Formatting, organization, and license updates to README
Add the new LICENSE section that I'm now using for software, adjust
more documentation for the new plugin installation location, and
clean up some other bits in the documentation.

Don't create a directory for each Kerberos implementation. We don't
have a whole set of tests for each implementation. Instead, move the
two implementation-specific interface checks into the plugin directory.

Handle NULL password for Heimdal, collapse duplicate code
While our Heimdal patch never calls our hook for create without a
password, handle this case anyway in case that changes in the future.
Collapse duplicate code from create and chpass by having create just
call chpass.

Drop concat and concatpath from the util library. Change xasprintf,
xvasprintf, basprintf, and bvasprintf to be void functions and remove
any remaining checks of their exit status.
Russ Allbery [Thu, 23 Feb 2012 18:53:06 +0000 (10:53 -0800)]
Ignore "Operation not permitted" errors in silent krb5-sync-backend
When krb5-sync-backend is running in silent mode, ignore "Operation
not permitted" errors from krb5_set_password. Heimdal 1.5.2 returns
this error from Active Directory when attempting to change the
password of an account that does not exist.
Russ Allbery [Wed, 8 Feb 2012 00:56:19 +0000 (16:56 -0800)]
Make the single-debian-patch and patch-header options local
* Move single-debian-patch to local-options and patch-header to
local-patch-header so that they only apply to the packages I build and
NMUs get regular version-numbered patches.
Russ Allbery [Wed, 11 Jan 2012 01:06:54 +0000 (17:06 -0800)]
Recommend krb5-admin-server 1.9 in the plugin package
* Recommend krb5-admin-server 1.9 or later in the plugin package. This
isn't the best way to express the dependency, since the plugin is
actually loaded by libkadm5srv, but otherwise we have to depend on the
specific SONAME of libkadm5srv even though any version of the package
will do. This will capture the most common scenarios.
Don't recommend krb5-kdc; the plugin has nothing to do with the KDC.
Russ Allbery [Wed, 11 Jan 2012 00:50:36 +0000 (16:50 -0800)]
Add Breaks and Replaces in krb5-sync-tools against krb5-sync
* Add Breaks and Replaces on the old internal krb5-sync package to
krb5-sync-tools. This is unnecessary for Debian but helpful for the
transition at Stanford and will be removed once that transition is
complete.
Russ Allbery [Wed, 11 Jan 2012 00:45:46 +0000 (16:45 -0800)]
Split the package into krb5-sync-plugin and krb5-sync-tools
* Split the package into krb5-sync-plugin and krb5-sync-tools packages,
since the former needs to be multiarch.
* Update the krb5-sync-plugin README.Debian for the built-in support for
loading this plugin in MIT Kerberos 1.9 and later and to provide a
sample of the krb5.conf configuration required.
* Update the package description and dependencies to reflect that it's
now specific to MIT Kerberos.
Russ Allbery [Wed, 11 Jan 2012 00:14:32 +0000 (16:14 -0800)]
Change module name to krb5_sync, add more configuration docs
The name of the plugin is now krb5_sync.so instead of passwd_update.so
and is installed under /usr/local/lib/krb5/plugins by default. The
KDC configuration for the name of the module to load will need to
change accordingly.
Add configuration documentation for Heimdal and MIT post 1.9 to README.
Russ Allbery [Tue, 10 Jan 2012 20:41:27 +0000 (12:41 -0800)]
Accept password in standard input in krb5-sync-backend
krb5-sync-backend's password command now accepts the password on
standard input in addition to accepting it as a command-line
parameter. This is more secure since the password is not exposed to
other users of the same system.
Russ Allbery [Tue, 10 Jan 2012 19:30:59 +0000 (11:30 -0800)]
Better configure support for finding LDAP libraries
Add --with-ldap, --with-ldap-include, and --with-ldap-lib flags to
configure to specify the locations of the OpenLDAP libraries if
they're not on the standard search path.
This also avoids linking things unnecessarily against the LDAP
libraries, which fixes problems with the xmalloc test suite.
Russ Allbery [Tue, 10 Jan 2012 18:24:37 +0000 (10:24 -0800)]
Remove the patch for Stanford's MIT Kerberos 1.4.4
Remove the patch for Stanford's patched MIT Kerberos 1.4.4 from the
distribution. This has not been used at Stanford for years and is old
enough that it's unlikely to be of interest to others.
Russ Allbery [Tue, 10 Jan 2012 18:17:59 +0000 (10:17 -0800)]
configure.ac and Makefile.am cleanup
Move all Automake options into configure.ac instead of splitting them
between configure.ac and Makefile.am. Add a probe for uint32_t, since
we use it in our code.
Russ Allbery [Tue, 10 Jan 2012 17:34:45 +0000 (09:34 -0800)]
Update to rra-c-util 4.1
* Build on systems where krb5/krb5.h exists but krb5.h does not.
* Kerberos probes no longer assume transitive library dependencies.
* Fix removal of /usr/include from Kerberos CPPFLAGS.
* Include strings.h where present for more POSIX string functions.
* Avoid passing a NULL context to krb5_get_error_message.
* Fix a data type issue in the messages utility library.
* Fix incorrect __attribute notations in the utility library.
* Add replacement for a missing strndup (such as on Mac OS X).
* Add notices to all files copied from rra-c-util.
Russ Allbery [Mon, 8 Aug 2011 23:12:52 +0000 (16:12 -0700)]
Cleanup of MIT Kerberos 1.9 support
Do some code and syntax cleanup, update NEWS and README, rename the
file to match the current naming convention, and fix the prototype
of the external function we provide.
Current MIT Kerberos calls the password change hook with a NULL
password in the -randkey case, which the module wasn't prepared to
handle. For now, quietly skip -randkey key changes, since we cannot
currently do anything sensible with them.