Russ Allbery [Tue, 10 Dec 2013 04:45:19 +0000 (20:45 -0800)]
Disable ad_base_instance for MIT Kerberos
Calling libkadm5srv functions from inside a kadm5_hook plugin
appears to corrupt the state of the library on MIT Kerberos.
Disable the ad_base_instance configuration option on MIT Kerberos
for the time being.
Russ Allbery [Tue, 10 Dec 2013 02:13:14 +0000 (18:13 -0800)]
Add NEWS and update README.Debian for new options and plugin
The plugin name has changed and the ad_ldap_base option is now
required. Document the required changes in NEWS, since it's hard
to automate the update process of the configuration files.
Russ Allbery [Tue, 10 Dec 2013 00:09:06 +0000 (16:09 -0800)]
Only probe for krb5/kadm5_hook_plugin.h when building with MIT
If building with Heimdal using non-standard paths, we may find the
MIT Kerberos header but not be able to compile with it because of
all the symbol conflicts. Work around this by only checking for
the header when building with Heimdal.
Russ Allbery [Sat, 7 Dec 2013 03:56:37 +0000 (19:56 -0800)]
Fix detection of ad_base_instance principals
The logic for checking the Kerberos database for the principal
was incorrect in the case where the principal exists. Fix the
status code checking to work properly.
Russ Allbery [Sat, 7 Dec 2013 03:53:33 +0000 (19:53 -0800)]
Allow propagation of base instances
We weren't allowing ad_base_instance instances through far enough
into the password change logic to determine that they should be
propagated to the base account.
Russ Allbery [Fri, 6 Dec 2013 23:15:33 +0000 (15:15 -0800)]
Add a basic test suite for krb5-sync-backend
This does not (yet) test the process function, but everything
else gets some reasonable basic testing. Still to be done, as
well as process, is testing of creating files when there are
conflicts and testing the purge function.
Russ Allbery [Fri, 6 Dec 2013 23:13:57 +0000 (15:13 -0800)]
Work around Net::Remctl::Backend bug in krb5-sync-backend
Net::Remctl::Backend doesn't do argument count validation
properly with arguments from standard input, which affected the
password command. Allow one fewer argument than we require and
do a separate check that the number of arguments is correct.
Russ Allbery [Fri, 6 Dec 2013 23:10:39 +0000 (15:10 -0800)]
Fix locking in krb5-sync-backend with non-default queues
Allow krb5-sync-backend to create the lock file if it's missing,
and pass in the queue directory to the lock function so that it
can find the correct lock file.
Russ Allbery [Fri, 6 Dec 2013 06:45:40 +0000 (22:45 -0800)]
Finish cleanup of krb5-sync-backend coding style
Functionality should be the same, but it now uses IPC::Run and
Net::Remctl::Backend and holds a queue lock while processing a
particular queue file. The -h option was removed and a new
manual command was added.
Russ Allbery [Thu, 5 Dec 2013 07:27:27 +0000 (23:27 -0800)]
Add standard Perl test suite
Add the test suite for Perl programs. Currently, the critic test
does not pass if maintainer tests are enabled, since the coding
style for krb5-sync-backend is out of date.
Russ Allbery [Thu, 5 Dec 2013 06:10:21 +0000 (22:10 -0800)]
Merge krb5-sync sections in generated krb5.conf files
It looks like the profile library can't handle multiple appdefault
sections for krb5-sync and doesn't combine them properly. Make
make-krb5-conf a bit more complicated to merge the settings into
the existing section.
Russ Allbery [Thu, 5 Dec 2013 05:02:57 +0000 (21:02 -0800)]
Update to rra-c-util 4.12 (to be) and C TAP Harness 2.3
Update to rra-c-util 4.12:
* Better error messages from xasprintf on failure to format output.
* Check return status of vsnprintf properly.
* Significant improvements to POD tests.
* Avoid leaking a dummy symbol from the portability layer.
* Probe for Kerberos headers with file existence checks.
Update to C TAP Harness 2.3:
* runtests now treats the command line as a list of tests by default.
* The full test executable path can now be passed to runtests -o.
* Improved harness output for tests with lazy plans.
* Improved harness output to a terminal for some abort cases.
* Flush harness output after each test even when not on a terminal.
* bail and sysbail now exit with status 255 to match Test::More.
* Suppress lazy plans and test summaries if the test failed with bail.
* Add warn_unused_result gcc attributes to relevant functions.
Russ Allbery [Thu, 5 Dec 2013 04:36:29 +0000 (20:36 -0800)]
Simplify queue-only test using make-krb5-conf
Generate the krb5.conf file for the queue-only test by adding the
configuration setting on to the default.conf file instead of using
a separate file. Also redo the setup to be somewhat cleaner.
Russ Allbery [Thu, 5 Dec 2013 02:14:58 +0000 (18:14 -0800)]
Start cleaning up module test suite
Import the Kerberos TAP functions from rra-c-util so that we can
use bail_krb5, and update the Kerberos Autoconf macros to match.
Add make-krb5-conf to build a configuration with known settings,
although it's not being used yet. Clean up and comment the dynamic
loading tests and use bail more to avoid making the whole test
conditional.
Russ Allbery [Thu, 5 Dec 2013 00:48:08 +0000 (16:48 -0800)]
New syslog option to suppress syslog logging
Add a new boolean krb5.conf option, syslog, which can be set to false
to suppress syslog logging of the actions taken by the plugin and
error messages leading to queuing the change. Always log the error
that leads to queuing a status change.
Russ Allbery [Wed, 4 Dec 2013 23:47:54 +0000 (15:47 -0800)]
Improve formatting of the configuration documentation
Break up the configuration documentation in README into separate
paragraphs for each configuration option and organize in
alphabetical order by configuration option name. Be clearer
about the required or not required status of some options.
Russ Allbery [Wed, 4 Dec 2013 23:29:45 +0000 (15:29 -0800)]
Use a vector for ad_instances
Rather than doing complicated parsing of the space-separated list
of acceptable instances, add support for vectors and parsing the
configuration option into a vector, which makes the code fairly
simple and straightforward.
Russ Allbery [Wed, 4 Dec 2013 22:48:09 +0000 (14:48 -0800)]
For queuing, strip realm using krb5_unparse_name_flags
Rather than trying to parse the resulting string for the realm
separator, use krb5_unparse_name_flags and tell the Kerberos
library to strip the realm for us.
Russ Allbery [Wed, 4 Dec 2013 21:47:13 +0000 (13:47 -0800)]
Fail the password change if we can't check the instance
If configured with a base instance, fail the password change if
we can't look up the instance in the Kerberos database to determine
whether it should be propagated.
Russ Allbery [Thu, 21 Nov 2013 06:09:46 +0000 (22:09 -0800)]
Return a real status from sync_instance_exists
Return a Kerberos status and store the existence in a separate
boolean variable. This doesn't abort the password change on failure
yet due to some problems in calling functions, but it's the first
step.
Russ Allbery [Thu, 21 Nov 2013 04:54:17 +0000 (20:54 -0800)]
ad_ldap_base now contains the entire base DN
The meaning of the ad_ldap_base configuration option has changed, and
it's now mandatory for status synchronization. This setting should
now contain the full DN of the tree in Active Directory where account
information is stored (such as cn=Accounts,dc=example,dc=com).
Previously, the dc components should be omitted and were derived from
the realm; this is no longer done. If this configuration option is
not set, principal status will not be synchronized to Active
Directory.
Russ Allbery [Thu, 21 Nov 2013 03:13:38 +0000 (19:13 -0800)]
Rename all of the internal functions
Use the much shorter sync_ prefix instead of pwupdate, and don't
care internally about pre-commit vs. post-commit. We handle that
entirely in the module glue layer now. Remove the empty and
never-called postcommit password function.
Russ Allbery [Thu, 21 Nov 2013 02:15:08 +0000 (18:15 -0800)]
Rework internal error handling to use Kerberos errors
Now that we've dropped the old API, we can drop the error handling
mode, which predates rich Kerberos errors. Replace it with use of
krb5_set_error_message everywhere, and change a lot of functions
to return a krb5_error_code instead of a boolean or some special
status code.
As part of this change, all password changes are queued for Active
Directory if they fail regardless of the reason for the failure.
Russ Allbery [Wed, 20 Nov 2013 23:00:13 +0000 (15:00 -0800)]
Pass the Kerberos context into all internal functions
Standardize the API so that all functions except the init and
shutdown take the plugin configuration and the Kerberos context,
and stop internally creating and removing Kerberos contexts. Stop
using void * in a bunch of places, isolating that to the MIT and
Heimdal plugin code.