Commit 37bd6ad0 authored by Russ Allbery

Change module name to krb5_sync, add more configuration docs

The name of the plugin is now krb5_sync.so instead of passwd_update.so
and is installed under /usr/local/lib/krb5/plugins by default.  The
KDC configuration for the name of the module to load will need to
change accordingly.

Add configuration documentation for Heimdal and MIT post 1.9 to README.
parent 228cbc3a
......@@ -25,17 +25,18 @@ util_libutil_la_SOURCES = util/concat.c util/concat.h util/macros.h \
util/messages.h util/xmalloc.c util/xmalloc.h
util_libutil_la_LIBADD = portable/libportable.la $(KRB5_LIBS)
# Put the module into /usr/local/lib/kadmind by default, relative to --libdir.
moduledir = $(libdir)/kadmind
# Put the module into /usr/local/lib/krb5/plugins by default, relative to
# --libdir.
moduledir = $(libdir)/krb5/plugins
# Rules for building the password synchronization plugin.
module_LTLIBRARIES = plugin/passwd_update.la
plugin_passwd_update_la_SOURCES = plugin/ad.c plugin/api.c plugin/error.c \
# Rules for building the krb5-sync plugin.
module_LTLIBRARIES = plugin/krb5_sync.la
plugin_krb5_sync_la_SOURCES = plugin/ad.c plugin/api.c plugin/error.c \
plugin/internal.h plugin/heimdal.c plugin/mit.c plugin/queue.c
plugin_passwd_update_la_CPPFLAGS = $(LDAP_CPPFLAGS)
plugin_passwd_update_la_LDFLAGS = -module -avoid-version $(LDAP_LDFLAGS) \
plugin_krb5_sync_la_CPPFLAGS = $(LDAP_CPPFLAGS)
plugin_krb5_sync_la_LDFLAGS = -module -avoid-version $(LDAP_LDFLAGS) \
$(KRB5_LDFLAGS)
plugin_passwd_update_la_LIBADD = portable/libportable.la $(LDAP_LIBS) \
plugin_krb5_sync_la_LIBADD = portable/libportable.la $(LDAP_LIBS) \
$(KRB5_LIBS)
# Rules for building the krb5-sync utility. We specify the CFLAGS to work
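Review bot: With moduledir now $(libdir)/krb5/plugins and the library renamed to plugin/krb5_sync.la, make install no longer writes to $(libdir)/kadmind, so a passwd_update.so from an earlier install stays on disk and a KDC configuration that still names the old path would keep referring to that old file. Consider saying in the upgrade notes that the old file should be removed by hand, or adding an install-time warning when it is present. A smaller style point: the new comment "Rules for building the krb5-sync plugin" uses the hyphenated name that the same file uses for the utility (tools/krb5-sync), while the module is krb5_sync; using the underscore form in that comment would keep the two easier to tell apart.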
......@@ -44,7 +45,7 @@ plugin_passwd_update_la_LIBADD = portable/libportable.la $(LDAP_LIBS) \
# will cause the sources to be built twice, once with a prefix for this
# program.
sbin_PROGRAMS = tools/krb5-sync
tools_krb5_sync_SOURCES = tools/krb5-sync.c $(plugin_passwd_update_la_SOURCES)
tools_krb5_sync_SOURCES = tools/krb5-sync.c $(plugin_krb5_sync_la_SOURCES)
tools_krb5_sync_CFLAGS = $(AM_CFLAGS)
tools_krb5_sync_LDFLAGS = $(LDAP_LDFLAGS) $(KRB5_LDFLAGS)
tools_krb5_sync_LDADD = portable/libportable.la util/libutil.la \
......
......@@ -2,6 +2,11 @@
krb5-sync 2.2 (2012-01-10)
The name of the plugin is now krb5_sync.so instead of passwd_update.so
and is installed under /usr/local/lib/krb5/plugins by default. The
KDC configuration for the name of the module to load will need to
change accordingly.
Add support for the new libkadm5 hooks provided by MIT Kerberos 1.9.
With that version and later, no patch to MIT Kerberos is required to
use this code. Thanks to Sam Hartman for the patch.
......
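Review bot: The new first paragraph of the 2.2 entry says the KDC configuration "will need to change accordingly" but does not name the settings an administrator has to edit. The README changes in this same commit show them (pwupdate_plugin in the realm sub-section of [realms] for older MIT, hook_libraries in [kadmin] for Heimdal), so either list them here or point the reader at the CONFIGURATION section of README. Someone upgrading from NEWS alone cannot tell which line to look for.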
......@@ -128,7 +128,7 @@ INSTALLATION
the Linux kernel). Use make warnings instead of make to build with full
GCC compiler warnings (requires a relatively current version of GCC).
The plugin is installed as /usr/local/lib/kadmind/passwd_update.so by
The plugin is installed as /usr/local/lib/krb5/plugins/krb5_sync.so by
default, and the utilities are installed in /usr/local/sbin. The last
step will probably have to be done as root. To install in a different
location, specify the location with the --prefix option to configure.
......@@ -250,15 +250,38 @@ CONFIGURATION
directory other than the one given, you will need to change the
beginning of the krb5-sync-backend script as well.
The kadmind patch adds a configuration option for the kdc.conf file
specifying the path to the plugin. If this option is not set, the
With MIT Kerberos 1.9 or later, support for kadmind plugins is built in.
To load this plugin, add the following to the kdc.conf or krb5.conf file
used by kadmind:
[plugins]
kadm5_hook = {
module = krb5_sync:/usr/local/lib/krb5/plugins/krb5_sync.so
}
You may wish to install krb5_sync.so under a krb5/plugins/kadm5_hook in
the library directory used for your Kerberos installation instead, in
which case you can use "kadm5_hook/krb5_sync.so" as the relative path to
the plugin.
The kadmind patch for Heimdal adds a configuration option for the
krb5.conf file in the [kadmin] section. If this option is not set, the
plugin will not be loaded and none of the hooks will be run. Therefore,
to use the plugin, add a line like:
to use the plugin, add configuration like:
[kadmin]
hook_libraries = /usr/local/lib/krb5/plugins/krb5_sync.so
to the configuration file used by kadmind and kpasswdd. Update the path
for wherever the krb5-sync plugin is located.
The kadmind patch for older versions of MIT adds a similar configuration
option for the kdc.conf. To use the plugin on older versions of MIT,
add a line like:
pwupdate_plugin = /usr/local/lib/kadmind/passwd_update.so
pwupdate_plugin = /usr/local/lib/krb5/plugins/krb5_sync.so
to the local realm sub-section of the [realms] section. Update the path
for wherever the password update plugin is located.
to the local realm sub-section of the [realms] section.
ACTIVE DIRECTORY SETUP
......
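Review bot: The paragraph suggesting an install under krb5/plugins/kadm5_hook does not match what this commit's Makefile.am does, which sets moduledir to $(libdir)/krb5/plugins, so the relative path "kadm5_hook/krb5_sync.so" only works after the administrator relocates the file or overrides the install directory. Say how to do that, and show the complete setting (module = krb5_sync:kadm5_hook/krb5_sync.so) rather than only the path fragment. The same sentence reads "under a krb5/plugins/kadm5_hook in the library directory" and is missing a noun such as "directory". Finally, the older-MIT paragraph now ends at "to the local realm sub-section of the [realms] section." and has lost the reminder to update the path, which the Heimdal paragraph still carries; keep it in both places or move it to a single sentence that covers all three configurations.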
......@@ -13,7 +13,7 @@ to the [kadmin] section in the configuration file used by kadmind,
kpasswdd, and kadmin (for kadmin -l). An example setting would look like:
[kadmin]
hook_libraries = /usr/local/lib/kadmind/passwd_update.so
hook_libraries = /usr/local/lib/krb5/plugins/krb5_sync.so
This is a preliminary, and ugly, patch that adds the necessary features
for krb5-sync in a somewhat brute-force way. It will change in the future
......
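Review bot: The context above the changed hook_libraries line says the [kadmin] setting is read by kadmind, kpasswdd, and kadmin (for kadmin -l), while the Heimdal paragraph this commit adds to README names only kadmind and kpasswdd. Align the two descriptions so that an administrator using kadmin -l knows the local kadmin configuration needs the new krb5_sync.so path as well.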