New upstream version 1.4

1 files changed, 95 insertions, 24 deletions

diff --git a/perl/lib/Wallet/Config.pm b/perl/lib/Wallet/Config.pm
index b8771c3..60f0e10 100644
--- a/perl/lib/Wallet/Config.pm
+++ b/perl/lib/Wallet/Config.pm
@@ -1,11 +1,11 @@
 # Wallet::Config -- Configuration handling for the wallet server
 #
 # Written by Russ Allbery <eagle@eyrie.org>
-# Copyright 2016 Russ Allbery <eagle@eyrie.org>
-# Copyright 2007, 2008, 2010, 2013, 2014, 2015
+# Copyright 2016, 2018 Russ Allbery <eagle@eyrie.org>
+# Copyright 2007-2008, 2010, 2013-2015
 #     The Board of Trustees of the Leland Stanford Junior University
 #
-# See LICENSE for licensing terms.
+# SPDX-License-Identifier: MIT
 
 package Wallet::Config;
 
@@ -13,7 +13,7 @@ use 5.008;
 use strict;
 use warnings;
 
-our $VERSION = '1.03';
+our $VERSION = '1.04';
 
 # Path to the config file to load.
 our $PATH = $ENV{WALLET_CONFIG} || '/etc/wallet/wallet.conf';
@@ -26,7 +26,7 @@ Wallet::Config - Configuration handling for the wallet server
 DBI DSN SQLite subdirectories KEYTAB keytab kadmind KDC add-ons kadmin DNS
 SRV kadmin keytabs remctl backend lowercased NETDB ACL NetDB unscoped
 usernames rekey hostnames Allbery wallet-backend keytab-backend Heimdal
-rekeys WebAuth WEBAUTH keyring LDAP DN GSS-API integrations msktutil
+rekeys WebAuth WEBAUTH keyring LDAP DN GSS-API integrations msktutil CN DIT
 
 =head1 SYNOPSIS
 
@@ -415,40 +415,48 @@ our $KEYTAB_TMP;
 
 =back
 
-The following parameters are specific to generating keytabs from Active
-Directory (KEYTAB_KRBTYPE is set to C<AD>).
+The following parameters are specific to generating keytabs from
+Active Directory (KEYTAB_KRBTYPE is set to C<AD>).
 
 =over 4
 
+=item AD_BASE_DN
+
+The base distinguished name of the Active Directory instance.  This is used
+when Wallet uses LDAP directly to examine objects in Active Directory.
+
+=cut
+
+our $AD_BASE_DN;
+
 =item AD_CACHE
 
 Specifies the ticket cache to use when manipulating Active Directory objects.
 The ticket cache must be for a principal able to bind to Active Directory and
 run B<msktutil>.
 
-AD_CACHE must be set to use Active Directory support.
-
 =cut
 
 our $AD_CACHE;
 
-=item AD_COMPUTER_DN
+=item AD_COMPUTER_RDN
 
-The LDAP base DN for computer objects inside Active Directory.  All keytabs of
-the form host/<hostname> will be mapped to objects with a C<samAccountName> of
-the <hostname> portion under this DN.
+The LDAP base DN for computer objects inside Active Directory.  All
+keytabs of the form host/<hostname> will be mapped to objects with a
+C<samAccountName> of the <hostname> portion under this DN.
 
-AD_COMPUTER_DN must be set if using Active Directory as the keytab backend.
+AD_COMPUTER_RDN must be set if using Active Directory as the keytab
+backend.
 
 =cut
 
-our $AD_COMPUTER_DN;
+our $AD_COMPUTER_RDN;
 
 =item AD_DEBUG
 
-If set to true, asks for some additional debugging information, such as the
-B<msktutil> command, to be logged to syslog.  These debugging messages will be
-logged to the C<local3> facility.
+If set to true, asks for some additional debugging information, such
+as the B<msktutil> command, to be logged to syslog.  These debugging
+messages will be logged to the C<local3> facility.
 
 =cut
 
@@ -464,17 +472,64 @@ default PATH.
 
 our $AD_MSKTUTIL = 'msktutil';
 
-=item AD_USER_DN
+=item AD_SERVICE_LENGTH
+
+The maximum length of a unique identifier, C<samAccountName>, for Active
+Directory keytab objects.  If the identifier exceeds this length then it will
+be truncated and an integer will be appended to the end of the identifier.
+This parameter is here in hopes that at some point in the future Microsoft
+will remove the limitation.
+
+=cut
+
+our $AD_SERVICE_LENGTH = '20';
+
+=item AD_SERVICE_LIMIT
+
+Used to limit the number of iterations used in attempting to find a
+unique account name for principals.  Defaults to 999.
+
+=cut
+
+our $AD_SERVICE_LIMIT = '999';
+
+=item AD_SERVICE_PREFIX
+
+For service principals the AD_SERVICE_PREFIX will be combined with the
+principal identifier to form the account name, i.e. the CN, used to
+store the keytab entry in the Active Directory.  Active Directory
+limits these CN's to a maximum of 20 characters.  If the resulting CN
+is greater than 20 characters the CN will be truncated and an integer
+will be appended to it.  The integer will be incremented until a
+unique CN is found.
+
+The AD_SERVICE_PREFIX is generally useful only prevent name collisions
+when the service keytabs are store in branch of the DIT that also
+contains other similar objects.
+
+=cut
+
+our $AD_SERVICE_PREFIX;
+
+=item AD_SERVER
+
+The hostname of the Active Directory Domain Controller.
+
+=cut
+
+our $AD_SERVER;
+
+=item AD_USER_RDN
 
 The LDAP base DN for user objects inside Active Directory.  All keytabs of the
 form service/<user> will be mapped to objects with a C<servicePrincipalName>
 matching the wallet object name under this DN.
 
-AD_USER_DN must be set if using Active Directory as the keytab backend.
+AD_USER_RDN must be set if using Active Directory as the keytab backend.
 
 =cut
 
-our $AD_USER_DN;
+our $AD_USER_RDN;
 
 =back
 
@@ -482,8 +537,9 @@ our $AD_USER_DN;
 
 Heimdal provides the choice, over the network protocol, of either
 downloading the existing keys for a principal or generating new random
-keys.  MIT Kerberos does not; downloading a keytab over the kadmin
-protocol always rekeys the principal.
+keys.  Neither MIT Kerberos or Active Directory support retrieving an
+existing keytab; downloading a keytab over the kadmin protocol or
+using msktutil always rekeys the principal.
 
 For MIT Kerberos, the keytab object backend therefore optionally supports
 retrieving existing keys, and hence keytabs, for Kerberos principals by
@@ -491,6 +547,11 @@ contacting the KDC via remctl and talking to B<keytab-backend>.  This is
 enabled by setting the C<unchanging> flag on keytab objects.  To configure
 that support, set the following variables.
 
+For Active Directory Kerberos, the keytab object backend supports
+storing the keytabs on the wallet server.  This functionality is
+enabled by setting the configuration variable AD_KEYTAB_BUCKET.  (This
+had not been implemented yet.)
+
 This is not required for Heimdal; for Heimdal, setting the C<unchanging>
 flag is all that's needed.
 
@@ -542,6 +603,16 @@ will be used.
 
 our $KEYTAB_REMCTL_PORT;
 
+=item AD_KEYTAB_BUCKET
+
+The path to store a copy of keytabs created.  This is required for the
+support of unchanging keytabs with an Active Directory KDC.  (This has
+not been implemented yet.)
+
+=cut
+
+our $AD_KEYTAB_BUCKET = '/var/lib/wallet/keytabs';
+
 =back
 
 =head1 WEBAUTH KEYRING OBJECT CONFIGURATION
@@ -984,7 +1055,7 @@ __END__
 DBI(3), Wallet::Object::Keytab(3), Wallet::Server(3), wallet-backend(8)
 
 This module is part of the wallet system.  The current version is
-available from L<http://www.eyrie.org/~eagle/software/wallet/>.
+available from L<https://www.eyrie.org/~eagle/software/wallet/>.
 
 =head1 AUTHOR