| Age | Commit message (Collapse) | Author |
|---|
|
Change-Id: I06dd9ecca19315179bdd34d4b301548fe7604331
Reviewed-on: https://gerrit.stanford.edu/842
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Install the wallet schema files generated by DBIx::Class for the
various supported database engines into /usr/local/share/wallet
(by default, using pkgdatadir) on make install. Set the default
$DB_DDL_DIRECTORY value in Wallet::Config accordingly.
Change-Id: I7ec52b171bc6aca2c3e1040c037e7cf24553231f
Reviewed-on: https://gerrit.stanford.edu/794
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Moved all the Perl code to use DBIx::Class for the database interface.
This includes updating all database calls, how the schema is generated
and maintained, and the tests in places where some output has changed.
We also remove the schema.t test, as the tests for it are more covered
in the admin.t tests now.
Change-Id: Ie5083432d09a0d9fe364a61c31378b77aa7b3cb7
Reviewed-on: https://gerrit.stanford.edu/598
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
A copy/paste error from the file object configuration.
Change-Id: Ie3ee48ed7adcf3fa50a510f085e664c5b0c91300
Reviewed-on: https://gerrit.stanford.edu/712
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Fix a formatting error in Wallet::ACL::LDAP::Attribute and add new
stopwords required by the latest aspell.
|
|
This is very preliminary. There is no test suite yet, no
documentation, and the test suite currently doesn't pass for other
reasons.
|
|
A new ACL type, ldap-attr (Wallet::ACL::LDAP::Attribute), is now
supported. This ACL type grants access if the LDAP entry
corresponding to the principal contains the attribute name and value
specified in the ACL. The Net::LDAP and Authen::SASL Perl modules are
required to use this ACL type. New configuration settings are
required as well; see Wallet::Config for more information. To enable
this ACL type for an existing wallet database, use wallet-admin to
register the new verifier.
|
|
Parallel to objects name, add an acls name audit that returns all ACLs
that do not follow the site naming standard.
|
|
Wallet::Config now supports an additional local function,
verify_acl_name, which can be used to enforce ACL naming policies. If
set, it is called for any ACL creation or rename and can reject the
new ACL name.
|
|
Do this only in the main text, not in the SEE ALSO section, since the
latter is more for conventional man pages. This will produce better
results for some POD to HTML converters (although not mine, yet).
|
|
Add an audit command to wallet-report and one audit: objects name,
which returns all objects that do not pass the local naming policy.
The corresponding Wallet::Report method is audit().
Wallet::Config::verify_name may now be called with an undefined third
argument (normally the user attempting to create an object). This
calling convention is used when auditing, and the local policy
function should select the correct policy to apply for useful audit
results.
|
|
Heimdal supports retrieving a keytab containing the existing keys over
the kadmin protocol. Move the support for using remctl to retrieve an
existing keytab into Wallet::Kadmin::MIT and provide two separate
methods in the Wallet::Kadmin interface: one which rekeys and one which
doesn't. Implement the non-rekeying interface for Heimdal. Expand the
test suite for the unchanging keytabs to include tests for the Heimdal
method.
|
|
Also update the POD syntax check to the current version of that check
I use elsewhere. Since I'm touching all the POD anyway, also rewrap
all of the POD to 74 columns. Fix some references to MIT in the
Wallet::Kadmin::Heimdal module documentation.
|
|
KEYTAB_KRBTYPE wasn't documented in Wallet::Config. Add it and the
variable declaration. Also document the new mandatory setting in
NEWS and add the Heimdal::Kadm5 requirement to README. Remove some
of the language in README that implies that only MIT Kerberos is
supported.
Make the setting case-insensitive and improve the error message from
Wallet::Kadmin if it isn't set.
|
|
Remove kaserver synchronization support. It is no longer tested, and
retaining the code was increasing the complexity of wallet, and some
specific requirements (such as different realm names between kaserver
and Kerberos v5 and the kvno handling) were Stanford-specific. Rather
than using this support, AFS sites running kaserver will probably find
deploying Heimdal with its internal kaserver compatibility is probably
an easier transition approach.
|
|
|
|
|
|
environment variable WALLET_CONFIG and loads configuration from the
file specified there instead of /etc/wallet/wallet.conf if it is set.
|
|
function in the wallet server configuration file.
|
|
things in that directory as well.
|
|
created by a non-ADMIN user and using the default owner ACL returned
by that function provided that the calling user is authorized by that
ACL. This permits dynamic creation of new objects based on a default
owner ACL programmatically determined from the name of the object.
|
|
NetDB remctl interface.
|
|
and license statements in all files. Make sure that some files that were
missing copyright information now have them. Reference LICENSE rather
than README in all notices.
|
|
if synchronization is not set.
|
|
object implementation, extracting the DES key with Authen::Krb5 (since
ktutil doesn't work).
Rename the KEYTAB_CACHE variable to KEYTAB_REMCTL_CACHE to match the
rest of the keytab retrieval configuration and reorganize the
Wallet::Config documentation to group related configuration options for
the keytab backend.
Fix a column name in the keytab_enctypes table to be more consistent
with the rest of the schema.
|
|
keytabs via remctl from the KDC.
|
|
|
|
|
|
|
|
module which currently doesn't do anything useful except define some
variables so that I can do syntax checking.
|
