svn rev #24280: branches/plugins2/ doc/ src/config-files/
ghudson@MIT.EDU
ghudson at MIT.EDU
Tue Aug 31 13:02:44 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24280
Commit By: ghudson
Log Message:
Add documentation of the plugins section to krb5.conf.M and
krb5-admin.texinfo, along with documentation of the pwqual interface
and built-in modules.
Changed Files:
U branches/plugins2/doc/admin.texinfo
U branches/plugins2/doc/krb5conf.texinfo
U branches/plugins2/src/config-files/krb5.conf.M
Modified: branches/plugins2/doc/admin.texinfo
===================================================================
--- branches/plugins2/doc/admin.texinfo 2010-08-31 01:40:19 UTC (rev 24279)
+++ branches/plugins2/doc/admin.texinfo 2010-08-31 17:02:44 UTC (rev 24280)
@@ -410,6 +410,7 @@
* capaths::
* dbdefaults::
* dbmodules::
+* plugins::
* pkinit client options::
* Sample krb5.conf File::
@end menu
@@ -1042,7 +1043,7 @@
This LDAP specific tag indicates the number of connections to be maintained per LDAP server. This value is used if the number of connections per LDAP server are not mentioned in the configuration section under [dbmodules]. The default value is 5.
@end table
- at node dbmodules, pkinit client options, dbdefaults, krb5.conf
+ at node dbmodules, plugins, dbdefaults, krb5.conf
@subsection [dbmodules]
Contains database specific parameters used by the database library. Each tag in the [dbmodules] section of the file names a configuration section for database specific parameters that can be referred to by a realm. The value of the tag is a subsection where the relations in that subsection define the database specific parameters.
@@ -1090,7 +1091,64 @@
@end table
- at node pkinit client options, Sample krb5.conf File, dbmodules, krb5.conf
+ at node plugins, pkinit client options, dbmodules, krb5.conf
+
+ at menu
+* pwqual interface::
+ at end menu
+
+Tags in the [plugins] section can be used to register dynamic plugin
+modules and to turn modules on and off. Not every krb5 pluggable
+interface uses the [plugins] section; the ones that do are documented
+here.
+
+Each pluggable interface corresponds to a subsection of [plugins].
+All subsections support the same tags:
+
+ at table @b
+ at itemx module
+This tag may have multiple values. Each value is a string of the form
+"modulename:pathname", which causes the shared object located at
+pathname to be registered as a dynamic module named modulename for the
+pluggable interface. If pathname is not an absolute path, it will be
+treated as relative to the "krb5/plugins" subdirectory of the krb5
+library directory.
+
+ at itemx enable_only
+This tag may have multiple values. If there are values for this tag,
+then only the named modules will be enabled for the pluggable
+interface.
+
+ at itemx disable
+This tag may have multiple values. If there are values for this tag,
+then the named modules will be disabled for the pluggable interface.
+ at end table
+
+The following subsections are currently supported within the [plugins]
+section:
+
+ at node pwqual interface, , plugins, plugins
+
+The pwqual subsection controls modules for the password quality interâ
+face. In addition to any registered dynamic modules, the following
+built-in modules exist (and may be disabled with the disable tag):
+
+ at table @b
+ at itemx dict
+Checks against the realm dictionary file
+
+ at itemx empty
+Rejects empty passwords
+
+ at itemx hesiod
+Checks against user information stored in Hesiod (only if Kerberos was
+built with Hesiod support)
+
+ at itemx princ
+Checks against components of the principal name
+ at end table
+
+ at node pkinit client options, Sample krb5.conf File, plugins, krb5.conf
@subsection pkinit options
@menu
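Review bot: The new "@node plugins" line has no sectioning command after it, unlike "@node dbmodules" (followed by "@subsection [dbmodules]") and "@node pkinit client options" (followed by "@subsection pkinit options"), so the new text gets no heading of its own. Add "@subsection [plugins]" after the node line and give the "pwqual interface" node a heading one level below it. The "@menu" block would also read better after the node's introductory text than before it. In the pwqual paragraph the word "interface" is split across two lines with a stray character at the break ("inter" at the end of one line, "face" at the start of the next), which looks pasted from formatted man output; rejoin it as one word.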
Modified: branches/plugins2/doc/krb5conf.texinfo
===================================================================
--- branches/plugins2/doc/krb5conf.texinfo 2010-08-31 01:40:19 UTC (rev 24279)
+++ branches/plugins2/doc/krb5conf.texinfo 2010-08-31 17:02:44 UTC (rev 24280)
@@ -89,6 +89,10 @@
cross-realm authentication. It is also used by the end-service when
checking the transited field for trusted intermediate realms.
+ at itemx plugins
+Contains tags to register dynamic plugin modules and to turn modules on
+and off.
+
@ignore
this doesn't seem to be used
@itemx kdc
Modified: branches/plugins2/src/config-files/krb5.conf.M
===================================================================
--- branches/plugins2/src/config-files/krb5.conf.M 2010-08-31 01:40:19 UTC (rev 24279)
+++ branches/plugins2/src/config-files/krb5.conf.M 2010-08-31 17:02:44 UTC (rev 24280)
@@ -110,6 +110,9 @@
.IP [dbmodules]
Contains database specific parameters used by the database library.
+
+.ip [plugins]
+Contains plugin module registration and filtering parameters.
.PP
Each of these sections will be covered in more details in the following
sections.
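Review bot: The added request is lower case, ".ip [plugins]", while the entry directly above it is ".IP [dbmodules]". roff request and macro names are case-sensitive, so this line will not be formatted as a tagged paragraph like the other section names in the list. Change it to ".IP [plugins]". The blank "+" line before it is not needed either, since .IP starts a new paragraph by itself.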
@@ -682,6 +685,59 @@
.IP ldap_conns_per_server
This LDAP specific tag indicates the number of connections to be maintained per
LDAP server.
+
+.SH PLUGINS SECTION
+
+Tags in the [plugins] section can be used to register dynamic plugin
+modules and to turn modules on and off. Not every krb5 pluggable
+interface uses the [plugins] section; the ones that do are documented
+here.
+
+.PP
+Each pluggable interface corresponds to a subsection of [plugins].
+All subsections support the same tags:
+
+.IP module
+This tag may have multiple values. Each value is a string of the form
+"modulename:pathname", which causes the shared object located at
+pathname to be registered as a dynamic module named modulename for the
+pluggable interface. If pathname is not an absolute path, it will be
+treated as relative to the "krb5/plugins" subdirectory of the krb5
+library directory.
+
+.IP enable_only
+This tag may have multiple values. If there are values for this tag,
+then only the named modules will be enabled for the pluggable
+interface.
+
+.IP disable
+This tag may have multiple values. If there are values for this tag,
+then the named modules will be disabled for the pluggable interface.
+
+.PP
+The following subsections are currently supported within the [plugins]
+section:
+
+.SS pwqual interface
+
+The pwqual subsection controls modules for the password quality
+interface. In addition to any registered dynamic modules, the
+following built-in modules exist (and may be disabled with the disable
+tag):
+
+.IP dict
+Checks against the realm dictionary file
+
+.IP empty
+Rejects empty passwords
+
+.IP hesiod
+Checks against user information stored in Hesiod (only if Kerberos was
+built with Hesiod support)
+
+.IP princ
+Checks against components of the principal name
+
.SH FILES
/etc/krb5.conf
.SH SEE ALSO
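Review bot: The enable_only and disable descriptions do not say what happens when both tags have values for the same interface, or when a listed name matches neither a registered dynamic module nor a built-in one. State which tag takes precedence and whether an unknown name is an error or is ignored. Since the module tag causes the shared object at pathname to be loaded, the description would also benefit from a sentence saying that the file and the "krb5/plugins" directory should be writable only by the administrator.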