Age | Commit message | Author |
|
Add the krb5-regex ACL type and corresponding Wallet::ACL::Krb5::Regex
module. This ACL is identical to krb5 except that it takes a regular
expression matching principals instead of a string that must match
exactly.
|
The check for the enctypes of created keytabs tries klist for MIT
first and then Heimdal ktutil. The klist options are invalid for
Heimdal. Suppress the resulting complaining to standard error.
|
Add an acls duplicate report to wallet-report and Wallet::Report,
returning sets of ACLs that have exactly the same entries.
|
Add an objects unused report to wallet-report and Wallet::Report,
returning all objects that have never been downloaded (in other words,
have never been the target of a get command).
|
The previous wording implied that <group>-<server>-tivoli-key was only
used for encryption keys. Allow for either passwords or encryption keys,
and remove the note that it should be base64-encoded since wallet now
supports binary files.
|
We got lucky since client/internal.h includes this anyway, but include
the portability layer properly.
|
Parallel to objects name, add an acls name audit that returns all ACLs
that do not follow the site naming standard.
|
Wallet::Config now supports an additional local function,
verify_acl_name, which can be used to enforce ACL naming policies. If
set, it is called for any ACL creation or rename and can reject the
new ACL name.
|
Add the acls unused report to wallet-report and Wallet::Report,
returning all ACLs not referenced by any database objects.
|
The front-end still had the commands and documentation that had been
moved to wallet-report. Pull them out of wallet-admin to avoid being
confusing.
|
Do this only in the main text, not in the SEE ALSO section, since the
latter is more for conventional man pages. This will produce better
results for some POD to HTML converters (although not mine, yet).
|
Add an audit command to wallet-report and one audit: objects name,
which returns all objects that do not pass the local naming policy.
The corresponding Wallet::Report method is audit().
Wallet::Config::verify_name may now be called with an undefined third
argument (normally the user attempting to create an object). This
calling convention is used when auditing, and the local policy
function should select the correct policy to apply for useful audit
results.
|
When deleting an ACL on the server, verify that the ACL is not
referenced by any object first. Database referential integrity should
also catch this, but not all database backends may enforce referential
integrity. This also allows us to return a better error message
naming an object that's still using that ACL.
|
Coding style update. Don't prefix the file short description with the
file name; it's not needed.
|
Fix portability to older Kerberos libraries without
krb5_free_error_message.
|
The test created krb5.conf first thing, but didn't delete it if
skipping all of the tests.
|
Now that the wallet client uses struct iovec, it needs to include the
relevant header file. Import the portability layer for possible future
Windows support.
|
Update the wallet client, wallet-backend, and Wallet::Object::File
documentation for the support for storing data containing nul
characters using the new stdin support in remctld. Add this to NEWS.
|
If there is no third argument to store, read it from standard input
instead. This is the preferred way of running wallet-backend, using
stdin=last support from remctl 2.14 and later. Receiving the third
argument as a regular argument continues to be supported for backward
compatibility.
|
Refactor the wallet client code to use remctl_commandv and send stores
with data containing nul.
|
Remove some TODO items that are no longer relevant, either because they've
been implemented or because we no longer care about Kerberos v4 principal
name conversion.
|