authorBill MacAllister <whm@dropbox.com>2016-04-03 18:40:00 +0000
committerRuss Allbery <eagle@eyrie.org>2018-05-27 17:33:31 -0700
commit2b05e1d33eff84aec21202d09821a54c95446a24 (patch)
treec1771862000218526c44c158cc5e60f6f35bd8cd /perl
parent18f0408114e67c218382d013c255f1101954ac68 (diff)
Add ad-keytab, update Wallet::Config
* This ad-keytab is useful in the initial setup of AD as a keytab store for wallet. * Change configuration variables to correctly reflect that some values are relative distinguished names. * Add a configuration variable for the base distinguished name for ActiveDirectory.
Diffstat (limited to 'perl')
-rw-r--r--perl/lib/Wallet/Config.pm78
-rw-r--r--perl/lib/Wallet/Kadmin/AD.pm51
2 files changed, 81 insertions, 48 deletions
diff --git a/perl/lib/Wallet/Config.pm b/perl/lib/Wallet/Config.pm
index 6515756..2222aba 100644
--- a/perl/lib/Wallet/Config.pm
+++ b/perl/lib/Wallet/Config.pm
@@ -415,40 +415,39 @@ our $KEYTAB_TMP;
=back
-The following parameters are specific to generating keytabs from Active
-Directory (KEYTAB_KRBTYPE is set to C<AD>).
+The following parameters are specific to generating keytabs from
+Active Directory (KEYTAB_KRBTYPE is set to C<AD>).
=over 4
-=item AD_CACHE
-
-Specifies the ticket cache to use when manipulating Active Directory objects.
-The ticket cache must be for a principal able to bind to Active Directory and
-run B<msktutil>.
+=item AD_BASE_DN
-AD_CACHE must be set to use Active Directory support.
+The base distinguished name of the ActiveDirectory instance. This is
+use when Wallet uses LDAP directly to examine objects in Active
+Directory.
=cut
-our $AD_CACHE;
+our $AD_BASE_DN;
-=item AD_COMPUTER_DN
+=item AD_COMPUTER_RDN
-The LDAP base DN for computer objects inside Active Directory. All keytabs of
-the form host/<hostname> will be mapped to objects with a C<samAccountName> of
-the <hostname> portion under this DN.
+The LDAP base DN for computer objects inside Active Directory. All
+keytabs of the form host/<hostname> will be mapped to objects with a
+C<samAccountName> of the <hostname> portion under this DN.
-AD_COMPUTER_DN must be set if using Active Directory as the keytab backend.
+AD_COMPUTER_RDN must be set if using Active Directory as the keytab
+backend.
=cut
-our $AD_COMPUTER_DN;
+our $AD_COMPUTER_RDN;
=item AD_DEBUG
-If set to true, asks for some additional debugging information, such as the
-B<msktutil> command, to be logged to syslog. These debugging messages will be
-logged to the C<local3> facility.
+If set to true, asks for some additional debugging information, such
+as the B<msktutil> command, to be logged to syslog. These debugging
+messages will be logged to the C<local3> facility.
=cut
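Review bot: The AD_COMPUTER_RDN description on the added lines still calls the value "The LDAP base DN for computer objects" and says objects live "under this DN", which contradicts the rename: AD.pm in this same commit builds the search base as `AD_COMPUTER_RDN . ',' . AD_BASE_DN`, so the value is a DN relative to AD_BASE_DN, not a base DN. Suggested wording: `The distinguished name, relative to AD_BASE_DN, of the container holding computer objects. All keytabs of the form host/<hostname> are mapped to objects with a C<samAccountName> of the <hostname> portion under this container.` The AD_BASE_DN paragraph also has `This is use when` for `This is used when`, and the same stale "base DN" wording remains for AD_USER_RDN in the following hunk.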
@@ -464,17 +463,25 @@ default PATH.
our $AD_MSKTUTIL = 'msktutil';
-=item AD_USER_DN
+=item AD_SERVER
+
+The hostname of the Active Directory Domain Controller.
+
+=cut
+
+our $AD_SERVER;
+
+=item AD_USER_RDN
The LDAP base DN for user objects inside Active Directory. All keytabs of the
form service/<user> will be mapped to objects with a C<servicePrincipalName>
matching the wallet object name under this DN.
-AD_USER_DN must be set if using Active Directory as the keytab backend.
+AD_USER_RDN must be set if using Active Directory as the keytab backend.
=cut
-our $AD_USER_DN;
+our $AD_USER_RDN;
=back
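Review bot: AD_SERVER is introduced without saying whether it is required or what is used when it is unset; the new "Active Directory support not configured" check in AD.pm's msktutil() (this commit) requires AD_BASE_DN and the two RDNs but not AD_SERVER, so if the direct-LDAP path depends on it (not visible here) a missing value would surface as a connection failure rather than a configuration error. Either document the fallback, or document it as mandatory with `AD_SERVER must be set if using Active Directory as the keytab backend.` and add it to that check. It would also help to state the expected form (bare hostname rather than a URI), since the text only says "The hostname".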
@@ -482,8 +489,9 @@ our $AD_USER_DN;
Heimdal provides the choice, over the network protocol, of either
downloading the existing keys for a principal or generating new random
-keys. MIT Kerberos does not; downloading a keytab over the kadmin
-protocol always rekeys the principal.
+keys. Neither MIT Kerberos or ActiveDirectory support retrieving an
+existing keytab; downloading a keytab over the kadmin protocol or
+using msktutil always rekeys the principal.
For MIT Kerberos, the keytab object backend therefore optionally supports
retrieving existing keys, and hence keytabs, for Kerberos principals by
@@ -491,6 +499,11 @@ contacting the KDC via remctl and talking to B<keytab-backend>. This is
enabled by setting the C<unchanging> flag on keytab objects. To configure
that support, set the following variables.
+For ActiveDirectory Kerberos, the keytab object backend supports
+storing the keytabs on the wallet server. This functionality is
+enabled by setting the configuration variable AD_KEYTAB_BUCKET. (This
+had not been implemented yet.)
+
This is not required for Heimdal; for Heimdal, setting the C<unchanging>
flag is all that's needed.
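Review bot: The added sentence `Neither MIT Kerberos or ActiveDirectory support retrieving an existing keytab` needs `nor` with `Neither`, singular agreement, and the spelling the rest of the file uses: `Neither MIT Kerberos nor Active Directory supports retrieving an existing keytab; downloading a keytab over the kadmin protocol or using msktutil always rekeys the principal.` The new paragraph's `(This had not been implemented yet.)` should read `(This has not been implemented yet.)`, matching the AD_KEYTAB_BUCKET entry later in this file.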
@@ -542,6 +555,25 @@ will be used.
our $KEYTAB_REMCTL_PORT;
+=item AD_CACHE
+
+The ticket cache that hold credentials used to access the
+ActiveDirectory KDC. This must be created and maintained externally.
+
+=cut
+
+our $AD_CACHE;
+
+=item AD_KEYTAB_BUCKET
+
+The path to store a copy of keytabs created. This is required for the
+support of unchanging keytabs with an ActiveDirectory KDC. (This has
+not been implemented yet.)
+
+=cut
+
+our $AD_KEYTAB_BUCKET = '/var/lib/wallet/keytabs';
+
=back
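Review bot: AD_KEYTAB_BUCKET is given a live default of `/var/lib/wallet/keytabs` for a feature the same paragraph says is not implemented, and nothing tells the operator that this directory will hold long-lived Kerberos keys equivalent to each principal's password. The description should state the required ownership and mode, for example `The directory must exist, be owned by the user the wallet server runs as, and be inaccessible to other users (mode 0700), since each file it holds contains live Kerberos keys.` Leaving the variable undefined until the feature lands would avoid any other code treating the path as configured; that is a suggestion, since the consumer of the variable is not in this diff. The AD_CACHE text above also has `The ticket cache that hold` for `holds`.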
=head1 WEBAUTH KEYRING OBJECT CONFIGURATION
diff --git a/perl/lib/Wallet/Kadmin/AD.pm b/perl/lib/Wallet/Kadmin/AD.pm
index ec60af9..1c13ab6 100644
--- a/perl/lib/Wallet/Kadmin/AD.pm
+++ b/perl/lib/Wallet/Kadmin/AD.pm
@@ -1,8 +1,8 @@
# Wallet::Kadmin::AD -- Wallet Kerberos administration API for AD
#
-# Written by Bill MacAllister <bill@ca-zephyr.org>
+# Written by Bill MacAllister <whm@dropbox.com>
# Copyright 2016 Russ Allbery <eagle@eyrie.org>
-# Copyright 2015 Dropbox, Inc.
+# Copyright 2015,2016 Dropbox, Inc.
# Copyright 2007, 2008, 2009, 2010, 2014
# The Board of Trustees of the Leland Stanford Junior University
#
@@ -100,17 +100,19 @@ sub ldap_base_filter {
my $fqdn = $1;
my $host = $fqdn;
$host =~ s/[.].*//xms;
- $base = $Wallet::Config::AD_COMPUTER_DN;
$filter = "(samAccountName=${host}\$)";
+ $base = $Wallet::Config::AD_COMPUTER_RDN . ','
+ . $Wallet::Config::AD_BASE_DN;
} elsif ($principal =~ m,^service/(\S+),xms) {
my $id = $1;
- $base = $Wallet::Config::AD_USER_DN;
$filter = "(servicePrincipalName=service/${id})";
+ $base
+ = $Wallet::Config::AD_USER_RDN . ',' . $Wallet::Config::AD_BASE_DN;
}
return ($base, $filter);
}
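Review bot: The new `$base` composition is fine, but the filters on the adjacent context lines still interpolate `$host` and `$id` — taken from the principal with `\S+` — directly into the LDAP filter, so a name containing `*`, `(`, `)` or `\` changes the query instead of being matched literally. If principal names are not constrained before they reach this code (not visible here), escape them with Net::LDAP::Util's escape_filter_value, assuming Net::LDAP is the client behind the "uses LDAP directly" path: `$filter = '(samAccountName=' . escape_filter_value($host) . '$)';` and likewise `'(servicePrincipalName=service/' . escape_filter_value($id) . ')'`. The `ldap_base_filter` sub starts outside this hunk.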
-# TODO: Get a keytab from the keytab cache.
+# TODO: Get a keytab from the keytab bucket.
sub get_ad_keytab {
my ($self, $principal) = @_;
return;
@@ -125,13 +127,16 @@ sub get_ad_keytab {
sub msktutil {
my ($self, $args_ref) = @_;
unless (defined($Wallet::Config::KEYTAB_HOST)
+ and defined($Wallet::Config::KEYTAB_PRINCIPAL)
+ and defined($Wallet::Config::KEYTAB_FILE)
and defined($Wallet::Config::KEYTAB_REALM))
{
die "keytab object implementation not configured\n";
}
- unless (defined($Wallet::Config::AD_CACHE)
- and defined($Wallet::Config::AD_COMPUTER_DN)
- and defined($Wallet::Config::AD_USER_DN))
+ unless (-e $Wallet::Config::AD_MSKTUTIL
+ and defined($Wallet::Config::AD_BASE_DN)
+ and defined($Wallet::Config::AD_COMPUTER_RDN)
+ and defined($Wallet::Config::AD_USER_RDN))
{
die "Active Directory support not configured\n";
}
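Review bot: The new `-e $Wallet::Config::AD_MSKTUTIL` test fails on a correctly configured server when AD_MSKTUTIL keeps its documented default of the bare name `msktutil`: `-e` stats a path relative to the current directory and does not search PATH, so the check dies with "Active Directory support not configured" unless the binary happens to be in the cwd or the setting is an absolute path. Apply the file test only when the value contains a slash, and use `-x` rather than `-e` so an unexecutable file is also rejected: `if ($Wallet::Config::AD_MSKTUTIL =~ m{/}xms and not -x $Wallet::Config::AD_MSKTUTIL) { die "msktutil not found at $Wallet::Config::AD_MSKTUTIL\n" }`. Separately, the `defined($Wallet::Config::AD_CACHE)` requirement was dropped from this check while Config.pm still documents AD_CACHE as the externally maintained credential cache; if the rest of this sub (outside the hunk) still points KRB5CCNAME at it, an unset value should remain a configuration error here. The `msktutil` sub continues past the end of this hunk.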
@@ -192,14 +197,16 @@ sub ad_create_update {
my $fqdn = $1;
my $host = $fqdn;
$host =~ s/[.].*//xms;
+ push @cmd, '--base', $Wallet::Config::COMPUTER_RDN;
push @cmd, '--dont-expire-password';
push @cmd, '--computer-name', $host;
- push @cmd, '--upn', "host/$fqdn";
- push @cmd, '--hostname', $fqdn;
+ push @cmd, '--upn', "host/$fqdn";
+ push @cmd, '--hostname', $fqdn;
} elsif ($principal =~ m,^service/(\S+),xms) {
my $service_id = $1;
+ push @cmd, '--base', $Wallet::Config::USER_RDN;
push @cmd, '--use-service-account';
- push @cmd, '--service', "service/$service_id";
+ push @cmd, '--service', "service/$service_id";
push @cmd, '--account-name', "srv-${service_id}";
push @cmd, '--no-pac';
}
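Review bot: The two added `--base` lines read `$Wallet::Config::COMPUTER_RDN` and `$Wallet::Config::USER_RDN`, but Config.pm in this same commit declares `$AD_COMPUTER_RDN` and `$AD_USER_RDN`; fully qualified package variables are not caught by `strict`, so both are silently undef and msktutil is handed an empty `--base` argument (with an uninitialized-value warning under `warnings`), which defeats the point of the change. Change them to `push @cmd, '--base', $Wallet::Config::AD_COMPUTER_RDN;` and `push @cmd, '--base', $Wallet::Config::AD_USER_RDN;`. The `ad_create_update` sub starts and ends outside this hunk.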
@@ -365,9 +372,15 @@ sub ad_delete {
if ($k_type eq 'host') {
my $host = $k_id;
$host =~ s/[.].*//;
- $dn = "cn=${host}," . $Wallet::Config::AD_COMPUTER_DN;
+ $dn
+ = "cn=${host},"
+ . $Wallet::Config::AD_COMPUTER_RDN . ','
+ . $Wallet::Config::AD_BASE_DN;
} elsif ($k_type eq 'service') {
- $dn = "cn=srv-${k_id}," . $Wallet::Config::AD_USER_DN;
+ $dn
+ = "cn=srv-${k_id},"
+ . $Wallet::Config::AD_USER_RDN . ','
+ . $Wallet::Config::AD_BASE_DN;
}
}
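Review bot: The rebuilt DNs interpolate `$host` and `$k_id` into `cn=...` without escaping, so a principal component containing an RFC 4514 special (`,`, `+`, `"`, `\`, `<`, `>`, `;`, or a leading `#` or space) yields a DN that differs from the object that was created — at best the delete fails, at worst it addresses a different object. If the names are not constrained before reaching `ad_delete` (not visible here), escape them with Net::LDAP::Util's escape_dn_value, assuming Net::LDAP is the client in use: `"cn=" . escape_dn_value($host) . ","` and the same for `"srv-${k_id}"`. The RDN-comma-AD_BASE_DN composition now appears both here and in `ldap_base_filter`; a small private helper returning the container DN for a given RDN would keep the two from drifting. `ad_delete` starts and ends outside this hunk.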
@@ -435,18 +448,6 @@ using a local keytab cache.
To use this class, several configuration parameters must be set. See
L<Wallet::Config/"KEYTAB OBJECT CONFIGURATION"> for details.
-=head1 FILES
-
-=over 4
-
-=item KEYTAB_TMP/keytab.<pid>
-
-The keytab is created in this file and then read into memory. KEYTAB_TMP
-is set in the wallet configuration, and <pid> is the process ID of the
-current process. The file is unlinked after being read.
-
-=back
-
=head1 LIMITATIONS
Currently, this implementation calls an external B<msktutil> program rather