| field | value | date |
|---|---|---|
| author | Russ Allbery <rra@stanford.edu> | 2007-09-25 20:57:06 +0000 |
| committer | Russ Allbery <rra@stanford.edu> | 2007-09-25 20:57:06 +0000 |
| commit | 766ba9295705be7c91593b6e7ce5db66bf88d453 (patch) | |
| tree | e568ee88b65b3d1b592a74d32e34fd4f2f063847 /perl/Wallet/Schema.pm | |
| parent | 3242b66fbf8274991d3fbb0d02ca85e1e2ca60b6 (diff) | |
Add support for synchronizing a key with an AFS kaserver in the keytab
object implementation, extracting the DES key with Authen::Krb5 (since
ktutil doesn't work).

Rename the KEYTAB_CACHE variable to KEYTAB_REMCTL_CACHE to match the
rest of the keytab retrieval configuration and reorganize the
Wallet::Config documentation to group related configuration options for
the keytab backend.

Fix a column name in the keytab_enctypes table to be more consistent
with the rest of the schema.
Diffstat (limited to 'perl/Wallet/Schema.pm')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | perl/Wallet/Schema.pm | 26 |

1 files changed, 22 insertions, 4 deletions
| diff --git a/perl/Wallet/Schema.pm b/perl/Wallet/Schema.pm index d856433..352f497 100644 --- a/perl/Wallet/Schema.pm +++ b/perl/Wallet/Schema.pm @@ -322,7 +322,25 @@ oh_by stores the authenticated identity that made the change, oh_from stores  the host from which they made the change, and oh_on stores the time the  change was made. -=head2 Storage Backend Data +=head2 Keytab Backend Data + +The keytab backend supports synchronizing keys with an external system.  The +permitted external systems are listed in a normalization table: + +  create table sync_targets +     (st_name             varchar(255) primary key); +  insert into sync_targets (st_name) values ('kaserver'); + +and then the synchronization targets for a given keytab are stored in this +table: + +  create table keytab_sync +     (ks_name             varchar(255) +          not null references objects(ob_name), +      ks_target           varchar(255) +          not null references sync_targets(st_name), +      primary key (ks_name, ks_target)); +  create index ks_name on keytab_sync (ks_name);  The keytab backend supports restricting the allowable enctypes for a given  keytab.  The permitted enctypes are listed in a normalization table: @@ -333,12 +351,12 @@ keytab.  The permitted enctypes are listed in a normalization table:  and then the restrictions for a given keytab are stored in this table:    create table keytab_enctypes -     (ke_principal        varchar(255) +     (ke_name             varchar(255)            not null references objects(ob_name),        ke_enctype          varchar(255)            not null references enctypes(en_name), -      primary key (ke_principal, ke_enctype)); -  create index ke_principal on keytab_enctypes (ke_principal); +      primary key (ke_name, ke_enctype)); +  create index ke_name on keytab_enctypes (ke_name);  To use this functionality, you will need to populate the enctypes table with  the enctypes that a keytab may be restricted to.  Currently, there is no | 
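Review bot: in the new keytab_sync table (first hunk, the @@ -322 region), the ks_name reference to objects(ob_name) carries no on-delete behaviour, so destroying a keytab object will either be rejected by the reference or leave orphaned sync rows, depending on whether the database enforces it, unless the keytab object's destroy path deletes them explicitly; keytab_enctypes has the same shape, so whatever cleanup that table already receives should be extended to keytab_sync, or the text should state that sync targets must be cleared before the object is destroyed. The new section also never says how sync_targets is maintained: the enctypes section that follows ends with "To use this functionality, you will need to populate the enctypes table", and a parallel sentence here would make clear that 'kaserver' is seeded by the schema and that no other target is accepted until a row is added. Minor: `create index ks_name on keytab_sync (ks_name)` indexes the leading column of the primary key (ks_name, ks_target), which most databases can already use; it mirrors the ke_name index in the next hunk, so keep it for consistency or drop both.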
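Review bot: the ke_principal to ke_name rename in the second hunk (the @@ -333 region) changes an existing table's column, primary key and index name, but the hunk only edits the POD; an installation created from the old text will still have a ke_principal column, so the documentation should say that keytab_enctypes and its ke_principal index must be dropped and recreated (or altered) when upgrading, and the keytab object code that selects from, inserts into and deletes from keytab_enctypes needs the new column name in the same change, which this Schema.pm-only diffstat cannot confirm.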
