1. 19 Aug, 2015 4 commits
  2. 10 Dec, 2013 4 commits
  3. 05 Dec, 2013 3 commits
    • Russ Allbery's avatar
      Update to rra-c-util 4.12 (to be) and C TAP Harness 2.3 · a517ad35
      Russ Allbery authored
      Update to rra-c-util 4.12:
      
      * Better error messages from xasprintf on failure to format output.
      * Check return status of vsnprintf properly.
      * Significant improvements to POD tests.
      * Avoid leaking a dummy symbol from the portability layer.
      * Probe for Kerberos headers with file existence checks.
      
      Update to C TAP Harness 2.3:
      
      * runtests now treats the command line as a list of tests by default.
      * The full test executable path can now be passed to runtests -o.
      * Improved harness output for tests with lazy plans.
      * Improved harness output to a terminal for some abort cases.
      * Flush harness output after each test even when not on a terminal.
      * bail and sysbail now exit with status 255 to match Test::More.
      * Suppress lazy plans and test summaries if the test failed with bail.
      * Add warn_unused_result gcc attributes to relevant functions.
      a517ad35
    • Russ Allbery's avatar
      Change the name of the module to drop the redundant krb5_ · 65c27a8a
      Russ Allbery authored
      This will require configuration changes during upgrades.
      65c27a8a
    • Russ Allbery's avatar
      New syslog option to suppress syslog logging · b74bca9a
      Russ Allbery authored
      Add a new boolean krb5.conf option, syslog, which can be set to false
      to suppress syslog logging of the actions taken by the plugin and
      error messages leading to queuing the change.  Always log the error
      that leads to queuing a status change.
      b74bca9a
  4. 21 Nov, 2013 2 commits
    • Russ Allbery's avatar
      ad_ldap_base now contains the entire base DN · 5743ea9e
      Russ Allbery authored
      The meaning of the ad_ldap_base configuration option has changed, and
      it's now mandatory for status synchronization.  This setting should
      now contain the full DN of the tree in Active Directory where account
      information is stored (such as cn=Accounts,dc=example,dc=com).
      Previously, the dc components should be omitted and were derived from
      the realm; this is no longer done.  If this configuration option is
      not set, principal status will not be synchronized to Active
      Directory.
      5743ea9e
    • Russ Allbery's avatar
  5. 20 Nov, 2013 1 commit
    • Russ Allbery's avatar
      Drop support for old versions of MIT Kerberos · fa76b090
      Russ Allbery authored
      Drop support for MIT Kerberos versions prior to 1.9.  All major
      distributions are now shipping with a newer version of MIT Kerberos
      than this, and supporting older versions requires supporting patches
      and maintaining handicapped internal APIs.  MIT Kerberos 1.9 and later
      do not require patches to use this module.  Patches for Heimdal are
      still provided.
      fa76b090
  6. 19 Nov, 2013 1 commit
    • Russ Allbery's avatar
      Add support for ad_base_instance · 50c9870a
      Russ Allbery authored
      Add a new string krb5.conf option, ad_base_instance, which, if set,
      changes the way that password synchronization is handled.  When this
      option is set, the password for the principal formed by appending that
      instance to a base principal is propagated to Active Directory as the
      password for the base principal.  So, for instance, if this is set to
      the string "windows", the password of the principal "user/windows" is
      propagated to Active Directory as the password for the principal
      "user" and password changes for the principal "user" are ignored.
      This special behavior only happens if "user/windows" exists in the
      local Kerberos KDC database; if not, password propagation for the
      principal "user" happens normally, just as if this option weren't set.
      This allows the Active Directory principal to be treated as an
      instance rather than a main account for specific users without
      affecting behavior for other users.
      
      No regressions, but currently untested otherwise.
      50c9870a
  7. 16 Nov, 2013 1 commit
    • Russ Allbery's avatar
      Add ad_queue_only to force queuing of all changes · 4563cb8b
      Russ Allbery authored
      Add a new boolean krb5.conf option, ad_queue_only, which, if set to
      true, forces all changes to be queued even if there are no conflicting
      changes already queued.  The changes can then be processed later with
      krb5-sync-backend.  This can be useful if real-time updates to Active
      Directory cause performance issues in kadmind or kpasswdd.  kpasswd
      clients in particular are often intolerant of delays.
      4563cb8b
  8. 15 Nov, 2013 2 commits
  9. 18 Sep, 2012 2 commits
  10. 14 Sep, 2012 1 commit
  11. 12 Sep, 2012 1 commit
  12. 11 Sep, 2012 1 commit
  13. 23 Feb, 2012 1 commit
  14. 11 Jan, 2012 1 commit
    • Russ Allbery's avatar
      Change module name to krb5_sync, add more configuration docs · 37bd6ad0
      Russ Allbery authored
      The name of the plugin is now krb5_sync.so instead of passwd_update.so
      and is installed under /usr/local/lib/krb5/plugins by default.  The
      KDC configuration for the name of the module to load will need to
      change accordingly.
      
      Add configuration documentation for Heimdal and MIT post 1.9 to README.
      37bd6ad0
  15. 10 Jan, 2012 9 commits
  16. 08 Aug, 2011 1 commit
    • Russ Allbery's avatar
      Cleanup of MIT Kerberos 1.9 support · 892a8f2d
      Russ Allbery authored
      Do some code and syntax cleanup, update NEWS and README, rename the
      file to match the current naming convention, and fix the prototype
      of the external function we provide.
      892a8f2d
  17. 16 Sep, 2010 1 commit
  18. 15 Sep, 2010 1 commit
    • Russ Allbery's avatar
      Skip password change if given a NULL password · a71591e3
      Russ Allbery authored
      Current MIT Kerberos calls the password change hook with a NULL
      password in the -randkey case, which the module wasn't prepared to
      handle.  For now, quietly skip -randkey key changes, since we cannot
      currently do anything sensible with them.
      a71591e3
  19. 27 Aug, 2010 1 commit
  20. 26 Aug, 2010 2 commits