From 4c88bc4d11188499909fed9def7fad9c16afb84e Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Sun, 3 Jan 2016 15:53:35 -0800 Subject: Document requirements for the password object Change-Id: Ibff0602d5ff8bf4c625f3970130cce4c8c02720e --- README | 3 +++ 1 file changed, 3 insertions(+) (limited to 'README') diff --git a/README b/README index f21b9ad..d423983 100644 --- a/README +++ b/README @@ -111,6 +111,9 @@ REQUIREMENTS The Duo integration object support in the wallet server requires the Net::Duo Perl module. + The password object support in the wallet server requires the + Crypt::GeneratePassword Perl module. + To support the LDAP attribute ACL verifier, the Authen::SASL and Net::LDAP Perl modules must be installed on the server. This verifier only works with LDAP servers that support GSS-API binds. -- cgit v1.2.3 From cfff765a7a453fdab46a217c2adc48c958fdf739 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Sun, 3 Jan 2016 19:59:11 -0800 Subject: Document the Duo integration requires JSON and Perl6::Slurp Change-Id: I6249d2ea983959bc6c5ec03c2035a271228d4721 --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'README') diff --git a/README b/README index d423983..75b1224 100644 --- a/README +++ b/README @@ -109,7 +109,7 @@ REQUIREMENTS WebAuth Perl module from WebAuth 4.4.0 or later. The Duo integration object support in the wallet server requires the - Net::Duo Perl module. + Net::Duo, JSON, and Perl6::Slurp Perl modules. The password object support in the wallet server requires the Crypt::GeneratePassword Perl module. -- cgit v1.2.3 From 269b5a2cdb9b2f2c65423081f532db42a2ec55e4 Mon Sep 17 00:00:00 2001 
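Review bot: the new README paragraph for the password object names Crypt::GeneratePassword but gives no version, while the neighbouring REQUIREMENTS paragraphs state one where it matters ("WebAuth Perl module from WebAuth 4.4.0 or later"); if the password object code depends on a particular release of Crypt::GeneratePassword, say so here, otherwise the sentence is fine as written.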
From: Russ Allbery Date: Sat, 16 Jan 2016 16:13:03 -0800 Subject: Add documentation of the Active Directory support Also remove some configuration checks that aren't required, and unify handling of some configuration options. --- NEWS | 19 ++++++---- README | 23 ++++++++---- perl/lib/Wallet/Config.pm | 88 +++++++++++++++++++++++++++++++++++++++----- perl/lib/Wallet/Kadmin/AD.pm | 8 ++-- 4 files changed, 108 insertions(+), 30 deletions(-) (limited to 'README') diff --git a/NEWS b/NEWS index aa9cf47..9d5b1a6 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,18 @@ wallet 1.3 (unreleased) + This release adds initial, experimental support for using Active + Directory as the KDC for keytab creation. The interface to Active + Directory uses a combination of direct LDAP queries and the msktutil + utility. This version does not support the wallet unchanging flag. + Unchanging requires that a keytab be retrieved without changing the + password/kvno which is not supported by msktutil. Active Directory + can be selected by setting KEYTAB_KRBTYPE to AD in the wallet + configuration. Multiple other configuration options must also be set; + see Wallet::Config for more information and README for the additional + Perl modules required. Thanks to Bill MacAllister for the + implementation. + A new ACL type, nested (Wallet::ACL::Nested), is now supported. The identifier of this ACL names another ACL, and access is granted if that ACL would grant access. This lets one combine multiple other 
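Review bot: the NEWS paragraph says "Multiple other configuration options must also be set; see Wallet::Config", but this same commit also makes KEYTAB_FILE and KEYTAB_PRINCIPAL unnecessary for the Active Directory backend (the Wallet::Config hunks below). That is a user-visible change for anyone switching backends and is worth one sentence here, for example "KEYTAB_FILE, KEYTAB_PRINCIPAL, KEYTAB_FLAGS and KEYTAB_KADMIN are not used with Active Directory."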
@@ -63,13 +75,6 @@ wallet 1.3 (unreleased) Displays of ACLs and ACL entries are now sorted correctly. - Initial support for using Active Directory as the KDC for keytab - creation. The interface to Active Directory uses a combination of - direct LDAP queries and the msktutil utility. This version does - not support the wallet unchanging flag. Unchanging requires that - a keytab be retrieved without changing the password/kvno which is - not supported by msktutil. - wallet 1.2 (2014-12-08) The duo object type has been split into several sub-types, each for a diff --git a/README b/README index 75b1224..200f0eb 100644 --- a/README +++ b/README @@ -91,12 +91,15 @@ REQUIREMENTS on CPAN for older versions. The keytab support in the wallet server supports either Heimdal or MIT - Kerberos KDCs. The Heimdal support requires the Heimdal::Kadm5 Perl - module. The MIT Kerberos support requires the MIT Kerberos kadmin - client program be installed. In either case, wallet also requires that - the wallet server have a keytab for a principal with appropriate access - to create, modify, and delete principals from the KDC (as configured in - kadm5.acl on an MIT Kerberos KDC). + Kerberos KDCs and has exeprimental support for Active Directory. The + Heimdal support requires the Heimdal::Kadm5 Perl module. The MIT + Kerberos support requires the MIT Kerberos kadmin client program be + installed. The Active Directory support requires the Net::LDAP, + Authen::SASL, and IPC::Run Perl modules and the msktutil client program. + In all cases, wallet also requires that the wallet server have a keytab + for a principal with appropriate access to create, modify, and delete + principals from the KDC (as configured in kadm5.acl on an MIT Kerberos + KDC). To support the unchanging flag on keytab objects with an MIT Kerberos KDC, the Net::Remctl Perl module (shipped with remctl) must be installed 
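Review bot: typo in the README REQUIREMENTS hunk: "has exeprimental support for Active Directory" should read "has experimental support for Active Directory". The rest of the rewritten paragraph reads well; the move of the Active Directory paragraph from the middle of the NEWS entry to its top (the NEWS hunk above) is consistent with the new wording there.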
@@ -339,8 +342,12 @@ THANKS security models. To Jon Robertson for the refactoring of Wallet::Kadmin, Heimdal support, - many of the wallet server-side reports, and the initial wallet-rekey - implementation. + many of the wallet server-side reports, the initial wallet-rekey + implementation, and lots of work on object and ACL types including + nested ACLs. + + To Bill MacAllister for Wallet::Kadmin::AD and the implementation of + keytab object types backed by Active Directory. LICENSE diff --git a/perl/lib/Wallet/Config.pm b/perl/lib/Wallet/Config.pm index e8bc00c..f4ebc0f 100644 --- a/perl/lib/Wallet/Config.pm +++ b/perl/lib/Wallet/Config.pm @@ -319,7 +319,8 @@ modify, inspect, and delete any principals that should be managed by the wallet. (In MIT Kerberos F parlance, this is C privileges.) -KEYTAB_FILE must be set to use keytab objects. +KEYTAB_FILE must be set to use keytab objects with any backend other than +Active Directory. =cut @@ -336,16 +337,18 @@ is generally pointless and may interact poorly with the way C works when third-party add-ons for password strength checking are used.) +This option is ignored when using Active Directory. + =cut our $KEYTAB_FLAGS = '-clearpolicy'; =item KEYTAB_HOST -Specifies the host on which the kadmin service is running. This setting -overrides the C setting in the [realms] section of -F and any DNS SRV records and allows the wallet to run on a -system that doesn't have a Kerberos configuration for the wallet's realm. +Specifies the host on which the kadmin or Active Directory service is running. +This setting overrides the C setting in the [realms] section of +F and any DNS SRV records and allows the wallet to run on a system +that doesn't have a Kerberos configuration for the wallet's realm. =cut 
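Review bot: the KEYTAB_HOST documentation hunk now says "the kadmin or Active Directory service" but still describes only the kadmin semantics (overriding the [realms] setting and DNS SRV records) and never says the option is mandatory for Active Directory, yet the Wallet::Kadmin::AD hunk in this same commit dies with "keytab object implementation not configured" when KEYTAB_HOST is undefined. Add a sentence along the lines of "KEYTAB_HOST must be set when using Active Directory" and state what host it names in that case (the domain controller contacted by msktutil and the LDAP queries, if that is the intent).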
@@ -357,13 +360,15 @@ The path to the B command-line client. The default value is C, which will cause the wallet to search for B on its default PATH. +This option is ignored when using Active Directory. + =cut our $KEYTAB_KADMIN = 'kadmin'; =item KEYTAB_KRBTYPE -The Kerberos KDC implementation type, either C or C +The Kerberos KDC implementation type, chosen from C, C, or C (case-insensitive). KEYTAB_KRBTYPE must be set to use keytab objects. =cut @@ -375,9 +380,9 @@ our $KEYTAB_KRBTYPE; The principal whose key is stored in KEYTAB_FILE. The wallet will authenticate as this principal to the kadmin service. -KEYTAB_PRINCIPAL must be set to use keytab objects, at least until -B is smart enough to use the first principal found in the keytab -it's using for authentication. +KEYTAB_PRINCIPAL must be set to use keytab objects unless Active Directory is +the backend, at least until B is smart enough to use the first +principal found in the keytab it's using for authentication. =cut @@ -391,7 +396,7 @@ installation and the keytab object names are stored without realm. KEYTAB_REALM is added when talking to the KDC via B. KEYTAB_REALM must be set to use keytab objects. C doesn't always -default to the local realm. +default to the local realm and the Active Directory integration requires it. =cut 
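Review bot: in the KEYTAB_PRINCIPAL hunk the new sentence folds the Active Directory exemption into the old "at least until kadmin is smart enough to use the first principal found in the keytab" caveat, so the caveat now reads as if it applied to Active Directory as well. Suggest two sentences: keep the original caveat for the kadmin backends and add "KEYTAB_PRINCIPAL is not used by the Active Directory backend." The same split would suit the KEYTAB_REALM hunk, where "and the Active Directory integration requires it" is tacked onto a sentence about kadmin defaults.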
@@ -414,6 +419,69 @@ our $KEYTAB_TMP; =back +The following parameters are specific to generating keytabs from Active +Directory (KEYTAB_KRBTYPE is set to C). + +=over 4 + +=item AD_CACHE + +Specifies the ticket cache to use when manipulating Active Directory objects. +The ticket cache must be for a principal able to bind to Active Directory and +run B. + +AD_CACHE must be set to use Active Directory support. + +=cut + +our $AD_CACHE; + +=item AD_COMPUTER_DN + +The LDAP base DN for computer objects inside Active Directory. All keytabs of +the form host/ will be mapped to objects with a C of +the portion under this DN. + +AD_COMPUTER_DN must be set if using Active Directory as the keytab backend. + +=cut + +our $AD_COMPUTER_DN; + +=item AD_DEBUG + +If set to true, asks for some additional debugging information, such as the +B command, to be logged to syslog. These debugging messages will be +logged to the C facility. + +=cut + +our $AD_DEBUG = 0; + +=item AD_MSKTUTIL + +The path to the B command-line client. The default value is +C, which will cause the wallet to search for B on its +default PATH. + +=cut + +our $AD_MSKTUTIL = 'msktutil'; + +=item AD_USER_DN + +The LDAP base DN for user objects inside Active Directory. All keytabs of the +form service/ will be mapped to objects with a C +matching the wallet object name under this DN. + +AD_USER_DN must be set if using Active Directory as the keytab backend. + +=cut + +our $AD_USER_DN; + +=back + =head2 Retrieving Existing Keytabs Heimdal provides the choice, over the network protocol, of either diff --git a/perl/lib/Wallet/Kadmin/AD.pm b/perl/lib/Wallet/Kadmin/AD.pm index 4efc643..97bf2bf 100644 --- a/perl/lib/Wallet/Kadmin/AD.pm +++ b/perl/lib/Wallet/Kadmin/AD.pm 
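Review bot: the AD_CACHE documentation should say who obtains and renews the credentials in that ticket cache. With the kadmin backends the wallet authenticates itself from KEYTAB_FILE and KEYTAB_PRINCIPAL, but this commit makes both optional for Active Directory, so an expired or missing cache will make every msktutil call and LDAP bind fail with no hint in this text. State that the cache must be kept valid by an external process and that it should be readable only by the wallet server user, since it holds credentials able to bind to Active Directory and create or modify computer and user objects. For AD_DEBUG, the sentence "such as the msktutil command" should make clear that the full command line is logged, so administrators know exactly what ends up in syslog when they enable it.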
@@ -130,16 +130,14 @@ sub get_ad_keytab { # that error output. sub msktutil { my ($self, $args_ref) = @_; - unless (defined($Wallet::Config::KEYTAB_PRINCIPAL) - and defined($Wallet::Config::KEYTAB_FILE) + unless (defined($Wallet::Config::KEYTAB_HOST) and defined($Wallet::Config::KEYTAB_REALM)) { die "keytab object implementation not configured\n"; } - unless (defined($Wallet::Config::AD_SERVER) + unless (defined($Wallet::Config::AD_CACHE) and defined($Wallet::Config::AD_COMPUTER_DN) - and defined($Wallet::Config::AD_USER_DN) - and defined($Wallet::Config::AD_KEYTAB_BUCKET)) + and defined($Wallet::Config::AD_USER_DN)) { die "Active Directory support not configured\n"; } -- cgit v1.2.3 From 22f5cf990ab74632950ae8ed986c8f89a7837e6e Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Sun, 17 Jan 2016 16:59:47 -0800 Subject: Release 1.3 --- LICENSE | 27 +++++++++++++++------------ NEWS | 2 +- README | 12 +++++++----- configure.ac | 3 ++- 4 files changed, 25 insertions(+), 19 deletions(-) (limited to 'README') diff --git a/LICENSE b/LICENSE index 8fdc976..d8b59a1 100644 --- a/LICENSE +++ b/LICENSE 
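Review bot: the reworked checks in msktutil() drop AD_SERVER and AD_KEYTAB_BUCKET from the guard; confirm that nothing else in Wallet::Kadmin::AD still reads those variables, since the guard no longer protects such uses and the Wallet::Config hunks in this commit document neither of them. Both die messages are also generic ("keytab object implementation not configured", "Active Directory support not configured"); with five options now required between the two checks, naming the missing variable in the message would spare administrators a round of guessing.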
@@ -10,23 +10,25 @@ Copyright: 2006-2010, 2012-2013 License: Expat Files: * -Copyright: 2000-2002, 2004-2014 Russ Allbery - 2001-2014 The Board of Trustees of the Leland Stanford Junior University +Copyright: 2000-2002, 2004-2016 Russ Allbery + 2001-2015 The Board of Trustees of the Leland Stanford Junior University + 2015 Dropbox, Inc. License: Expat Files: Makefile.in -Copyright: 1994-2013 Free Software Foundation, Inc. +Copyright: 1994-2014 Free Software Foundation, Inc. 2006-2008, 2010, 2013-2014 The Board of Trustees of the Leland Stanford Junior University + 2016 Russ Allbery License: FSF-unlimited and Expat Files: aclocal.m4 -Copyright: 1996-2013 Free Software Foundation, Inc. +Copyright: 1996-2015 Free Software Foundation, Inc. License: FSF-unlimited Files: build-aux/ar-lib build-aux/compile build-aux/depcomp build-aux/missing -Copyright: 1996-2013 Free Software Foundation, Inc. +Copyright: 1996-2014 Free Software Foundation, Inc. License: GPL-2+ with Autoconf exception or Expat Files: build-aux/install-sh @@ -62,7 +64,7 @@ Files: client/wallet-rekey.1 client/wallet-rekey.pod client/wallet.1 docs/stanford-naming perl/t/data/README tests/HOWTO tests/config/README Copyright: 2006-2014 The Board of Trustees of the Leland Stanford Junior University - 2010 Russ Allbery + 2010, 2016 Russ Allbery License: all-permissive Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and 
@@ -75,10 +77,12 @@ License: FSF-configure This script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. -Files: m4/gssapi.m4 m4/krb5-config.m4 m4/krb5.m4 m4/lib-depends.m4 - m4/lib-pathname.m4 m4/remctl.m4 m4/snprintf.m4 m4/vamacros.m4 +Files: m4/clang.m4 m4/gssapi.m4 m4/krb5-config.m4 m4/krb5.m4 + m4/lib-depends.m4 m4/lib-pathname.m4 m4/remctl.m4 m4/snprintf.m4 + m4/vamacros.m4 Copyright: 2005-2014 The Board of Trustees of the Leland Stanford Junior University + 2015 Russ Allbery License: unlimited This file is free software; the authors give unlimited permission to copy and/or distribute it, with or without modifications, as long as this @@ -87,10 +91,8 @@ License: unlimited Files: portable/asprintf.c portable/dummy.c portable/krb5-extra.c portable/krb5.h portable/macros.h portable/mkstemp.c portable/reallocarray.c portable/setenv.c portable/stdbool.h - portable/strlcat.c portable/strlcpy.c portable/system.h portable/uio.h - tests/portable/asprintf-t.c tests/portable/mkstemp-t.c - tests/portable/setenv-t.c tests/portable/strlcat-t.c - tests/portable/strlcpy-t.c util/macros.h + portable/system.h portable/uio.h tests/portable/asprintf-t.c + tests/portable/mkstemp-t.c tests/portable/setenv-t.c util/macros.h Copyright: no copyright notice, see License License: rra-public-domain The authors hereby relinquish any claim to any copyright that they may @@ -116,6 +118,7 @@ Copyright: 1991, 1994-2003 The Internet Software Consortium and Rich Salz 2004-2006 Internet Systems Consortium, Inc. 2008-2010, 2012-2014 The Board of Trustees of the Leland Stanford Junior University + 2015 Russ Allbery License: ISC Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above diff --git a/NEWS b/NEWS index e493200..e299bc1 100644 --- a/NEWS +++ b/NEWS 
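Review bot: the rra-public-domain hunk removes portable/strlcat.c, portable/strlcpy.c, tests/portable/strlcat-t.c and tests/portable/strlcpy-t.c from the file list, and the m4 hunk adds m4/clang.m4; make sure the removed files are really gone from the tree and the build (Makefile.am and configure.ac) in this release, otherwise LICENSE no longer covers files that are still shipped, and that m4/clang.m4 carries the copyright years this entry now claims for it.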
@@ -1,6 +1,6 @@ User-Visible wallet Changes -wallet 1.3 (unreleased) +wallet 1.3 (2016-01-17) This release adds initial, experimental support for using Active Directory as the KDC for keytab creation. The interface to Active diff --git a/README b/README index 200f0eb..9dcd711 100644 --- a/README +++ b/README @@ -1,12 +1,13 @@ - wallet release 1.2 + wallet release 1.3 (secure data management system) Written by Russ Allbery - Copyright 2006, 2007, 2008, 2009, 2010, 2012, 2013, 2014 The Board of - Trustees of the Leland Stanford Junior University. This software is - distributed under a BSD-style license. Please see the section LICENSE - below for more information. + Copyright 2014, 2016 Russ Allbery . Copyright 2006, + 2007, 2008, 2009, 2010, 2012, 2013, 2014 The Board of Trustees of the + Leland Stanford Junior University. This software is distributed under a + BSD-style license. Please see the section LICENSE below for more + information. BLURB @@ -354,6 +355,7 @@ LICENSE The wallet distribution as a whole is covered by the following copyright statement and license: + Copyright 2014, 2016 Russ Allbery Copyright 2006, 2007, 2008, 2009, 2010, 2012, 2013, 2014 The Board of Trustees of the Leland Stanford Junior University diff --git a/configure.ac b/configure.ac index 6b177a3..4f56eb0 100644 --- a/configure.ac +++ b/configure.ac @@ -1,13 +1,14 @@ dnl Autoconf configuration for wallet. dnl dnl Written by Russ Allbery +dnl Copyright 2014, 2016 Russ Allbery dnl Copyright 2006, 2007, 2008, 2010, 2013, 2014 dnl The Board of Trustees of the Leland Stanford Junior University dnl dnl See LICENSE for licensing terms. AC_PREREQ([2.64]) -AC_INIT([wallet], [1.2], [eagle@eyrie.org]) +AC_INIT([wallet], [1.3], [eagle@eyrie.org]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_LIBOBJ_DIR([portable]) AC_CONFIG_MACRO_DIR([m4]) -- cgit v1.2.3