Age | Commit message | Author |
|
Move all reporting from Wallet::Admin to Wallet::Report and simplify
the method names since they're now part of a dedicated reporting
class. Similarly, create a new wallet-report script to wrap
Wallet::Report, moving all reporting commands to it from wallet-admin,
and simplify the commands since they're for a dedicated reporting
script.
Remove the contrib script wallet-report to wallet-summary so that it
doesn't conflict with the new reporting backend script.
|
|
Change the API for keytab_rekey to match keytab, returning the keytab
as data instead of writing it to a file. This simplifies the wallet
object implementation and moves the logic for reading the temporary
file into Wallet::Kadmin and its child classes. (Eventually, there may
be a kadmin backend that doesn't require using a temporary file.)
Setting KEYTAB_TMP is now required to instantiate either the ::MIT or
::Heimdal Wallet::Kadmin classes.
|
|
Heimdal supports retrieving a keytab containing the existing keys over
the kadmin protocol. Move the support for using remctl to retrieve an
existing keytab into Wallet::Kadmin::MIT and provide two separate
methods in the Wallet::Kadmin interface: one which rekeys and one which
doesn't. Implement the non-rekeying interface for Heimdal. Expand the
test suite for the unchanging keytabs to include tests for the Heimdal
method.
|
|
Pull the sync code out into separate methods to avoid a really long and
awkward attr method. Document the limited object support for the sync
attribute.
|
|
Now that we support multiple versions of Kerberos, use generic names
for the functions in the Wallet::Kadmin interface rather than the
commands from the MIT kadmin interface.
|
|
Rather than duplicating the API documentation in both ::Heimdal and
::MIT, move it into Wallet::Kadmin and just reference that from the
subclasses. Add documentation for exists(), since that's part of the
public API. Move a few methods around and fix a few other minor
documentation differences.
|
|
Remove the separate kadmin_client method by combining it with the
constructor, since that was the only place it was called.
|
|
Take advantage of inheritance by providing the error method in
Wallet::Kadmin rather than separately in both the subclasses.
|
|
Only call fork_callback in Wallet::Kadmin::MIT if it's set, allowing
the module to work without setting it.
|
|
Move the stub fork_callback method into Wallet::Kadmin and make both
Wallet::Kadmin::Heimdal and Wallet::Kadmin::MIT inherit from
Wallet::Kadmin. Add POD documentation for fork_callback.
|
|
The wallet client documentation said that you always needed an existing
ticket. Mention that -u will work as well.
|
|
Add a POD spelling test to the non-Perl-module part of the code and
move the documentation tests into a separate directory. Merge the
POD syntax tests between client and server into one test.
Reformat all of the POD documentation to use 74 columns. Fix a few
revealed spelling errors or weird wordings.
|
|
Add .placeholder to the file list, fix the location of the Automake
support files that are now in build-aux, and remove an old reference
to TEST_FILES.
|
|
Also update the POD syntax check to the current version of that check
I use elsewhere. Since I'm touching all the POD anyway, also rewrap
all of the POD to 74 columns. Fix some references to MIT in the
Wallet::Kadmin::Heimdal module documentation.
|
|
Simplify the build rules for the test suite to take advantage of the
improved runtests support for builddir != srcdir. Stop doing Autoconf
substitution on full.conf now that we have that support.
|
|
Anything that only was using substitution for the paths to the build
tree now uses $SOURCE and $BUILD instead. Stop doing substitution.
Also fix tests/data/cmd-wrapper to use the environment variables.
|
|
Now that runtests has been updated to a version that sets $SOURCE and
$BUILD, use that in the test cases rather than Autoconf substitutions.
|
|
* Update portable and util tests for C TAP Harness 1.1.
* Remove the need for Autoconf substitution in test programs.
* Support running a single test program with runtests -o.
* Properly handle test cases that are skipped in their entirety.
* Much improved C TAP library more closely matching Test::More.
Rewrite client/basic-t to use the new test library functions and my
current test case coding style.
|
|
Use the Kerberos portability layer from rra-c-util 3.0 and avoid
Kerberos API calls deprecated on Heimdal. Break util/util.h into
separate header files and update all source files accordingly.
The test suite is not yet updated. That will come in subsequent
commits.
|
|
Add replacements for mkstemp and setenv, since we now use them when
obtaining credentials in the client. Fix the bool type with Sun Studio
12 on Solaris 10.
|
|
Also use set -e in autogen and add --force to autoreconf.
|
|
* Sanity-check the results of krb5-config before proceeding.
* Fall back on manual probing if krb5-config results don't work.
* Add --with-krb5-include and --with-krb5-lib configure options.
* Add --with-remctl-include and --with-remctl-lib configure options.
* Add --with-gssapi-include and --with-gssapi-lib configure options.
* Don't break if the user clobbers CPPFLAGS at build time.
* Suppress error output from krb5-config probes.
* Prefer KRB5_CONFIG over a path constructed from --with-*.
* Update GSS-API probes for Solaris 10's native implementation.
* Change AC_TRY_* to AC_*_IFELSE as recommended by Autoconf.
Also strip out more outdated AFS kaserver instructions from README.
|
|
The wallet client now uses a temporary disk ticket cache when
obtaining tickets with the -u option rather than an in-memory cache,
allowing for a libremctl built against a different Kerberos
implementation than the wallet client. This primarily helps with
testing.
|
|
The code to support the attribute is still present in case we add a
system with which to synchronize later on.
|
|
Heimdal requires the full name and doesn't support the short name that
MIT has as an alias. Change the documentation to use the long name
uniformly.
|
|
The wallet client no longer enables kaserver synchronization when a
srvtab is requested with -S. Instead, it just extracts the DES key
from the keytab and writes it to a srvtab. It no longer forces the
kvno of the srvtab to 0 (a Stanford-specific action) and instead
preserves the kvno from the key in the keytab. This should now do the
right thing for sites that use a KDC that serves both Kerberos v4 and
Kerberos v5 from the same database.
|
|
KEYTAB_KRBTYPE wasn't documented in Wallet::Config. Add it and the
variable declaration. Also document the new mandatory setting in
NEWS and add the Heimdal::Kadm5 requirement to README. Remove some
of the language in README that implies that only MIT Kerberos is
supported.
Make the setting case-insensitive and improve the error message from
Wallet::Kadmin if it isn't set.
|
|
Remove kaserver synchronization support. It is no longer tested, and
retaining the code was increasing the complexity of wallet, and some
specific requirements (such as different realm names between kaserver
and Kerberos v5 and the kvno handling) were Stanford-specific. Rather
than using this support, AFS sites running kaserver will probably find
deploying Heimdal with its internal kaserver compatibility is probably
an easier transition approach.
|
|
Map the AES enctype to the full enctype name, which will work for both
MIT and Heimdal. Fix the test count. Really test rollback from invalid
enctypes (what we did before made no sense). Skip tests that will just
fail if the enctype stuff is not working, since otherwise it confuses
matters.
|
|
We may have a different userspace than the Kerberos type, so always
try klist -ke first and then fall back on ktutil if it fails.
Also display the error message in a few more places if things fail,
discovered as useful when debugging other problems.
|
|
All the Wallet::Kadmin::Heimdal functions were canonicalizing principals
using duplicate code, and that code assumed that all principal names
would be unqualified. Centralize that code in one helper routine and
support already-qualified principals so that we can use these functions
easily from the test suite.
|
|
Now that we have Wallet::Kadmin, use it, rather than running the kadmin
client program. We may not have the same kadmin client program as the
server that we're testing against.
|
|
Just get the client code to compile with Heimdal. This will need more
work later to use my regular Kerberos portability layer.
|
|
Don't use kadmin to check for principal existence. We want to verify
that we can get tickets, not just look at kadmin. Use whatever is found
on the user's PATH, not something based on the Kerberos type, since our
userspace may not match the server implementation.
|