| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
A new ACL type, ldap-attr (Wallet::ACL::LDAP::Attribute), is now
supported. This ACL type grants access if the LDAP entry
corresponding to the principal contains the attribute name and value
specified in the ACL. The Net::LDAP and Authen::SASL Perl modules are
required to use this ACL type. New configuration settings are
required as well; see Wallet::Config for more information. To enable
this ACL type for an existing wallet database, use wallet-admin to
register the new verifier.
|
|
|
|
|
|
|
|
Add a missing TODO item for purging host-related objects that was
filed in JIRA.
|
|
|
|
Add a comment field to objects and corresponding commands to
wallet-backend and wallet to set and retrieve it. The comment field
can only be set by the owner or wallet administrators but can be seen
by anyone on the show ACL.
|
|
|
|
|
|
Hook the new upgrade method of Wallet::Schema into Wallet::Admin
and the wallet-admin wrapper script.
|
|
Version 0 is the version without the metadata table. Add a new
upgrade method to Wallet::Schema and support upgrading the database
to version 1. (Version 1 is not yet finalized.)
|
|
Add a metadata table whose only column, currently, is a version number.
We will store the version of the schema in this table and use that to
know what to do during upgrades.
|
|
|
|
|
|
|
|
Change how autogen generates man pages to use a loop, which will make
it easier to add more documentation in the future.
|
|
|
|
|
|
Also create the Wallet/ACL/Krb5 directory when copying the Perl
files for srcdir != builddir builds.
|
|
|
|
Add -Wformat=2 -Winit-self -Wswitch-enum -Wdeclaration-after-statement
-Wshadow to the set of gcc warnings. Stop passing -DDEBUG=1 since I no
longer use that define anywhere. Change -W to -Wextra since I'm
requiring a fairly new GCC anyway.
|
|
Update to C TAP Harness 1.5:
* Better reporting of fatal errors in the test suite.
* Summarize results at the end of test execution.
* Add tests/HOWTO from docs/writing-tests in C TAP Harness.
Update to rra-c-util 2.6:
* Fix portability to bundled Heimdal on OpenBSD.
* Improve checking for krb5_kt_free_entry with older MIT Kerberos.
* Fix portability for missing krb5_get_init_creds_opt_free.
* Fix header guard for util/xwrite.h.
* Restore default compiler configuration after GSS-API library probe.
|
|
|
|
Add the report of purge-eligible keytabs and the command to do the
purge. The command-line parsing still needs work.
|
|
|
|
This script now uses Wallet::Report, not Wallet::Admin.
|
|
Test partial rekeying, aboring due to failure to rekey, and skipping
a keytab because all principals were foreign.
|
|
Rekey the keytab in the same principal order as what's stored in the
keytab rather than reversing it, since that makes it easier to test.
Suppress the error message about no data from the server if the server
sent an error. Fix some coding style and spelling errors.
|
|
In wallet-rekey, if the keytab we're supposed to rekey has no rekeyable
principals, die rather than sysdie since there's no errno error to
report.
|
|
If we get a failure to rekey a principal before we've succeeded with
any principal, abort rather than continuing.
|
|
The loop handling finding principals to rekey was not correctly
coping with principals from foreign realms.
|
|
|
|
This confirms basic functionality, but doesn't test more interesting
things like rekeying multiple keys in the same keytab or skipping
principals that aren't from the local realm.
|
|
fake-keytab-old had a higher kvno than fake-keytab, which is going to
confuse matters for future tests. Rework them so that kvnos increase.
|
|
The check for whether we got the right keytab data was not being done
on Heimdal since it only knew how to run klist. Add a new ktutil_list
function to kerberos.sh that runs klist or ktutil list as appropriate.
|
|
|
|
|
|
Build a separate wallet-rekey client that rekeys every keytab given
on the command-line. Fix some coding style issues and add internal
prototypes. Build the shared source for both clients into an
uninstalled library to save compilation time.
|
|
|
|
Cleaned up several bugs preventing the rekey command from working (bad
calls to variables, matching on version of principal name already stripped
of realm), and removed debugging code.
|
|
First, testing version of wallet rekey code, committed in order to get
feedback from Russ. This code will eventually take an existing keytab
file, and for every principal belonging to our default realm in it, get
new versions of that keytab and merge them into the file. This allows
for quietly rekeying principals automatically.
|
|
|
|
|
