Age | Commit message (Collapse) | Author |
|
|
|
|
|
It turns out that the length limitations apply to all keytabs, not
just service keytabs. This change creates unique ids for hostnames
that exceed the AD length limit.
|
|
The account name for a service keytab cannot exceed 20 characters.
The routine that was generating a unique id incorrectly attempted to
perform an LDAP query. This change fixes that problem.
|
|
The account name for a service keytab cannot exceed 20 characters.
The routine that was generating a unique id incorrectly attempted to
perform an LDAP query. This change fixes that problem.
|
|
* Make sure userPrincipalName is created for all keytabs and use it to
search for entries in AD.
* Allow the creation of any service principal. This requires making
sure that the cn used to create AD entries for service accounts not
be any longer than 20 characters.
|
|
Correct a variable reference that was causing AD keytab creation to
fail. Update the debugging for shell command execution that makes
debugging more robust and highlights problems.
|
|
* This ad-keytab is useful in the initial setup of AD as a keytab
store for wallet.
* Change configuration variables to correctly reflect that some values
are relative distinguished names.
* Add a configuration variable for the base distinguished name for
ActiveDirectory.
|
|
with multiple enctypes specified, only the last one will actually take effect. If you wish to provide support for more than one, you need to add the values (0x04 + 0x08 + 0x10 = 0x1C).
replacing the 3 lines with one line to enable all three. Note that the keytabs generated will have 3 lines for each principal (one for each enctype).
See msktutil man page for further details on enctypes.
|
|
|
|
The versions of all of the wallet Perl modules now match the overall
package version except for Wallet::Schema, which is used to version
the database schema.
Import the test from rra-c-util 5.10 and exclude Wallet::Schema from
the tests.
Go through all Perl modules and standardize the syntax for setting the
version and indicating the required version of Perl. Fix a few other
syntax issues while I'm in there.
|
|
|
|
Also remove some configuration checks that aren't required, and
unify handling of some configuration options.
|
|
Conflicts:
NEWS
|
|
Failed kadmin commands were deleting the wallet database in the
test suite due to an END block in the test programs. Use _exit
to avoid this.
|
|
|
|
The msktutil script does not always signal error conditions. This
change implements a check that examines the output from msktutil
and reports an error when the keytab creation fails to create
the keytab but does create a computer entry in the directory. If
an error is detected the directory entry is deleted, leaving the
directory in a clean state.
Also, support has been added for output of debugging information
to syslog using the AD_DEBUG configuration variable.
Finally perltidy suggested changes were made to AD.pm.
|
|
This version implements Active Directory as the store for keytabs.
The interface to Active Directory uses a combination of direct LDAP
queries and the msktutil utility. This version does not support the
wallet unchanging flag. Unchanging requires that a keytab be
retrieved without changing the password/kvno which is not supported by
msktutil.
|
|
Fix strictness issues across the whole code base, and ensure that
all Perl scripts enable warnings. (Hopefully enabling warnings
won't cause problems for the server.)
Change-Id: I4dee49f7a6bcbeeee21d74bf61a1fd26514f832c
Reviewed-on: https://gerrit.stanford.edu/1532
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
The wallet server now requires Perl 5.8 or later (instead of 5.006 in
previous versions) and is now built with Module::Build instead of
ExtUtils::MakeMaker. This should be transparent to anyone not working
with the source code, since Perl 5.8 was released in 2002, but
Module::Build is now required to build the wallet server. It is
included in some versions of Perl, or can be installed separately from
CPAN, distribution packages, or other sources.
Also reorganize the test suite to use subdirectories.
Change-Id: Id06120ba2bad1ebbfee3d8a48ca2f25869463165
Reviewed-on: https://gerrit.stanford.edu/1530
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|