User-Visible krb5-sync Changes
-krb5-sync 2.4 (unreleased)
+krb5-sync 3.0 (unreleased)
+
+ The meaning of the ad_ldap_base configuration option has changed, and
+ it's now mandatory for status synchronization. This setting should
+ now contain the full DN of the tree in Active Directory where account
+ information is stored (such as cn=Accounts,dc=example,dc=com).
+ Previously, the dc components should be omitted and were derived from
+ the realm; this is no longer done. If this configuration option is
+ not set, principal status will not be synchronized to Active
+ Directory.
Drop support for MIT Kerberos versions prior to 1.9. All major
distributions are now shipping with a newer version of MIT Kerberos
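Review bot: the upgrade impact should be spelled out in this entry: an existing value in the old form (such as the `ou=People` that the README example used) is no longer completed with the dc components, so it is handed to LDAP verbatim and status searches will fail until the administrator appends the dc part to their configuration. Also, "Previously, the dc components should be omitted" reads better as "Previously, the dc components had to be omitted".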
ad_principal = service/sync@WINDOWS.EXAMPLE.COM
ad_realm = WINDOWS.EXAMPLE.COM
ad_admin_server = dc1.windows.example.com
- ad_ldap_base = ou=People
+ ad_ldap_base = ou=People,dc=windows,dc=example,dc=com
ad_instances = root ipass
ad_base_instance = windows
ad_queue_only = false
principal. In other words, it's not possible to have multiple
configurations based on the realm of the principal affected.
- The ad_keytab option specifies the location of a srvtab or keytab for
+ The ad_keytab option specifies the location of a keytab for
authenticating to the other realm, the ad_principal option specifies the
principal to authenticate as (using the key in the srvtab or keytab),
- and the ad_realm option specifies the foreign realm. ad_admin_server is
- the host to contact via LDAP to push account status changes.
- ad_ldap_base specifies the base tree inside Active Directory where
- account information is stored. Omit the trailing "dc=" part; it will be
- added automatically from ad_realm. The default is "dc=Accounts".
+ and the ad_realm option specifies the foreign realm. These options must
+ be set.
+
+ ad_admin_server is the host to contact via LDAP to push account status
+ changes. ad_ldap_base specifies the root of the tree inside Active
+ Directory where account information is stored. These options must be
+ set in order to synchronize status changes, but can be omitted to only
+ synchronize passwords.
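Review bot: the unchanged line `principal to authenticate as (using the key in the srvtab or keytab),` still mentions srvtab, while the line just above drops "srvtab or" from the ad_keytab description; update it to "using the key in the keytab" so the README does not half-describe a format this change removes.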
The ad_instances option specifies which instances have passwords and
- account status propagated to that environment. By default, all
- principals with non-empty instances are not propagated. You can list a
- specific set of instances (space-separated) which are propagated to the
- AD environment. The ad_instances option is only used by the plugin and
- is not used by the command-line utility. Any principals passed to the
- command-line utility will be acted on, even if they have non-empty
- instances.
+ account status propagated to that environment. By default, only
+ principals no instances (single-part principals) are propagated. You
+ can list a specific set of instances (space-separated), which will then
+ also be propagated to Active Directory. The ad_instances option is only
+ used by the plugin and is not used by the command-line utility. Any
+ principals passed to the command-line utility will be acted on, even if
+ they have non-empty instances.
If ad_base_instance is set, then any password change for a
single-component principal (such as user@EXAMPLE.COM) will be handled
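Review bot: typo in `+ principals no instances (single-part principals) are propagated.`; it should read "only principals with no instances (single-part principals) are propagated".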
LDAP *ld = NULL;
LDAPMessage *res = NULL;
LDAPMod mod, *mod_array[2];
- char *dname, *lb, *end, *dn;
- char ldapbase[256];
+ char *dn;
char *ldapuri = NULL, *ldapdn = NULL, *control = NULL, *target = NULL;
struct berval **vals = NULL;
char *value;
/* Ensure the configuration is sane. */
CHECK_CONFIG(ad_admin_server);
- CHECK_CONFIG(ad_realm);
+ CHECK_CONFIG(ad_ldap_base);
/* Get the credentials we'll use to make the change in AD. */
code = get_creds(config, ctx, &ccache);
goto done;
}
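Review bot: `CHECK_CONFIG(ad_realm)` is replaced rather than supplemented. If ad_realm is still used in this function to derive the AD principal name (the comment below, "convert that to the AD principal", suggests it is), keep both checks; otherwise a NULL ad_realm on this path is caught only by the separate check in config.c, if it is reached at all.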
- /*
- * Convert the domain name to a DN. The default is ou=Accounts, which
- * is what Stanford uses, but the base DN prior to the dc portion for
- * the realm can be changed with a configuration option.
- */
- memset(ldapbase, 0, sizeof(ldapbase));
- if (config->ad_ldap_base == NULL)
- strlcpy(ldapbase, "ou=Accounts,dc=", sizeof(ldapbase));
- else {
- strlcpy(ldapbase, config->ad_ldap_base, sizeof(ldapbase));
- strlcat(ldapbase, ",dc=", sizeof(ldapbase));
- }
- lb = ldapbase + strlen(ldapbase);
- end = ldapbase + sizeof(ldapbase) - 1;
- for (dname = config->ad_realm; lb < end && *dname != '\0'; dname++) {
- if (*dname == '.') {
- *lb = '\0';
- strlcat(ldapbase, ",dc=", sizeof(ldapbase));
- lb += 4;
- } else {
- *lb++ = *dname;
- }
- }
-
/*
* Since all we know is the local principal, we have to convert that to
* the AD principal and then query Active Directory via LDAP to get back
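Review bot: removing this block also removes the silent truncation that occurred when the configured base plus the realm-derived dc components exceeded the 256-byte `ldapbase` buffer; that is worth a mention in the commit message. Since the configured DN is now passed to LDAP verbatim, consider validating it when the configuration is loaded (at least rejecting an empty value) so that a malformed ad_ldap_base surfaces as a configuration error rather than as a failed LDAP search.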
code = sync_error_system(ctx, "cannot allocate memory");
goto done;
}
- code = ldap_search_ext_s(ld, ldapbase, LDAP_SCOPE_SUBTREE, ldapdn,
- (char **) attrs, 0, NULL, NULL, NULL, 0, &res);
+ code = ldap_search_ext_s(ld, config->ad_ldap_base, LDAP_SCOPE_SUBTREE,
+ ldapdn, (char **) attrs, 0, NULL, NULL, NULL, 0,
+ &res);
if (code != LDAP_SUCCESS) {
code = sync_error_ldap(ctx, code, "LDAP search for \"%s\" failed",
ldapdn);
if (config->ad_admin_server == NULL
|| config->ad_keytab == NULL
+ || config->ad_ldap_base == NULL
|| config->ad_principal == NULL
|| config->ad_realm == NULL)
return 0;
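Review bot: this condition returns 0 when `config->ad_ldap_base` (and, already, `config->ad_admin_server`) is NULL, yet the README text in this same change says both "can be omitted to only synchronize passwords". If this function gates all Active Directory synchronization, the new check makes ad_ldap_base mandatory for password sync as well; either the README wording or this condition needs to change so the two agree.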
ad_principal = service/krb5-sync@EXAMPLE.COM
ad_realm = AD.EXAMPLE.COM
ad_admin_server = ad.example.com
+ ad_ldap_base = ou=Accounts,dc=ad,dc=example,dc=com
ad_instances = exclude
queue_dir = queue
ad_principal = service/krb5-sync@EXAMPLE.COM
ad_realm = AD.EXAMPLE.COM
ad_admin_server = ad.example.com
+ ad_ldap_base = ou=Accounts,dc=ad,dc=example,dc=com
ad_instances = exclude
ad_queue_only = true
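Review bot: every test configuration shown here sets ad_ldap_base. If no test configuration omits it, the password-only mode that the README says is supported when ad_ldap_base and ad_admin_server are unset has no coverage; adding one configuration without these options would exercise that path.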