir); + WriteLdapConfEntry ("tls_cacertfile", tls_cacertfile == "" ? nil : tls_cacertfile); + Pam::Set ("mkhomedir", mkhomedir); WriteLdapConfEntry ("pam_password", pam_password); @@ -2361,6 +2379,9 @@ WriteLdapConfEntry ("nss_base_group", (nss_base_group != base_dn && nss_base_group != "") ? nss_base_group : nil); + + // default value is 'yes' + WriteLdapConfEntry ("tls_checkpeer", tls_checkpeer == "yes" ? nil : tls_checkpeer); } if (start) // ldap used for authentocation { @@ -2378,8 +2399,6 @@ WriteLdapConfEntry ("pam_password", pam_password); } - // override LDAPNOINIT (#217701) - WriteLdapConfEntry ("tls_checkpeer", "no"); if (!oes) { 
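Review bot: The @@ -1896 hunk stops writing `TLS_REQCERT allow` into /etc/openldap/ldap.conf, but it does not remove a value that earlier runs of this module already put there, so a system configured before this change keeps the OpenLDAP client library in allow mode even after tls_checkpeer becomes "yes" in /etc/ldap.conf. If the agent drops a key on nil the way the tls_checkpeer write in the @@ -2361 hunk relies on, a one-line `SCR::Write(.etc.ldap_conf.v."/etc/openldap/ldap.conf".TLS_REQCERT, nil);` in the same block would clear the legacy setting. Note also that tls_cacertdir/tls_cacertfile are written only through WriteLdapConfEntry in the @@ -2338 hunk, while the /etc/openldap/ldap.conf block still writes only host and base; if the OpenLDAP library itself is expected to verify the server, it presumably needs its own TLS_CACERTDIR/TLS_CACERT entry there — worth confirming. The enclosing functions of these hunks start outside them.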
@@ -2451,8 +2470,6 @@ { Pam::Remove ("ldap-account_only"); } - - WriteLdapConfEntry ("tls_checkpeer", nil); } Modified: branches/SuSE-Code-11-SP2-Branch/ldap-client/src/ui.ycp URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/ldap-client/src/ui.ycp?rev=63600&r1=63599&r2=63600&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/ldap-client/src/ui.ycp (original) +++ branches/SuSE-Code-11-SP2-Branch/ldap-client/src/ui.ycp Fri Mar 18 16:14:04 2011 @@ -15,6 +15,8 @@ import "Address"; import "Autologin"; + import "Directory"; + import "FileUtils"; import "Label"; import "Ldap"; import "LdapPopup"; @@ -200,13 +202,7 @@ // help text 6/9 _("<p>Some LDAP servers support StartTLS (RFC2830). If your server supports it and it is configured, activate <b>LDAP TLS/SSL</b> -to encrypt your communication with the LDAP server.</p> -") + - - // help text 7/9 - _("<p>Normally, the LDAP version 3 protocol is used. If you have -an LDAP server using protocol 2 (for example, OpenLDAP v1), activate -<b>LDAP Version 2</b>.</p> +to encrypt your communication with the LDAP server. You may download CA certificate file in PEM format from given URL.</p> ") + // help text 8/9 @@ -231,8 +227,9 @@ string base_dn = Ldap::GetBaseDN (); string server = Ldap::server; boolean ldap_tls = Ldap::ldap_tls; - boolean ldap_v2 = Ldap::ldap_v2; + string tls_checkpeer = Ldap::tls_checkpeer; boolean login_enabled = Ldap::login_enabled; + string certTmpFile = sformat ("%1/__LDAPcert.crt", Directory::tmpdir); boolean autofs = Ldap::_start_autofs; term autofs_con = `Empty (); 
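Review bot: The sentence added to help text 6/9 in the ui.ycp @@ -200 hunk reads awkwardly; suggest `You may download a CA certificate file in PEM format from a given URL.` The help text 7/9 removed here reappears in the advanced dialog in a later hunk, so nothing is lost, but its "7/9" numbering is then out of sequence. certTmpFile in the @@ -231 hunk is a fixed file name under Directory::tmpdir, which is fine as long as that directory is private to the running YaST process — assumed here, not visible in the hunk.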
@@ -300,14 +297,17 @@ `PushButton (`id(`fetch), _("F&etch DN")) ) ), - `VSpacing (0.2), - // check box label - `Left (`CheckBox (`id(`ldaps), _("LDAP &TLS/SSL"), ldap_tls)), - `VSpacing (0.2), - // check box label - `Left (`CheckBox (`id(`ldapv), _("LDAP &Version 2"), ldap_v2)), `VSpacing (0.4) ), `HSpacing (0.5))), + `Frame (_("Secure Connection"), `HBox (`HSpacing (0.5), `VBox( + `HBox ( + // check box label + `Left (`CheckBox (`id(`ldaps), `opt (`notify), _("LDAP &TLS/SSL"), ldap_tls)), + // push button label + `PushButton (`id(`import_cert), _("Download CA Certificate")) + ), + `VSpacing (0.2) + ), `HSpacing (0.5))), autofs_con, mkhomedir_term, `VSpacing(0.4), @@ -328,6 +328,7 @@ UI::ChangeWidget (`id(`server),`ValidChars, Address::ValidChars + " "); + UI::ChangeWidget (`id(`import_cert),`Enabled, ldap_tls); symbol result = `not_next; do { @@ -338,10 +339,11 @@ login_enabled = (rb != `ldapnologin); server = (string) UI::QueryWidget(`id(`server), `Value); - ldap_v2 = (boolean) UI::QueryWidget(`id(`ldapv), `Value); ldap_tls = (boolean) UI::QueryWidget(`id(`ldaps), `Value); mkhomedir = (boolean) UI::QueryWidget (`id(`mkhomedir),`Value); + UI::ChangeWidget (`id(`import_cert), `Enabled, ldap_tls); + if (result == `slp) { string srv = ""; @@ -365,7 +367,7 @@ LdapPopup::InitAndBrowseTree ("", $[ "hostname" : Ldap::GetFirstServer (server), "port" : Ldap::GetFirstPort (server), - "version" : ldap_v2 ? 2 : 3, + "version" : Ldap::ldap_v2 ? 2 : 3, "use_tls" : ldap_tls ? "yes" : "no" ]); if (dn != "") 
@@ -376,6 +378,75 @@ UI::ChangeWidget (`id (`ldaps), `Value, false); } } + if (result == `import_cert) + { + string dir = Ldap::tls_cacertdir; + if (Ldap::tls_cacertdir == "") + dir = "/etc/openldap/cacerts/"; + + UI::OpenDialog ( `opt(`decorated), `HBox( + `HSpacing(1), + `VBox ( + `HSpacing (75), + // InputField label + `InputField (`id (`url), `opt (`hstretch), + _("CA Certificate URL for Download")), + `HBox ( + `PushButton(`id(`ok),`opt(`default,`key_F10), Label::OKButton()), + `PushButton(`id(`cancel),`opt (`key_F9), Label::CancelButton()) + ) + ), + `HSpacing(1) + )); + UI::SetFocus (`id (`url)); + + any ret = nil; + boolean success = false; + string name = ""; + + while (true) + { + ret = UI::UserInput (); + if (ret == `cancel) + break; + if (ret == `ok) + { + string cert_url = (string) UI::QueryWidget (`id (`url), `Value); + string curlcmd = sformat("curl -f --connect-timeout 60 --max-time 120 '%1' -o %2", cert_url, certTmpFile); + + if (SCR::Execute(.target.bash, curlcmd) != 0) + { + // error message + Popup::Error (_("Could not download the certificate file from specified URL.")); + } + else if (FileUtils::CheckAndCreatePath (dir)) + { + list <string> l = splitstring (cert_url, "/"); + name = l[size(l) - 1]:"downloaded-by-yast2-ldap-client.pem"; + success = SCR::Execute (.target.bash, sformat ("/bin/cp -a '%1' '%2/%3'", certTmpFile, dir, name)) == 0; + break; + } + } + } + UI::CloseDialog (); + + if (ret == `cancel) + { + continue; + } + if (success) + { + // popup message, %1 is file name, %2 directory + Popup::Message (sformat (_("The downloaded certificate file + +'%1' + +was copied to '%2' directory"), name, dir)); + + Ldap::tls_cacertdir = dir; + Ldap::modified = true; + } + } if (result == `next || result == `advanced) { base_dn = (string) UI::QueryWidget(`id(`ldapbasedn), `Value); 
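Review bot: cert_url, taken straight from the input field, is spliced into a bash command line inside single quotes (`curlcmd`), and `name`, the last path component of that URL, is spliced into the `/bin/cp` command the same way; a single quote in either ends the quoting and the remainder is interpreted by the shell. Reject a URL containing a quote or whitespace before building the command (or quote it through a helper), and handle a URL ending in `/`, where `l[size(l) - 1]` is "" rather than missing, so the fallback name is never used and cp is given a bare directory target. Separately, the downloaded file becomes a trust anchor without any check that it is a PEM certificate or that it is the one the administrator expects: `curl -f` only rejects HTTP errors and the URL may be plain http. Before the copy, run the file through `openssl x509 -noout -subject -fingerprint`, show subject and fingerprint in the confirmation popup (refusing when openssl cannot parse it), and remove certTmpFile afterwards — as visible it is left behind in Directory::tmpdir. A directory-based trust store may also need hash links (c_rehash) before the library picks the new file up; worth confirming for the TLS library in use.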
@@ -465,7 +536,7 @@ Ldap::nss_base_group = base_dn; } if (Ldap::start != start || Ldap::GetBaseDN() != base_dn || - Ldap::server != server || Ldap::ldap_v2 != ldap_v2 || + Ldap::server != server || Ldap::ldap_tls != ldap_tls || Ldap::_start_autofs != autofs || Ldap::login_enabled != login_enabled || Ldap::mkhomedir != mkhomedir) @@ -497,6 +568,13 @@ if (message != "") Popup::Message (message); } + if (ldap_tls && tls_checkpeer == "no") + { + // yes/no question + if (Popup::YesNo (_("The security connection is enabled, but server certificate verification is disabled. +Enable certificate checks now?"))) + Ldap::tls_checkpeer = "yes"; + } // check if user changed part of imported settings (#252094) if (start && Stage::cont () && size (Ldap::initial_defaults) > 0 && Ldap::create_ldap && @@ -512,7 +590,6 @@ Ldap::SetBaseDN (base_dn); Ldap::start = start; Ldap::server = server; - Ldap::ldap_v2 = ldap_v2; Ldap::ldap_tls = ldap_tls; Ldap::_start_autofs = autofs; Ldap::login_enabled = login_enabled; @@ -548,7 +625,16 @@ sformat (_("<p>Set the type of LDAP groups to use. The default value for <b>Group Member Attribute</b> is <i>%1</i>.</p> "), - "member"), + "member") + + + _("<p>If secure connection requires certificate checking, you may specify where is your certificate file located. It is possible to enter either directory with certificates, or the explicit path to one certificate file.</p>") + + + // help text 7/9 + _("<p>Normally, the LDAP version 3 protocol is used. If you have +an LDAP server using protocol 2 (for example, OpenLDAP v1), activate +<b>LDAP Version 2</b>.</p> +"), + `admin : // help text caption 2 
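Review bot: The YesNo check in the @@ -497 hunk switches Ldap::tls_checkpeer to "yes" without ensuring a CA source is configured; the comment on the new globals in Ldap.ycp says at least one of tls_cacertdir/tls_cacertfile is required in that case, so with both empty the next bind would fail verification with no hint why. After the user agrees, check `Ldap::tls_cacertdir == "" && Ldap::tls_cacertfile == ""` and point them to Download CA Certificate or the advanced settings. As far as visible a declined answer is not remembered, so the question reappears on every pass through this dialog. The message also reads better as `The secure connection is enabled, but server certificate verification is disabled.`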
@@ -606,6 +692,9 @@ string nss_base_shadow = Ldap::nss_base_shadow; string nss_base_group = Ldap::nss_base_group; string pam_password = Ldap::pam_password; + boolean ldap_v2 = Ldap::ldap_v2; + string tls_cacertdir = Ldap::tls_cacertdir; + string tls_cacertfile = Ldap::tls_cacertfile; list<term>member_attributes = [ `item (`id("member"), "member", member_attribute == "member"), @@ -747,7 +836,7 @@ `VBox ( `Label (""), // button label - `PushButton (`id(`br_shadow), _("Br&owse")) + `PushButton (`id(`br_shadow), _("Brow&se")) ) ), `HBox ( @@ -764,14 +853,39 @@ ), `HSpacing (1) )), - `VSpacing (0.5), + `VSpacing (0.4), `ComboBox (`id (`pam_password), `opt(`notify,`hstretch,`editable), // combobox label - _("Pa&ssword Change Protocol"), pam_password_items), - `VSpacing(0.5), + _("Passwor&d Change Protocol"), pam_password_items), + `VSpacing(0.4), `ComboBox (`id (`group_style), `opt (`notify, `hstretch), // combobox label - _("G&roup Member Attribute"), member_attributes) + _("Group Member &Attribute"), member_attributes), + // check box label + `VSpacing(0.4), + `HBox ( + `HWeight (1, `HBox ( + `InputField (`id (`tls_cacertdir), `opt (`hstretch), _("Certificate Directory"), + tls_cacertdir + ), + `VBox ( + `Label (""), + // button label + `PushButton (`id(`br_tls_cacertdir), _("B&rowse")) + ) + )), `HWeight (1, `HBox ( + `InputField (`id (`tls_cacertfile), `opt (`hstretch), _("CA Certificate File"), + tls_cacertfile + ), + `VBox ( + `Label (""), + // button label + `PushButton (`id(`br_tls_cacertfile), _("Brows&e")) + ) + )) + ), + `VSpacing(0.2), + `Left (`CheckBox (`id(`ldapv), _("LDAP &Version 2"), ldap_v2)) ), `HSpacing (5))); UI::ReplaceWidget (`tabContents, cont); 
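Review bot: In the @@ -764 hunk the translator comment `// check box label` sits above `VSpacing(0.4)` and the HBox, several lines before the `LDAP &Version 2` checkbox it describes; xgettext typically attaches such comments only to the immediately following `_()` call, so this one is lost, and the two new InputField labels `Certificate Directory` and `CA Certificate File` have no comment at all. Move the comment to the line directly above the `Left (`CheckBox (`id(`ldapv), ...))` and add `// InputField label` above each of the two InputField calls. The enclosing function starts outside the hunk.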
@@ -879,6 +993,10 @@ nss_base_group = (string) UI::QueryWidget(`id(`nss_base_group),`Value); pam_password = (string) UI::QueryWidget(`id(`pam_password), `Value); + + tls_cacertfile = (string) UI::QueryWidget(`id(`tls_cacertfile), `Value); + tls_cacertdir = (string) UI::QueryWidget(`id(`tls_cacertdir), `Value); + ldap_v2 = (boolean) UI::QueryWidget(`id(`ldapv), `Value); } if (current == `admin) { @@ -928,6 +1046,24 @@ UI::ChangeWidget (`id(br2entry[result]:nil), `Value, dn); } } + if (result == `br_tls_cacertdir) + { + string dir = UI::AskForExistingDirectory (tls_cacertdir, _("Choose the directory with certificates")); + if (dir != nil) + { + tls_cacertdir = dir; + UI::ChangeWidget (`id (`tls_cacertdir), `Value, dir); + } + } + if (result == `br_tls_cacertfile) + { + string file = UI::AskForExistingFile (tls_cacertfile, "*.pem *.crt", _("Choose the certificate file")); + if (file != nil) + { + tls_cacertfile = file; + UI::ChangeWidget (`id (`tls_cacertfile), `Value, file); + } + } if (result == `add) { string suffix = base_dn; @@ -1091,7 +1227,10 @@ Ldap::pam_password != pam_password || Ldap::nss_base_passwd != nss_base_passwd || Ldap::nss_base_group != nss_base_group || - Ldap::nss_base_shadow != nss_base_shadow + Ldap::nss_base_shadow != nss_base_shadow || + Ldap::ldap_v2 != ldap_v2 || + Ldap::tls_cacertdir != tls_cacertdir || + Ldap::tls_cacertfile != tls_cacertfile ) { Ldap::bind_dn = bind_dn; 
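Review bot: The values read from the tls_cacertdir and tls_cacertfile fields in the @@ -879 hunk are taken verbatim; the browse buttons in the @@ -928 hunk guarantee an existing path, but a hand-typed one is never checked before Ldap.ycp writes it to ldap.conf, where a typo silently leaves verification without a usable CA. Consider an existence check on the non-empty values on the way out of the dialog (FileUtils is already imported by this file), reporting a Popup::Error and staying in the dialog. The dialog's enclosing function starts outside the hunk.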
@@ -1103,6 +1242,9 @@ Ldap::nss_base_passwd = nss_base_passwd; Ldap::nss_base_group = nss_base_group; Ldap::nss_base_shadow = nss_base_shadow; + Ldap::ldap_v2 = ldap_v2; + Ldap::tls_cacertdir = tls_cacertdir; + Ldap::tls_cacertfile = tls_cacertfile; Ldap::modified = true; } break; Modified: branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Export.out URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Export.out?rev=63600&r1=63599&r2=63600&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Export.out (original) +++ branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Export.out Fri Mar 18 16:14:04 2011 @@ -3,6 +3,9 @@ Read .etc.ldap_conf.v."/etc/ldap.conf"."base" "dc=suse,dc=cz" Read .etc.ldap_conf.v."/etc/ldap.conf"."ldap_version" nil Read .etc.ldap_conf.v."/etc/ldap.conf"."ssl" nil +Read .etc.ldap_conf.v."/etc/ldap.conf"."tls_cacertdir" "/etc/openldap/cacerts/" +Read .etc.ldap_conf.v."/etc/ldap.conf"."tls_cacertfile" nil +Read .etc.ldap_conf.v."/etc/ldap.conf"."tls_checkpeer" nil Read .etc.ldap_conf.v."/etc/ldap.conf"."nss_base_passwd" nil Read .etc.ldap_conf.v."/etc/ldap.conf"."nss_base_shadow" nil Read .etc.ldap_conf.v."/etc/ldap.conf"."nss_base_group" "ou=group,dc=suse,dc=cz" 
@@ -15,4 +18,4 @@ Read .passwd.passwd.pluslines ["+"] Return true Dump ============================================ -Return $["base_config_dn":"", "bind_dn":"uid=manager,dc=suse,dc=cz", "create_ldap":false, "file_server":false, "ldap_domain":"dc=suse,dc=cz", "ldap_server":"localhost", "ldap_tls":false, "ldap_v2":false, "login_enabled":true, "member_attribute":"member", "mkhomedir":true, "nss_base_group":"ou=group,dc=suse,dc=cz", "pam_password":"crypt", "start_autofs":false, "start_ldap":true] +Return $["base_config_dn":"", "bind_dn":"uid=manager,dc=suse,dc=cz", "create_ldap":false, "file_server":false, "ldap_domain":"dc=suse,dc=cz", "ldap_server":"localhost", "ldap_tls":false, "ldap_v2":false, "login_enabled":true, "member_attribute":"member", "mkhomedir":true, "nss_base_group":"ou=group,dc=suse,dc=cz", "pam_password":"crypt", "start_autofs":false, "start_ldap":true, "tls_cacertdir":"/etc/openldap/cacerts/"] Modified: branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Export.ycp URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Export.ycp?rev=63600&r1=63599&r2=63600&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Export.ycp (original) +++ branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Export.ycp Fri Mar 18 16:14:04 2011 
@@ -29,6 +29,9 @@ "ldap_version": nil, "ssl": nil, "pam_password": "crypt", + "tls_cacertdir" : "/etc/openldap/cacerts/", + "tls_cacertfile": nil, + "tls_checkpeer" : nil ] ] ], Modified: branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Read.out URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Read.out?rev=63600&r1=63599&r2=63600&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Read.out (original) +++ branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Read.out Fri Mar 18 16:14:04 2011 @@ -3,6 +3,9 @@ Read .etc.ldap_conf.v."/etc/ldap.conf"."base" "dc=suse,dc=cz" Read .etc.ldap_conf.v."/etc/ldap.conf"."ldap_version" nil Read .etc.ldap_conf.v."/etc/ldap.conf"."ssl" nil +Read .etc.ldap_conf.v."/etc/ldap.conf"."tls_cacertdir" "/etc/openldap/cacerts/" +Read .etc.ldap_conf.v."/etc/ldap.conf"."tls_cacertfile" nil +Read .etc.ldap_conf.v."/etc/ldap.conf"."tls_checkpeer" "no" Read .etc.ldap_conf.v."/etc/ldap.conf"."nss_base_passwd" nil Read .etc.ldap_conf.v."/etc/ldap.conf"."nss_base_shadow" nil Read .etc.ldap_conf.v."/etc/ldap.conf"."nss_base_group" nil Modified: branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Read.ycp URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Read.ycp?rev=63600&r1=63599&r2=63600&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Read.ycp (original) +++ branches/SuSE-Code-11-SP2-Branch/ldap-client/testsuite/tests/Read.ycp Fri Mar 18 16:14:04 2011 
@@ -29,6 +29,9 @@ "ldap_version": nil, "ssl": nil, "pam_password": "crypt", + "tls_cacertdir" : "/etc/openldap/cacerts/", + "tls_cacertfile": nil, + "tls_checkpeer" : "no" ] ] ], -- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org