From e0f6e1222ede4a7545ca995a8aacaae0b591cb9c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 27 Sep 2007 03:22:46 +0000 Subject: Initial cut at srvtab support in the wallet client. This still requires additional work and cleanup, particularly support for the sync attribute. --- server/wallet-backend | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) (limited to 'server/wallet-backend') diff --git a/server/wallet-backend b/server/wallet-backend index 2ab3daf..b6c0dfb 100755 --- a/server/wallet-backend +++ b/server/wallet-backend @@ -238,6 +238,8 @@ object that change data except the C commands, nor can the C command be used on that object. C, C, and C or C without an argument can still be used on that object. +For more information on attributes, see L. + =over 4 =item acl add @@ -359,8 +361,6 @@ particular object type, and must be an attribute type known to the underlying object implementation. To clear the attribute for this object, pass in a of the empty string (C<''>). -Currently, no object attributes are implemented. - =item show Displays the current object metadata for the object identified by 
@@ -381,6 +381,41 @@ will be lifted in the future. =back +=head1 ATTRIBUTES + +Object attributes store additional properties and configuration +information for objects stored in the wallet. They are displayed as part +of the object data with C, retrieved with C, and set with +C. + +=head1 Keytab Attributes + +Keytab objects support the following attributes: + +=over 4 + +=item sync + +Sets the external systems to which the key of a given principal is +synchronized. The only supported value for this attribute is C, +which says to synchronize the key with an AFS Kerberos v4 kaserver. + +If this attribute is set on a keytab, whenever the C command is run for +that keytab, the DES key will be extracted from that keytab and set in the +configured AFS kaserver. The Kerberos v4 principal name will be the same as +the Kerberos v5 principal name except that the components are separated by +C<.> instead of C; the second component is truncated after the first C<.> +if the first component is one of C, C, C, C, or +C; and the first component is C if the Kerberos v5 principal +component is C. The principal name must not contain more than two +components. + +If this attribute is set, calling C will also destroy the +principal from the AFS kaserver, with a principal mapping determined as +above. + +=back + =head1 SEE ALSO Wallet::Server(3), remctld(8) -- cgit v1.2.3
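Review bot: In the @@ -359,8 +361,6 @@ hunk, dropping "Currently, no object attributes are implemented." leaves this item with no pointer to where the supported attributes are now listed. The only cross-reference is the one added in the @@ -238,6 +238,8 @@ hunk, ahead of the command list. The item still says the attribute "must be an attribute type known to the underlying object implementation", so a reader checking which names are valid will look here. Suggest replacing the removed sentence with a reference to the new ATTRIBUTES section rather than deleting it outright.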
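Review bot: In the @@ -381,6 +381,41 @@ hunk, the sync item describes synchronization as working behaviour ("the DES key will be extracted from that keytab and set in the configured AFS kaserver"), but the commit message says support for the sync attribute still requires additional work. Suggest marking the item as not yet complete until that lands, so nobody relies on kaserver keys being updated or destroyed when they are not. The text also leaves the failure cases open: it does not say what happens when the keytab contains no DES key, or when the principal violates "The principal name must not contain more than two components". State whether the command fails or only the sync step is skipped, since a silent skip leaves the Kerberos v5 key and the kaserver key out of step. Style point: "=head1 Keytab Attributes" sits at the same level as "=head1 ATTRIBUTES" and uses mixed case where the other top-level headings are upper case; =head2 would nest it under ATTRIBUTES.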