Replace checking with policy for kadmin-backend

kadmin-backend for an MIT Kerberos server no longer has the boolean
checking configuration parameter, which said whether to do password
checking.  Instead, there is a new policy configuration parameter
which, if set, sets that password policy for newly created accounts.
To duplicate the previous behavior when checking was true, set policy
to "standard".

diff --git a/NEWS b/NEWS
index 4050c84453222be765fa37ef2db5ca322d7dce38..a4404ef8f2b0e88d5417c8c68776dd893c5a32a9 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,12 +2,20 @@
 
 kadmin-remctl 3.1 (unreleased)
 
+    kadmin-backend for an MIT Kerberos server no longer has the boolean
+    checking configuration parameter, which said whether to do password
+    checking.  Instead, there is a new policy configuration parameter
+    which, if set, sets that password policy for newly created accounts.
+    To duplicate the previous behavior when checking was true, set policy
+    to "standard".
+
     Add an expiration command, which sets the expiration date of a
     principal.  Based on a patch from Garrett Wollman.
 
-    For an MIT Kerberos server, add the create_opts configuration
-    parameter, which adds additional options that are passed to kadmin
-    addprinc when a principal is created.
+    kadmin backend for an MIT Kerberos server now supports the create_opts
+    configuration parameter, which adds additional options that are passed
+    to kadmin addprinc when a principal is created.  Based on a patch by
+    Garrett Wollman.
 
     Allow underscores in principal names by default in the examine
     function.

diff --git a/kadmin-backend b/kadmin-backend
index 269fb3f99829944aa1a7c21fbf417d5a5be6061c..4bc9f74fd28ec5dd8c3e5b5a23589661bc17b67c 100755 (executable)
--- a/kadmin-backend
+++ b/kadmin-backend
@@ -67,12 +67,12 @@ our $LDAPSEARCH = 'ldapsearch';
 #     afs_srvtab  => Srvtab for Kerberos v4 kasetkey authentication
 #     acl         => File listing principals that can manage this instance
 #     allowed     => Regex matching permitted principal names (w/o instance)
-#     checking    => True if we should enable password strength checking
 #     create_opts => Extra options to pass to kadmin addprinc
 #     k5_admin    => Principal for Kerberos v5 kadmin authentication
 #     k5_host     => Admin server for Kerberos v5 kadmin operations
 #     k5_keytab   => Keytab for Kerberos v5 kadmin authentication
 #     locked      => Program to check to see if we can enable an account
+#     policy      => The password policy to set for created principals
 #     reset       => True if we should allow password resets
 #
 # No instances are configured by default.  In order for a particular instance
@@ -260,8 +260,8 @@ sub kadmin_create {
     kadmin_config ($instance) or return;
     $principal = "$principal/$instance" if $instance;
     my $command = 'add_principal +requires_preauth';
-    if ($CONFIG{$instance}{checking}) {
-        $command .= ' -policy standard';
+    if ($CONFIG{$instance}{policy}) {
+        $command .= " -policy $CONFIG{$instance}{policy}";
     } else {
         $command .= ' -clearpolicy';
     }
@@ -1522,11 +1522,6 @@ handled separately) or a realm, and be sure it rejects any characters that
 might confuse the shell or B<kadmin> (shell metacharacters, whitespace,
 and so forth).
 
-=item checking
-
-Set to a true value if passwords for this instance should be subject to
-password strength checking, false otherwise.
-
 =item create_opts
 
 Contains extra options to pass to the B<kadmin> C<addprinc> command when
@@ -1559,6 +1554,11 @@ to check if an instance is locked.  Locked means that the instance cannot
 be enabled again using this interface for some policy reason.  If the
 array is undefined or empty, there is no checking for locked status.
 
+=item policy
+
+If set, the given password policy will be set for all newly-created
+principals.
+
 =item reset
 
 Set to a true value if B<kadmin-backend> should support resetting