Formatting, organization, and license updates to README
Add the new LICENSE section that I'm now using for software, adjust
more documentation for the new plugin installation location, and
clean up some other bits in the documentation.
Don't create a directory for each Kerberos implementation. We don't
have a whole set of tests for each implementation. Instead, move the
two implementation-specific interface checks into the plugin directory.
Handle NULL password for Heimdal, collapse duplicate code
While our Heimdal patch never calls our hook for create without a
password, handle this case anyway in case that changes in the future.
Collapse duplicate code from create and chpass by having create just
call chpass.
Drop concat and concatpath from the util library. Change xasprintf,
xvasprintf, basprintf, and bvasprintf to be void functions and remove
any remaining checks of their exit status.
Russ Allbery [Thu, 23 Feb 2012 18:53:06 +0000 (10:53 -0800)]
Ignore "Operation not permitted" errors in silent krb5-sync-backend
When krb5-sync-backend is running in silent mode, ignore "Operation
not permitted" errors from krb5_set_password. Heimdal 1.5.2 returns
this error from Active Directory when attempting to change the
password of an account that does not exist.
Russ Allbery [Wed, 11 Jan 2012 00:14:32 +0000 (16:14 -0800)]
Change module name to krb5_sync, add more configuration docs
The name of the plugin is now krb5_sync.so instead of passwd_update.so
and is installed under /usr/local/lib/krb5/plugins by default. The
KDC configuration for the name of the module to load will need to
change accordingly.
Add configuration documentation for Heimdal and MIT post 1.9 to README.
Russ Allbery [Tue, 10 Jan 2012 20:41:27 +0000 (12:41 -0800)]
Accept password in standard input in krb5-sync-backend
krb5-sync-backend's password command now accepts the password on
standard input in addition to accepting it as a command-line
parameter. This is more secure since the password is not exposed to
other users of the same system.
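The standard-input path described in this commit, as an added example rather than krb5-sync's own code: a line reader for a password arriving on stdin, which unlike a command-line argument is not visible to other local users through the process list. The helper demo_read(), the global demo_buf, and the -1/-2 result codes are assumptions of this example, not the backend's interface.

```c
#include <stdio.h>
#include <string.h>

/* Read one password line from in into buf (size len), stripping the
 * newline.  Returns the length, -1 on EOF with no data, or -2 if the
 * line does not fit: the rest of that line is then discarded and buf
 * cleared, so a command loop never sees the tail of an overlong
 * password as its next command. */
int read_password(FILE *in, char *buf, size_t len)
{
    size_t n;
    int c;

    if (fgets(buf, (int) len, in) == NULL)
        return -1;
    n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';
        return (int) n;
    }
    /* No newline in buf: the line fit exactly, the last line lacked a
     * newline (EOF), or the input was too long.  Peek one char to tell. */
    c = fgetc(in);
    if (c == EOF || c == '\n')
        return (int) n;
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    memset(buf, 0, len);
    return -2;
}

/* Demonstration only: run constructed text through read_password() via
 * a temporary file standing in for stdin.  The password is left in
 * demo_buf; a real caller would memset() it once it is no longer needed. */
char demo_buf[256];

int demo_read(const char *text, size_t len)
{
    FILE *in = tmpfile();
    int result;

    if (in == NULL)
        return -3;
    fputs(text, in);
    rewind(in);
    result = read_password(in, demo_buf, len);
    fclose(in);
    return result;
}
```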
Russ Allbery [Tue, 10 Jan 2012 19:30:59 +0000 (11:30 -0800)]
Better configure support for finding LDAP libraries
Add --with-ldap, --with-ldap-include, and --with-ldap-lib flags to
configure to specify the locations of the OpenLDAP libraries if
they're not on the standard search path.
This also avoids linking things unnecessarily against the LDAP
libraries, which fixes problems with the xmalloc test suite.
Russ Allbery [Tue, 10 Jan 2012 18:24:37 +0000 (10:24 -0800)]
Remove the patch for Stanford's MIT Kerberos 1.4.4
Remove the patch for Stanford's patched MIT Kerberos 1.4.4 from the
distribution. This has not been used at Stanford for years and is old
enough that it's unlikely to be of interest to others.
Russ Allbery [Tue, 10 Jan 2012 18:17:59 +0000 (10:17 -0800)]
configure.ac and Makefile.am cleanup
Move all Automake options into configure.ac instead of splitting them
between configure.ac and Makefile.am. Add a probe for uint32_t, since
we use it in our code.
Russ Allbery [Tue, 10 Jan 2012 17:34:45 +0000 (09:34 -0800)]
Update to rra-c-util 4.1
* Build on systems where krb5/krb5.h exists but krb5.h does not.
* Kerberos probes no longer assume transitive library dependencies.
* Fix removal of /usr/include from Kerberos CPPFLAGS.
* Include strings.h where present for more POSIX string functions.
* Avoid passing a NULL context to krb5_get_error_message.
* Fix a data type issue in the messages utility library.
* Fix incorrect __attribute notations in the utility library.
* Add replacement for a missing strndup (such as on Mac OS X).
* Add notices to all files copied from rra-c-util.
Russ Allbery [Mon, 8 Aug 2011 23:12:52 +0000 (16:12 -0700)]
Cleanup of MIT Kerberos 1.9 support
Do some code and syntax cleanup, update NEWS and README, rename the
file to match the current naming convention, and fix the prototype
of the external function we provide.
Current MIT Kerberos calls the password change hook with a NULL
password in the -randkey case, which the module wasn't prepared to
handle. For now, quietly skip -randkey key changes, since we cannot
currently do anything sensible with them.
Russ Allbery [Thu, 26 Aug 2010 23:06:44 +0000 (16:06 -0700)]
Avoid deprecated OpenLDAP functions
This mostly consists of changing to the _ext_s forms of various
functions, but also means using the value retrieval functions that
return struct bervals, with corresponding changes to how the
resulting data is managed.
Russ Allbery [Thu, 26 Aug 2010 22:16:56 +0000 (15:16 -0700)]
Add additional gcc warnings
Add -Wformat=2 -Winit-self -Wswitch-enum -Wdeclaration-after-statement
-Wshadow to the set of gcc warnings. Stop passing -DDEBUG=1 since I no
longer use that define anywhere. Change -W to -Wextra since I'm
requiring a fairly new GCC anyway.
Fix a place where a local variable was being shadowed, picked up by
-Wshadow.
Russ Allbery [Thu, 26 Aug 2010 21:33:08 +0000 (14:33 -0700)]
Add a patch for MIT Kerberos 1.8.3
Add a version of the krb5-sync patch for MIT Kerberos 1.8.3. This is
a simple forward-port of the 1.4.4 patch and doesn't use any of the
new plugin capabilities or configuration. Thanks to Sam Hartman for
the port.
Russ Allbery [Sun, 16 May 2010 19:47:13 +0000 (12:47 -0700)]
krb5-sync-backend error suppression improvements with Heimdal
Fix suppression of some error messages in krb5-sync-backend when the
-s flag was given. This was broken by adding the krb5-sync: prefix to
error messages from krb5-sync.
Suppress the Heimdal service_locator plugin error message in
krb5-sync-backend when the -s flag was given.
Russ Allbery [Sun, 16 May 2010 18:13:13 +0000 (11:13 -0700)]
Queue password change for AD for any password change failure
Queue password changes on any failure to change the password in Active
Directory, rather than only on failures returned as an error in the
password change protocol. Heimdal 1.3.2 will return an error about a
missing service location plugin instead of the last error from Active
Directory, causing the plugin to fail the whole password change rather
than queuing it as intended for unknown users.
Russ Allbery [Fri, 5 Feb 2010 19:30:58 +0000 (11:30 -0800)]
Import utility library and use it for messages from krb5-sync
Import the messages and xmalloc parts of the utility library and use
it for messages from krb5-sync. Also use util/macros.h to provide the
UNUSED define.
Russ Allbery [Fri, 5 Feb 2010 04:55:38 +0000 (20:55 -0800)]
Massive update of Kerberos compatibility code
If krb5-config produces results that don't work for Kerberos probes,
fall back on manual library probing rather than just failing.
If KRB5_CONFIG was explicitly set in the environment, don't use a
different krb5-config based on --with-krb5. If krb5-config isn't
executable, don't use it. This allows one to force library probing by
setting KRB5_CONFIG to point to a nonexistent file.
Sanity-check the results of krb5-config before proceeding and error
out in configure if they don't work.
Add separate --with-krb5-lib and --with-krb5-include configure options
to set the library and include directories independently, and handle
lib64 systems better and more automatically.
Import the new Kerberos compatibility layer from rra-c-util and
supplement it with the principal manipulation functions needed here.
Take advantage of it to massively simplify the code.
Russ Allbery [Tue, 26 Jan 2010 01:53:48 +0000 (17:53 -0800)]
Port instance checking code to Heimdal
Heimdal uses a completely different API than MIT Kerberos for getting the
components of a principal. Probe for the necessary functions and port
the code. This is very ugly; a better portability layer is needed.
Russ Allbery [Tue, 26 Jan 2010 01:40:43 +0000 (17:40 -0800)]
First pass port of AD code to Heimdal
Avoid deprecated functions and add new configure probes for the Heimdal
functions.
krb5_set_password_using_ccache sets krb5_data structs, whose data members
are void * on Heimdal. Add the appropriate casts for printing the results
into a string.
Include stdlib.h in plugin/ad.c, which always needed it but whose need was
apparently masked by MIT Kerberos includes.