From 2393ffbc3c52c6552e00212d5209d6b870a55d4e Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 15 Nov 2007 05:42:29 +0000
Subject: Add an ACL verifier that checks access against NetDB roles using the NetDB remctl interface.
---
 perl/Wallet/Config.pm | 74 ++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 71 insertions(+), 3 deletions(-)
(limited to 'perl/Wallet/Config.pm')
diff --git a/perl/Wallet/Config.pm b/perl/Wallet/Config.pm
index 1b36658..3bd2055 100644
--- a/perl/Wallet/Config.pm
+++ b/perl/Wallet/Config.pm
@@ -281,14 +281,15 @@ retrieve> via remctl on KEYTAB_REMCTL_HOST.
 =cut
-our $KEYTAB_CACHE;
+our $KEYTAB_REMCTL_CACHE;
 =item KEYTAB_REMCTL_HOST
 The host to which to connect with remctl to retrieve existing keytabs. This is only used to implement support for the C flag. This host
-must provide the C command and KEYTAB_CACHE must also be
-set to a ticket cache for a principal with access to run that command.
+must provide the C command and KEYTAB_REMCTL_CACHE must
+also be set to a ticket cache for a principal with access to run that
+command.
 =cut
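Review bot: The rename of `$KEYTAB_CACHE` to `$KEYTAB_REMCTL_CACHE` in this hunk has no compatibility path for existing configuration files, and the commit message does not mention it. Since the configuration file is loaded after these declarations to override them (per the comment at the end of the second hunk), an old file that still assigns `$Wallet::Config::KEYTAB_CACHE` sets an unused global with no error, and the remctl keytab retrieval it was meant to authenticate then runs with the new variable unset; an unqualified assignment under `use strict` would die instead, which is at least loud. Consider keeping the old name as an alias of the new scalar for one release, `*KEYTAB_CACHE = \$KEYTAB_REMCTL_CACHE;   # deprecated alias for KEYTAB_REMCTL_CACHE`, and noting the rename in the POD and the commit message so deployments do not silently lose their credential setting.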
@@ -397,6 +398,73 @@ our $KEYTAB_AFS_SRVTAB;
 =back
+=head1 NETDB ACL CONFIGURATION
+
+These configuration variables are only needed if you intend to use the
+C ACL type (the Wallet::ACL::NetDB class). They specify the remctl
+connection information for retrieving user roles from NetDB and the local
+realm to remove from principals (since NetDB normally expects unscoped local
+usernames).
+
+=over 4
+
+=item NETDB_REALM
+
+The wallet uses fully-qualified principal names (including the realm), but
+NetDB normally expects local usernames without the realm. If this variable
+is set, the given realm will be stripped from any principal names before
+passing them to NetDB. Principals in other realms will be passed to NetDB
+without modification.
+
+=cut
+
+our $NETDB_REALM;
+
+=item NETDB_REMCTL_CACHE
+
+Specifies the ticket cache to use when querying the NetDB remctl interface
+for user roles. The ticket cache must be for a principal with access to run
+C via remctl on KEYTAB_REMCTL_HOST. This variable must be
+set to use NetDB ACLs.
+
+=cut
+
+our $NETDB_REMCTL_CACHE;
+
+=item NETDB_REMCTL_HOST
+
+The host to which to connect with remctl to query NetDB for user roles.
+This host must provide the C command and
+NETDB_REMCTL_CACHE must also be set to a ticket cache for a principal with
+access to run that command. This variable must be set to use NetDB ACLs.
+
+=cut
+
+our $NETDB_REMCTL_HOST;
+
+=item NETDB_REMCTL_PRINCIPAL
+
+The service principal to which to authenticate when querying NetDB for user
+roles. If this variable is not set, the default is formed by prepending
+C to NETDB_REMCTL_HOST. (Note that NETDB_REMCTL_HOST is not
+lowercased first.)
+
+=cut
+
+our $NETDB_REMCTL_PRINCIPAL;
+
+=item NETDB_REMCTL_PORT
+
+The port on NETDB_REMCTL_HOST to which to connect with remctl to query NetDB
+for user roles. If this variable is not set, the default remctl port will
+be used.
+
+=cut
+
+our $NETDB_REMCTL_PORT;
+
+=back
+
 =cut
 # Now, load the configuration file so that it can override the defaults.
-- cgit v1.2.3
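Review bot: The NETDB_REMCTL_CACHE entry says the cache principal needs access to run the role query "via remctl on KEYTAB_REMCTL_HOST", while the NETDB_REMCTL_HOST entry two items later says the NetDB query is sent to NETDB_REMCTL_HOST; the first looks like a copy/paste from the keytab section and would lead an operator to grant the remctl ACL on the wrong server, so that line should read `via remctl on NETDB_REMCTL_HOST. This variable must be`. Separately, the NETDB_REALM text documents that principals in other realms are passed to NetDB unmodified, which means a principal in a foreign realm is looked up as-is; whether such a lookup can be confused with a local NetDB username is decided by Wallet::ACL::NetDB, which is not in this diff, so a sentence here stating explicitly that only NETDB_REALM principals are mapped to local users (and that others are expected not to match) would make the intended trust boundary clear to whoever configures it. Both NETDB_REMCTL_CACHE and NETDB_REMCTL_HOST are documented as required, but nothing in this hunk enforces that; presumably the ACL class checks them, and the POD could say what happens when they are unset.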