From 766ba9295705be7c91593b6e7ce5db66bf88d453 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Tue, 25 Sep 2007 20:57:06 +0000
Subject: Add support for synchronizing a key with an AFS kaserver in the keytab object implementation, extracting the DES key with Authen::Krb5 (since ktutil doesn't work). Rename the KEYTAB_CACHE variable to KEYTAB_REMCTL_CACHE to match the rest of the keytab retrieval configuration and reorganize the Wallet::Config documentation to group related configuration options for the keytab backend. Fix a column name in the keytab_enctypes table to be more consistent with the rest of the schema.
---
 perl/Wallet/Schema.pm | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
(limited to 'perl/Wallet/Schema.pm')
diff --git a/perl/Wallet/Schema.pm b/perl/Wallet/Schema.pm
index d856433..352f497 100644
--- a/perl/Wallet/Schema.pm
+++ b/perl/Wallet/Schema.pm
@@ -322,7 +322,25 @@ oh_by stores the authenticated identity that made the change,
 oh_from stores the host from which they made the change, and
 oh_on stores the time the change was made.
 
-=head2 Storage Backend Data
+=head2 Keytab Backend Data
+
+The keytab backend supports synchronizing keys with an external system. The
+permitted external systems are listed in a normalization table:
+
+ create table sync_targets
+ (st_name varchar(255) primary key);
+ insert into sync_targets (st_name) values ('kaserver');
+
+and then the synchronization targets for a given keytab are stored in this
+table:
+
+ create table keytab_sync
+ (ks_name varchar(255)
+ not null references objects(ob_name),
+ ks_target varchar(255)
+ not null references sync_targets(st_name),
+ primary key (ks_name, ks_target));
+ create index ks_name on keytab_sync (ks_name);
 
 The keytab backend supports restricting the allowable enctypes for a given
 keytab. The permitted enctypes are listed in a normalization table:
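Review bot: Neither foreign key in the new `keytab_sync` table says what should happen when the referenced keytab object is deleted, so unless the object deletion path removes these rows itself, a stale `(name, 'kaserver')` row survives and silently re-enables kaserver synchronization for any object later re-created under the same name. I would make the intent explicit with `not null references objects(ob_name) on delete cascade,` (or state in the surrounding text that the backend deletes the rows itself), keeping in mind that whether the constraint is enforced at all depends on the database engine in use. The `create index ks_name on keytab_sync (ks_name);` line is redundant, since `ks_name` is the leading column of the primary key and that index already serves lookups by object name; it mirrors the existing `ke_name` index, so either drop it or keep it as a deliberate consistency choice. Because the commit message says the kaserver target works by extracting the DES key, the paragraph introducing the table should also say that a keytab with a `kaserver` target must have a single-DES key, so any restriction recorded for that object in `keytab_enctypes` has to still permit one.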
@@ -333,12 +351,12 @@ keytab. The permitted enctypes are listed in a normalization table:
 and then the restrictions for a given keytab are stored in this table:
 
  create table keytab_enctypes
- (ke_principal varchar(255)
+ (ke_name varchar(255)
  not null references objects(ob_name),
  ke_enctype varchar(255)
  not null references enctypes(en_name),
- primary key (ke_principal, ke_enctype));
- create index ke_principal on keytab_enctypes (ke_principal);
+ primary key (ke_name, ke_enctype));
+ create index ke_name on keytab_enctypes (ke_name);
 
 To use this functionality, you will need to populate the enctypes table with
 the enctypes that a keytab may be restricted to. Currently, there is no
-- cgit v1.2.3