| Age | Commit message (Collapse) | Author |
|---|
|
Change-Id: I06dd9ecca19315179bdd34d4b301548fe7604331
Reviewed-on: https://gerrit.stanford.edu/842
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Fix a formatting error in Wallet::ACL::LDAP::Attribute and add new
stopwords required by the latest aspell.
|
|
Do this only in the main text, not in the SEE ALSO section, since the
latter is more for conventional man pages. This will produce better
results for some POD to HTML converters (although not mine, yet).
|
|
Change the API for keytab_rekey to match keytab, returning the keytab
as data instead of writing it to a file. This simplifies the wallet
object implementation and moves the logic for reading the temporary
file into Wallet::Kadmin and its child classes. (Eventually, there may
be a kadmin backend that doesn't require using a temporary file.)
Setting KEYTAB_TMP is now required to instantiate either the ::MIT or
::Heimdal Wallet::Kadmin classes.
|
|
Heimdal supports retrieving a keytab containing the existing keys over
the kadmin protocol. Move the support for using remctl to retrieve an
existing keytab into Wallet::Kadmin::MIT and provide two separate
methods in the Wallet::Kadmin interface: one which rekeys and one which
doesn't. Implement the non-rekeying interface for Heimdal. Expand the
test suite for the unchanging keytabs to include tests for the Heimdal
method.
|
|
Now that we support multiple versions of Kerberos, use generic names
for the functions in the Wallet::Kadmin interface rather than the
commands from the MIT kadmin interface.
|
|
Rather than duplicating the API documentation in both ::Heimdal and
::MIT, move it into Wallet::Kadmin and just reference that from the
subclasses. Add documentation for exists(), since that's part of the
public API. Move a few methods around and fix a few other minor
documentation differences.
|
|
Remove the separate kadmin_client method by combining it with the
constructor, since that was the only place it was called.
|
|
Take advantage of inheritance by providing the error method in
Wallet::Kadmin rather than separately in both the subclasses.
|
|
Only call fork_callback in Wallet::Kadmin::MIT if it's set, allowing
the module to work without setting it.
|
|
Move the stub fork_callback method into Wallet::Kadmin and make both
Wallet::Kadmin::Heimdal and Wallet::Kadmin::MIT inherit from
Wallet::Kadmin. Add POD documentation for fork_callback.
|
|
Also update the POD syntax check to the current version of that check
I use elsewhere. Since I'm touching all the POD anyway, also rewrap
all of the POD to 74 columns. Fix some references to MIT in the
Wallet::Kadmin::Heimdal module documentation.
|
|
Heimdal requires the full name and doesn't support the short name that
MIT has as an alias. Change the documentation to use the long name
uniformly.
|
|
All the Wallet::Kadmin::Heimdal functions were canonicalizing principals
using duplicate code, and that code assumed that all principal names
would be unqualified. Centralize that code in one helper routine and
support already-qualified principals so that we can use these functions
easily from the test suite.
|
|
If there is no kadmin host set in the configuration, it's supposed to
fall back on the krb5.conf setting, not hard-code localhost.
|
|
Introduced accidentally during the coding style cleanup.
|
|
Combine a long series of eval blocks into a single block and a single
error check. Remove trailing whitespace, and in some cases remove
trailing () on method calls where the parens aren't useful.
|
|
The MIT kadmin module currently directly runs the MIT kadmin program. Some
data needs to be cleaned during the forks for this. This provides a
callback that can be registered and is called during the fork process,
currently just to mark database handles inactive. It was added to both the
MIT and Heimdal modules, though it's only a stub in the Heimdal module.
Heimdal is not forking kadmin, but the stub is there in order to allow the
caller to not care which module is being used and just always register the
callbacks.
|
|
Improved error handling by adding an error function to the Kadmin sub-modules
which will copy errors down to the Wallet::Object::Keytab error function
rather than relying on too many dies and evals. There still needs to be more
cleanup here, but that will rely on work on Heimdal::Kadm5 as well, to clean
up its own error handling to not spam warnings when called without RaiseError.
Also caught a few more un-evaled error cases where Heimdal::Kadm5 was called,
and fixed an error where RaiseErrors was being set rather than RaiseError due
to an error in Heimdal::Kadm5 docs.
|
|
valid_principal has been removed from Wallet::Kadmin and
Wallet::Kadmin::Heimdal. An accessor for it in Wallet::Object::Keytab
has also been removed, as have the tests in perl/t/keytab.t for the
function. It still remains within Wallet::Kadmin::MIT and is used there,
but only as a private method for flagging what the kadmin command-line
interface cannot handle.
|
|
Strip trailing whitespace, convert tabs to spaces, add newlines to
exceptions, and remove a few stray blank lines and a few other minor
coding style oddities. Make the SQL style consistent.
|
|
randKeyPrincipal was added to the keytab file creation process, in order
to reset a principal to first have all possible enctypes. There is no
way for us to specify that we only want a specific number of fresh enctypes,
so we must reset to have all enctypes first, and then pare down from there
each time we create the keytab.
|
|
* Fixed keytab existence check to avoid failures when called by a principal
with permissions only on specific principals.
* Better error cases for non-existant keytabs in several places.
* Skipped limiting keytabs to certain enctypes when no enctypes are given.
|
|
Added support for Heimdal as an alternative to MIT Kerberos. This involved
separating out the kadmin-specific code into its own set of modules, and
changing the existing Wallet::Object::Keytab code to branch based on
which module is loaded.
|
