Russ Allbery [Sun, 31 Dec 2017 22:39:42 +0000 (14:39 -0800)]
Fix build for new Heimdal, new Config::AutoConf
Current versions of Heimdal no longer include all of the libraries
when asking pkg-config for heimdal-kadm-server, so explicitly ask
for heimdal-krb5 as well and concatenate the flags together.
Pass the compiler flags into Config::AutoConf as well as the linker
flags to pick up Heimdal -I/usr/include/heimdal flags on Debian.
Adjust the call to check_decl for the new Config::AutoConf call
style.
Russ Allbery [Wed, 14 May 2014 21:19:44 +0000 (14:19 -0700)]
Support principal lists and expiration dates in change report
In the password-change-report example, support reading the list
of principals from an external file, and change the meaning of the
-e option to take a cutoff expiration date. Users will be included
if their password does not expire before that date.
This returns true if the entry has the given attribute, and false
otherwise. Needed for fast checking of whether a given Kerberos
database entry is disabled.
Add an attributes method to Authen::Kerberos::Kadmin
Returns the attributes set on a principal as a list of strings, or
as one string in the kadmin examine format. Add documentation,
including an explanation of what all the attributes mean.
Add entry modification and setting password expiration
The optional parameter can be used to set the password expiration
in the entry, and there is a new modify() method that will write
back all modified entries in the principal entry.
Fixes some email addresses to use the correct versions from
rra-c-util and updates all the test programs to use the new
environment variables to control which tests are run.
Create an Authen::Kerberos::Kadmin::Entry object, add basic get
support to Authen::Kerberos::Kadmin to return it, and support a
last_password_change method. Use that to test that the password
was really changed in the kadmin test suite.
To prepare for returning Authen::Kerberos::Principal objects from
Authen::Kerberos::Kadmin methods, move the wrapping function to
the separate utility code.
Store an Authen::Kerberos object in the ::Kadmin object
Instead of storing a bare krb5_context object, store a wrapped
Authen::Kerberos object in the Authen::Kerberos::Kadmin object.
This will allow us to return other Authen::Kerberos::* objects
from Authen::Kerberos::Kadmin methods, with an underlying
Authen::Kerberos object to keep them alive. It will also make it
easier later to allow the caller to provide an Authen::Kerberos
context.
Include util/util.h in implementations of its functions
It's best practice to include the header file that defines a
function in the C code that implements the function so that the
compiler can detect prototype mismatches.
Russ Allbery [Sat, 8 Mar 2014 01:32:05 +0000 (17:32 -0800)]
Add initial support for obtaining credentials
Add a new authenticate API that obtains initial credentials from
a keytab. Only a few options are currently supported. Also add
a basic implementation of Authen::Kerberos::Creds that's just
sufficient to check that authenticate is doing the right thing.
Russ Allbery [Fri, 7 Mar 2014 04:52:57 +0000 (20:52 -0800)]
Add tests for keytab functions
Add a test suite for keytabs and keytab entries, as well as the
necessary test data. Fix some bugs uncovered in the keytab and
keytab entry code that was not previously tested.
Russ Allbery [Fri, 7 Mar 2014 04:33:07 +0000 (20:33 -0800)]
Add initial keytab and principal implementation
Flesh out the Authen::Kerberos API considerably by adding some
glue for the first useful application. Add classes to represent
keytabs, principals, and keytab entries. Add more portability
glue so that we can start probing the nature of the local Kerberos
library. Add tests for correct handling of principal objects.
Russ Allbery [Fri, 28 Feb 2014 23:54:30 +0000 (15:54 -0800)]
Exclude t/data from coverage testing
We may have tiny support programs in the t/data directory. Those
shouldn't be run as part of coverage testing. Not only will they
probably not contribute to coverage, they may do disruptive things
like expect something on standard input.
Russ Allbery [Fri, 28 Feb 2014 23:31:43 +0000 (15:31 -0800)]
Fix password quality checking
When using the kadmin libraries in server mode, we have to do
password quality checking ourselves, since the library never does
it. Add the required code to the chpass implementation, add a
test configuration, and test password quality.
Russ Allbery [Fri, 28 Feb 2014 04:36:00 +0000 (20:36 -0800)]
Get Heimdal compiler flags using pkg-config
For right now, until we support a wider range of Kerberos libraries,
get the Heimdal compiler flags using pkg-config. This will let the
package build properly on a Debian system with heimdal-multidev but
not heimdal-dev.
Russ Allbery [Fri, 21 Feb 2014 18:53:50 +0000 (10:53 -0800)]
Initial version
Compiles and loads, but hasn't been tested and doesn't support the
configuration parameters required for effective testing. The only
functionality implemented so far is server-mode support for the
Heimdal libkadm5srv library.