functions uniformly use the same standard error formatting and exit
status for kadmin failures.
+ The Heimdal version of kadmin-backend now requires the IPC::Run Perl
+ module (available from CPAN).
+
When prompting for a username in passwd_change, strip any surrounding
whitespace from that username before proceeding.
REQUIREMENTS
The kadmin backend is written in Perl and requires the Perl Expect
- module. The MIT version (kadmin-backend) calls the MIT Kerberos v5
- kadmin and kpasswd programs and therefore requires that they be
- available. The Heimdal version similarly requires kpasswd, but uses the
- Perl module Heimdal::Kadm5 for kadmin operations and requires it be
- installed. For integration with the AFS kaserver Kerberos v4 realm, it
- uses kasetkey. The Kerberos v4 synchronization is disabled by default.
+ module. The Heimdal version also requires the IPC::Run module. The MIT
+ version (kadmin-backend) calls the MIT Kerberos v5 kadmin and kpasswd
+ programs and therefore requires that they be available. The Heimdal
+ version similarly requires kpasswd, but uses the Perl module
+ Heimdal::Kadm5 for kadmin operations and requires it be installed. For
+ integration with the AFS kaserver Kerberos v4 realm, it uses kasetkey.
+ The Kerberos v4 synchronization is disabled by default.
The kadmin backend can propagate instance creation and deletion to an
Active Directory. To use this support, you will need the Perl Encode,
use Date::Parse qw(str2time);
use Heimdal::Kadm5 qw(KRB5_KDB_REQUIRES_PRE_AUTH KADM5_POLICY_NORMAL_MASK
KRB5_KDB_DISALLOW_ALL_TIX KADM5_POLICY_CLR);
+use IPC::Run qw(run);
use POSIX;
use Time::Seconds;
check_password ($password);
$principal = "$principal/$instance" if $instance;
return unless $CONFIG{$instance}{pwcheck};
- my $pid = open (CHECKER, '-|');
- if (not defined $pid) {
- die "error: cannot fork: $!\n";
- } elsif ($pid == 0) {
- open (STDERR, '>&STDOUT') or exit 1;
- open (PROGRAM, '|-', $CONFIG{$instance}{pwcheck}, $principal)
- or die "error: cannot run $CONFIG{$instance}{pwcheck}: $!\n";
- print PROGRAM "principal: $principal\n";
- print PROGRAM "new-password: $password\n";
- print PROGRAM "end\n";
- close PROGRAM;
- exit ($? >> 8);
- } else {
- my $output = <CHECKER>;
- close CHECKER;
- unless ($output eq "APPROVED\n" and $? == 0) {
- $output =~ s/\n/ /g;
- $output =~ s/\s+$//;
- warn "error: Insecure password rejected\n";
- print "retstr: Insecure password: $output\n";
- return;
- }
+ my $in = "principal: $principal\nnew-password: $password\nend\n";
+ my $out;
+ run ([$CONFIG{$instance}{pwcheck}, $principal], \$in, \$out, \$out);
+ unless ($out eq "APPROVED\n" && $? == 0) {
+ $out ||= '';
+ $out =~ s/\n/ /g;
+ $out =~ s/\s+$//;
+ warn "error: Insecure password rejected\n";
+ print "retstr: Insecure password: $out\n";
+ return;
}
return 1;
}
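Review bot: `my $out;` is left undefined but is compared with `eq` before the `$out ||= ''` default runs, so a checker that exits non-zero without printing anything produces an "uninitialized value" warning on the `unless` line; declare it as `my $out = '';` before the `run` call and drop the `||=`. Separately, `run` dies if the pwcheck program cannot be executed, whereas the removed fork path died in the child with `error: cannot run ...` and surfaced that text to the parent as checker output; unless that exception is caught (an `eval` around `run`, or checking its return value), the caller now gets an uncaught die with IPC::Run's own message instead of the `retstr:` line. Passing the password on stdin via `\$in` and merging stderr into `$out` with `\$out, \$out` does preserve the old behaviour, which is good.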